We Need To Re-Look At Our Cyber Resiliency Framework!
What are the top priorities of CIOs for 2023, especially with the looming recession and evolving threat landscapes?
Marco Fanizzi: As a part of my role, I have the opportunity to meet CIOs all across the international organization, especially in Europe, the Middle East, Africa, Asia, and ANZ. The issues and the priorities for business and markets are the same, but the level of maturity differs for each country. While ANZ and the UK are adopting a multi-cloud approach more broadly, other places are more laggard or have restrictions from the law.
The usual priorities for the CIOs consist of finding swift responses to business needs, maintaining a budget at the same level or lower, and defending the company from ransomware risks that are now taking center stage.
Balaji Rao: From an Indian context, the priorities in terms of digitalization – technology and its alignment with business will be the same as in 2022. However, we see increased adoption of cloud technologies. There is a push from the Board to boost cloud capabilities, questioning investments in physical data centres.
Additionally, as Marco mentioned, the CIO’s position has become more important, and they have a seat on the Board now. Business continuity has become a serious issue with cyber and ransomware attacks across large, medium, and small enterprises. It takes almost 20-odd days for a company to recover on a usual scale unless you're prepared. This is forcing the organizations, boards, and CIOs to relook at their security strategy.
You mentioned that cyber security has garnered importance since the pandemic, and the focus on the use of the cloud has increased. So, can we assume that these cyber attacks have happened because we did not prepare for this level of cloud use?
Balaji Rao: People are shifting to work from anywhere, and hence the level of security also sees a shift, opening Pandora's box. Remote working leads to several open points through which bad actors enter the organizations. The cloud does help provide layers of security and protect data to a certain extent. These multiple layers of security are provided by cloud vendors like Azure, OCI, or whoever you may choose as your hyperscale provider. It is not that ransomware was not a threat before the pandemic, but it has definitely seen an acceleration during the pandemic.
Marco Fanizzi: Recent security reports have showcased how security breaches are mostly generated by processes and people rather than just technology. In 20% - 50% of the cases, technology is responsible for security threats, but often it is the process as well as the people that act as the point for attackers to get in. Since the onset of the pandemic, companies have amped up their infrastructure for employees to continue business remotely but many risks continue to exist in this new model.
The latest Commvault-IDC study also highlighted that 20% of organizations were forced to pay a ransom amount between US$25,001 and US$50,000. The study further highlighted that the ransomware attacks generated today start when they enter your perimeter. About 37% of organizations stated that their sensitive or secret data was exfiltrated, while 53% of the respondents mentioned that ransom was paid, but 49% of organizations were still unable to access systems or data. These attackers stay in your perimeter for months so that they can understand what mechanisms are in place to protect your data. Compared to the past, this is a completely different approach to ransomware attacks, and therefore companies were not prepared for this change that occurred.
Balaji Rao: Companies need to relook at and work on their strategies every two years. They cannot be operating with the strategy for five years; this is not sustainable. With the significant disruption in the space, companies need to change their strategies to align with the current market conditions. Today, many CIOs are working on a new cyber security strategy and the Board is also invested in the new cyber strategy blueprints.
Recently, the AIIMS Delhi systems were hacked. The hackers attacked the system 1200-1400 times in 24 hours. How is it that with the same system in place, attackers were not able to hack into it before?
Balaji Rao: Cybersecurity is a complex field, with endpoint security now evolved and becoming more complex with malware threat analysis as they integrate with the SIEM and the SOAR. They also have a built-in firewall now.
When systems upgrade, they are meant to comply with the security protocols. If this is not followed, it opens loopholes that can be exploited by attackers. Even in well-run organizations, it is difficult to maintain these systems. For example, there may have been an upgrade that could have disabled the endpoint security for a brief time, which as a result may have let the attackers in. I used to be in a company where we did consistent cyber audits but when the software was not properly implemented on one of the remote desktops, it left a gate open for a possible attack.
Additionally, employees need to understand proper cyber hygiene along with the security risks associated with their actions and identify cyber-attacks they may encounter via email and the web.
Moving to my next question, there is a concept called cyber deception. What is this? What I understand is that this is something where you can't allow malicious activity from the outside in your database or your centre.
Balaji Rao: Cyber deception is a proactive security and defense tactic that hinges on deceiving bad actors and malicious attacks. It arms today’s businesses with early warning signals into ransomware attacks. Using sophisticated decoys, cyber deception solutions engage bad actors the moment an attack begins. This delivers a multi-layered defense against ongoing attacks, equipping businesses with capabilities to immediately divert and spot silent threats – before data is lost, damaged, or compromised.
Commvault expanded its Metallic portfolio and launched Metallic ThreatWise in 2022. It is a data security service delivering integrated cyber deception across our award-winning DMaaS portfolio, to proactively defend data and enhance recoverability, before encryption, leakage, exfiltration, or damage. Even the stealthiest zero-day attacks are detected and diverted despite their efforts to circumvent traditional detection tech and security controls.
Marco Fanizzi: With the acquisition of TrapX (an Israel-based cyber-security company), now called ThreatWise, the solution provides real-time alerts helping to gain quick visibility to a potential attack and protect the crown jewels of our customers. We have a solution called the Metallic Recovery Reserve that copies data outside of your data centre, creating an air gap solution to ensure data is safe and recoverable, and checking the data before copying it. If you have a solution that is based on Azure, you can have your copy on Azure. If something happens, you can recover your data by visiting with a snapshot.
Balaji Rao: There has been an encouraging response towards ThreatWise so far and it is a hot topic for most companies. We launched it recently and already have quite a few existing and prospective customers looking at it.
How has the threat landscape evolved over the years? And what can be expected in 2023?
Balaji Rao: I think ransomware will only continue to rise with more sophistication. Additionally, we are seeing the threat landscape evolve into geopolitical situations as well. A recent study by Commvault-IDC revealed that close to 49% of Indian enterprises cited malicious attacks damaging their backup and data recovery. We will have to deal with this evolving landscape. Throwing more security products at it is not the solution because your data, your workloads, and your endpoints are all spread across the cloud, on-premises, and everywhere in between. What you need is unification and simplicity, with the ability to scale.
While we continue to strengthen security, we need to relook at our cyber resiliency framework. A cyber-resilient data recovery ensures a safe copy of the data in the cloud or data centre, where nobody can touch it. Today, we have a platform strong enough to restore crucial data in 3 hours, non-crucial data in 10 hours, and all the data in 3 days. It is better than being down for 20-25 days, which is common during a ransomware attack. This is exactly what the boards are looking for from their CIOs.
Marco Fanizzi: Moreover, AI will play an increasingly important role both for malicious purposes and to build more proactive and pre-emptive cybersecurity strategies. Organizations are not willing to buy products that do not comply with a strategic security approach. Data is the new oil, as it can be used to derive insights and thrive in a rapidly shifting marketplace. In this scenario, with no data recovery strategy in place, the consequences of ransomware or any malware attack can leave sensitive data exposed and lead to a costly, lengthy recovery. We will see ransomware flourish as 55% of organizations will migrate their data protection systems to a cloud-centric model by 2025.
It is imperative, now more than ever, for businesses to redesign their enterprise infrastructure strategies, align their policies, and address security concerns. A resilient cybersecurity framework will thus become a fundamental cornerstone of businesses in 2023, as organizations embrace the mantra of expecting the unexpected.