Data security is aspirational, but it is data protection that can finally save the day for organizations, says Nikhil Korgaonkar, Regional Director, Arcserve India & SAARC in an interaction with CIO AXIS.
CIO AXIS: How is the Data Protection scenario in India?
Nikhil Korgaonkar: There are many ways of looking at this question. From the government’s point of view, the data protection scenario is very active, with the Joint Parliamentary Committee (JPC) responsible for reviewing the proposed Personal Data Protection Bill (PDPB) 2019 adopting its report. The JPC is now expected to present this report with PDPB 2019 in the parliament’s Winter 2021 session.
From the perspective of organizations, data protection is gaining precedence, not just from the aspect of consumers’ data privacy but also from the business continuity angle. Downtime for any business can be highly painful.
Today, organizations in India are well aware of the consequences of downtime if their data servers are affected due to a cyberattack or network failure or due to some other technical reason. While they are taking ample precautions to protect their networks, it is not enough. The challenge arises when a disconnect is found between the organization’s cybersecurity and data protection strategies, which, more often than not, are found to function in silos with separate budgets, solutions, and processes. A 2021 survey report by Acronis stated that around 70% of Indian organizations use as many as ten solutions simultaneously for data protection and cybersecurity, while 30% run more than that. Despite that, 57% of them suffered unexpected downtime due to data loss in the last year.
What organizations require is a comprehensive, unified data protection strategy that can ensure perimeter security for both systems and data, and also take care of Disaster Recovery and Business Continuity (DRBC). Such a strategy will not only ascertain end-to-end encryption, but organizations will also have a first and last line of defense against cyber threats and data loss.
CIO AXIS: The terms data security and data protection are often used interchangeably. How do you think both differ and why is it important for the industry to understand the nuances?
Nikhil Korgaonkar: You are right. These terms are often used interchangeably and it’s important to understand their finer nuances. Both data protection and data security play pivotal roles in keeping data safe, but they each have their own goals and characteristics.
Data protection refers to the mechanism of making copies of data to restore in the event of a disaster or data corruption. Data security, on the other hand, refers to keeping data safe from unauthorized access and distribution. Unauthorized access to data can result in compromised data, corruption, or deletion. Should the data security strategy fail, data protection facilitates recovery of clean data copies.
Let us take an example: whenever a ransomware attack takes place, malware renders data unreadable by encrypting files. Basically, attackers control data access unless the demanded ransom is paid by the user or organization. If payment is not received, ransomware attackers will allegedly delete or corrupt the files, rendering them obsolete. This is a major data security crisis. Such an attack is possible if systems lack sufficient security to deny unauthorized access.
However, if those same files that were encrypted or compromised by ransomware are adequately protected with backup snapshots stored remotely, those clean copies can be recovered from the remote backup server. This is basically what data protection is all about.
Considering that organizations cannot evade cyberattacks, storing backups or snapshots in remote locations adds an extra layer of security to the data copies.
Data security makes sure that the network is protected and unauthorized access is blocked so that ransomware can’t have access to data. Data protection goes the extra mile in anticipating and assessing all possible outcomes, and ensures that in case there is a data security failure, data still stays untouched, and organizations don’t have to pay a hefty ransom to attackers.
The bottom line is that data security is aspirational, but it is data protection that can finally save the day for organizations. We at Arcserve are primarily in the data protection part of the game.
CIO AXIS: Why is a Business Continuity Plan (BCP) important for data-intensive industries like banking and telecom? What are the key points of a Business Continuity Plan?
Nikhil Korgaonkar: Organizations in data-intensive and regulated sectors such as BFSI and telecom are subject to strict business continuity obligations as they come under essential services. For a long time, banking and telecom industries had planned business continuity scenarios for limited outages only, such as for Internet leased lines (ILL) and multi-protocol label switching (MPLS) connectivity. The pandemic changed the game plan as we saw endless attempts to sabotage essential service networks by cyber criminals over the last two years.
Overnight, organizations had to adopt more extensive pandemic-inspired BCPs with requisite risk mitigation protocols for keeping networks working.
As per the Reserve Bank of India (RBI), BCP forms a part of an organization’s overall Business Continuity Management (BCM) plan, and reflects the “preparedness of an organization”, to minimize operational, financial, legal, reputational and other material consequences arising from a disaster.
BCP procedures must be reasonably designed so that organizations can meet their existing obligations to customers. The organization must disclose to its customers how its BCP addresses the possibility of a significant business disruption and how it plans to respond to events of varying scope. A BCP disclosure must be made in writing to customers when they open their account. This disclosure should be posted on the organization’s website if they maintain one and mailed to customers upon request.
CIO AXIS: How big will the data protection industry be in the coming year?
Nikhil Korgaonkar: Today, digital transformation has become necessary for organizations to ensure business continuity in times of disasters. Data is a vital part of it, especially for those where daily transactions run on data availability such as in banking, telecom, insurance, etc. Other businesses require data for forecasting, making business decisions, automating processes and more.
It is therefore only natural that organizations would like to ensure their data is protected and available at all times. As per the B2B research agency Markets & Markets report, the data protection market is projected to reach USD 119.95 Billion by 2022, at a Compound Annual Growth Rate (CAGR) of 16%.
Also, data protection and data privacy regulations are getting stricter all over the world. It is just a matter of time before governments and regulatory bodies bring in stringent data protection policies everywhere. India is already heading toward it with the PDP Bill 2019. Organizations cannot do business with the EU, USA, UK, Singapore and other developed countries unless they can show they have a proper data protection policy in place. The market for data protection will therefore continue to grow. Organizations of all types and sizes will have to take serious steps to ensure their data is protected and business continuity is not affected by any crisis.