By Alex Smith |
Whether it’s a fire, data corruption or the disruption of vital platforms, disaster can strike an organisation at any time, causing potentially catastrophic losses of critical information. While cost and the demands for greater availability has ended the days of taking tapes to a recovery centre to provide resiliency, the rise of ‘highly available’ systems which replicate data from one centre to another has exposed organisations to new, unforeseen threats.
“This setup essentially provides only one copy of the data,” explains Duncan Bradley, director, and UK and Ireland security and resiliency practice leader, at Kyndryl UK. “Even with multiple replicated copies, it is still just the same data being replicated. In 2017, the NotPetya attack demonstrated how malware could infiltrate an organisation. While this attack corrupted the operating systems, it would have been far worse if it had corrupted organisations’ actual data, as this corrupted data would then replicate to its secondary data centre, or even to platforms like Microsoft Azure, meaning the information is effectively lost or not available without paying ransoms or for lengthy forensic recovery. This highlights the critical need for organisations to be able to restore data from cyberattack-tolerant backups.”
Bradley suggests organisations should consider enhancing their business continuity plans to take account of threats to these highly available platforms such as Microsoft 365 (M365) and Microsoft Azure, especially if their business is covered by new regulations such as DORA.
“M365, for example, is an excellent platform, designed with flexibility so you can adopt its features as needed,” says Bradley. “However, the responsibility for protecting your data lies with you, not Microsoft. While M365 provides a recycle bin to recover deleted data, it would not be effective in the event of a mass deletion or corruption attack. Regulated customers, or those with critical business processes in M365, should definitely plan for potential outages caused by cyberattacks and consider how they would recover in such scenarios. This is where Kyndryl and Microsoft can collaborate effectively to advise on the desired outcomes in case of risks such as a cyberattack within M365.”
Kyndryl advises that when assessing their business continuity plans, organisations should consider more scenarios they would need to protect themselves from, including ransomware data attacks, develop their strategies accordingly.
“Most national or regional regulations emphasise planning for three main scenarios,” says Bradley. “The first involves traditional disasters, like a flood affecting a Microsoft data centre. The second scenario revolves around stored data becoming corrupted. Finally, the third scenario is related to the failure of a critical third party, such as the collapse of a network provider.”
Many organisations also do not know how long it would take to recover, or the interdependencies between all the data and platforms associated with an important business service, which introduces critical uncertainty into their planning. To avoid this, Kyndryl leverages its expertise and works with its customers to assess the recover point objective – the maximum amount of time before data loss exceeds an acceptable threshold – for their cloud-based workloads.
“The first step, which can also be a fun and team-building event for the customer, is to conduct a cyber simulation,” says Bradley. “The scenario could involve, for example, experiencing both a denial-of-service attack and a ransomware attack at the same time. Everyone then comes together in mission control to plan and execute a recovery. Based on the size of the enterprise, whether it serves 10,000 or 100,000 customers, we can then simulate how long that recovery could take, and whether it meets their business impact tolerances or recovery point objectives.”
“Depending on the storage types being used, we utilise our advanced Mass Restore Modeling tools to calculate how long the process would take to recover,” says Bradley. “With this simulation as a use case, we can assess recovery timelines for critical business services, such as an order or dispatch solution. In some instances, recovery might only take 18 hours, while in others, it could take eight days or longer. This exercise also helps us collaborate with the business to determine what an ideal recovery process would look like.”
Ultimately, a well-prepared and tested business continuity plan can be the difference between a minor data loss and a public relations disaster. Understanding the real business impact can save millions.
“Recovering a business process within two hours while losing only 10 minutes of data might cost $10 million,” says Bradley. “However, if the business can tolerate a 24-hour recovery timeline with a 24-hour data loss, the cost might be as little as $100,000. It ultimately becomes a business decision. Should you accept some level of risk and potential loss or should you invest heavily to minimise it? It’s important for business leaders to make that informed decision, knowing that in six months’ time, bad actors may develop a new attack vector that renders that investment less effective.”
Discover more insights like this in the Spring 2025 issue of Technology Record. Don’t miss out – subscribe for free today and get future issues delivered straight to your inbox.