As we reflect on the past 10 years and head into a new decade of resiliency innovation, a tremendous number of innovations have set the standard for how businesses recover from disasters. These range from the use of cloud for Disaster Recovery to the ability to orchestrate a complex, hybrid recovery program with one tool. However, the number of cyber attacks and their business impact have grown significantly as well. Cyber breaches are no longer a question of “if one will happen,” but “when will it happen” and “how severe will the impact be.” Between financial loss, business disruptions, reputational damage and regulatory actions, the cost of a data breach is huge. Some data protection industry insights would therefore be highly beneficial to IT professionals.
With these cyberattacks and data breaches becoming an inevitable reality today, IT leaders are under enormous pressure to step up their security and resiliency practices, products and services. The IBM cyber resiliency approach uses advanced technologies and best practices to help assess risks, prioritize and protect business-critical applications and data, and rapidly recover IT during and after a cyber-attack.
As General Manager, Andrea Sayles sits at the helm of IBM Business Resiliency Services – an important part of the IBM Services business, working to help enterprises maintain mission-critical business operations and rapidly recover IT in the event of a cyber-attack. Following her recent participation in the First Annual Solutions Review BI Insight Jam, here she shares her views on key data protection industry insights and how to assess your resiliency readiness in the new year and beyond.
Data Protection Industry Insights:
Cyber-attacks will impact businesses on a larger scale
There have always been business risks – whether attributed to human error, weather, or other disasters. However, according to Sayles, the fastest and most impactful risk to businesses today is the threat from a cyber-attack.
Traditional disaster recovery programs and practices do not properly address cyber threats or the ability to restore normal business operations following an attack. In the past, with natural disasters or weather events, simply having a business continuity plan, using your backup files from yesterday to restore your IT infrastructure, or using an alternate work area for your people was sufficient. “With today’s new threats,” says Sayles, “businesses need to be thinking about automating and orchestrating your disaster recovery and running it as a service.”
Flexibility is key in the data protection industry
With cyber-attacks hitting systems with internet access every 39 seconds on average each day in the United States (a Clark School study at the University of Maryland, 2019), it is impossible to predict when something will go awry. Sayles suggests that companies that are flexible will find greater success in DR planning in the long run. “Being flexible and open to refining your strategy is really important for a sound IT recovery plan,” she says. “Preparedness for any type of event will allow for better defense against future attacks, even if you don’t know the nature of exactly what they will be.”
Moving away from manual to automation
One part of becoming more flexible with a cyber resiliency strategy is to move from a manually operated DR infrastructure to an automated one. When a system goes down, according to a 2019 IBM-sponsored Ponemon Institute study, the global average cost per incident is $3.926 million for companies that experienced a breach of 10,000 to 100,000 records. This number jumps to $388 million for companies that experienced a mega data breach of 50 million records. IT administrators are under heavy pressure to make sure that downtime does not disrupt productivity and business financial results, and they often struggle to manually execute the steps to get their systems up and running again while under intense stress and scrutiny.
“With an automated system – combined with proper planning, testing, and implementation of DR plans and solutions – it saves time and money,” says Sayles. “Automated DR versus manual DR mechanizes the entire recovery process so that it can take minutes instead of hours.”
Get full buy-in from your executives
Your business continuity plan, resiliency, and data protection strategy and plans need executive support and/or sponsorship, up to the C-Suite. The plans need to be based on cross-functional feedback, and not just from IT’s point of view, and everybody in your company needs to be trained on how to look for and protect the company from cyber-attacks. As a result, having a sound strategy can have a positive impact on overall business results.
When teams are not fully aligned on a cyber resiliency strategy, perception gaps can exist between who is responsible for handling the disaster and who bears the cost when it happens. This missed communication puts resiliency at risk. For example, a recent joint study by IBM and Forbes reported that just 27% of surveyed executives believe their top management understands the difference between mitigating cyber risk and working toward a more comprehensive, orchestrated, dynamic cyber resiliency strategy.