Storage can no longer be an afterthought for CIOs. The massive cybersecurity threats that daily beset enterprise organizations have completely recalibrated how enterprise storage needs to be calculated into the corporate overall cybersecurity strategy.
Keeping storage separate, as if in a silo, from your company’s comprehensive cybersecurity strategy is not only a lost opportunity, but, more importantly, it is also a trigger for increasing the risk of a cyber attack infiltrating, disrupting, costing, and making your company’s data a target for ransomware or malware.
The reality of storage has changed over the past 18+ months and, because it hasn’t gotten nearly enough play in the media that it deserves, it’s understandable if CIOs and their IT teams have missed grasping the full extent and all the details of this shift. With the stakes so high amid an ever-increasing cyber threat landscape, the time has come for a “storage reality-check” in the context of cybersecurity.
CIOs and CISOs aren’t the only leaders who are concerned about cyber threats. The threat of cyberattacks has become so prevalent that in a Fortune 500 survey of CEOs in mid-2021, 66% of Fortune 500 CEOs said their No. 1 concern in the next three years is cybersecurity. Similarly, in a KPMG CEO survey in March 2021, CEOs also said cybersecurity is a top priority.
According to IDC’s Board of Directors survey, cybersecurity tops the list of most challenging issues for which boards of directors provide oversight. Most board members are more concerned about a data breach than any other crisis. It’s no wonder why the World Economic Forum named cybersecurity as one of their top five priorities over the past couple of years.
No enterprise wants to be hit by cyberattacks, which have costly impacts on the business. The security decision-makers in companies often equate security with firewalls, network, and edge protection and how to track the “bad guys” down when they breach the firewall. What they do not realize is that cyber criminals are altering, destroying, or stealing data.
The average number of days to identify and contain a data breach, according to security analysts, is 287 days. Enormous damage can be inflicted within 287 days. Too many enterprises are not truly equipped and prepared to deal with it. The stakes continue to rise amid daunting threats.
Nonetheless, companies need to ensure that data, which is the lifeblood of their business, is always available. The drive to modernize the data protection and cyber resilence capabilities of an enterprise’s storage infrastructure needs to accelerate. Every possession in a company’s storage estate needs to be cyber resilient, designed to thwart ransomware, malware, internal cyber threats, and other potential attacks.
This surge in awareness and prioritization around protecting a company’s data is so significant that even the US government has changed laws and created new legislation to help combat cyberattacks.
New US law for cybersecurity
In March 2022, President Joe Biden signed the Strengthening American Cybersecurity Act of 2022 into law. It requires certain types of companies to report cybersecurity incidents to a federal agency within 72 hours and any ransomware payment within 24 hours. It tightens up organizations’ obligations around cyber incident reporting.
In a statement after the House approved the measures, bipartisan leaders from the House Homeland Security Committee said: The new rules “will mean greater visibility for the federal government, earlier disruption of malicious cyber campaigns, and better information and threat intelligence going back out to the private sector, so they can defend against future attacks.”
On March 9, the US Securities and Exchange Commission proposed a rule that publicly traded companies disclose data breaches and other significant cybersecurity incidents within four days. This is not necessarily new for multinational companies. In Europe, the EU’s General Data Protection Regulation (GDPR) has required any organization handling the data of European citizens to notify authorities within 72 hours of becoming aware of a breach.
What to do about it?
CIOs need to think of storage as part of their overall enterprise cyber security strategy. It is critical to increase your organization’s storage cyber resilience as a safeguard against cyberattacks that could cripple your business.
Cyberattacks have become sophisticated, pervasive, and aggressive, targeting both primary storage and secondary storage. So, changing the paradigm from an overall corporate security perspective is imperative. A cyber resilience solution is effective when it provides guaranteed availability and a fully scaled data restoration for business continuity.
You need to take an end-to-end approach to stay ahead of cybersecurity threats. This entails evaluating the relationship between cybersecurity, storage, and cyber resilience. Primary storage and secondary storage need to be protected, ranging from logical air gapping to real-time data encryption to immutable copies of your data to instantaneous recovery.
On the primary storage front, it is essential to conduct a detailed analysis of the data, determine what data needs to be encrypted and what doesn’t, what needs cyber resilience and what doesn’t, and figure out how the protection needs keep your company in compliance – especially if your company is in a regulated market, such as financial services, pharmaceuticals or healthcare, or if your company is publicly traded.
On the secondary storage front, you need to decide what to do for modern data protection (a term that was previously known as “back up” in the past) and how to make that cyber resilient. Additionally, you need to create a storage plan for data replication/snapshots to meet your requirements for disaster recovery and business continuity.
The bottom line is that cybersecurity must go hand-in-hand with storage cyber resilience.
For more information, visit Infinidat here.