As organizations increasingly rely on SaaS solutions for business-critical applications, it’s becoming apparent that even the big providers eventually suffer outages. Recently, Microsoft customers suffered problems with Teams and Exchange Online. That follows an outage by Atlassian a couple months earlier. These SaaS apps are so ingrained in daily operations that they often contain the institutional knowledge critical to run the business. If you’ve ever experienced lack of access to files, messages, and other critical data, you probably are looking for a backup solution to ensure your business can keep running no matter what happens.

When evaluating a cloud backup provider, you’ll likely need to make a business case for the investment. Perhaps the solution’s features such as automated backup, high security, and an intuitive user experience look impressive, but how about the important question?

What’s the ROI? Can you provide a compelling business case to convince the stakeholders and leadership in your organization?

To understand the financial impact of backup and recovery solutions, let’s first evaluate the different costs involved.

What could be the financial impact of not backing up your cloud data?

1. Impacts of Cyberattacks

A study conducted by IT research firm ESG states that 79% of organizations had a ransomware attack within the past year. A devastating ransomware attack could leave employees unable to use core business applications for days, weeks, and even months at a time.

According to Forrester, a successful ransomware attack resulting in disruption to operations for an organization with 5,000 employees for five days would cost more than US$5 million. The same ESG study found that only 50% of the organizations were able to recover all their data in a clean and recent state.

According to Verizon’s Data Breach Investigations, large data breaches (with 100 million records or more) cost, an average of $5 million to $15.6 million and can top out at $200 million.

2. Accidental Deletions

According to ESG’s Tech Validation Report, accidental deletions result in data loss approximately 20% of the time. Verizon reports that 85% of breaches involve a human element. A single document sometimes is worth hundreds of dollars. A properly implemented cloud backup solution allows employees to restore critical data quickly and reliably, indirectly saving millions of dollars for the business.

3. SaaS Licensing Fees

Companies often must keep ex-employee user accounts active after their exit date to access user data which would otherwise be purged by the SaaS vendor. It is common for approximately 10% of employees to leave every year. This number can be much higher if organizations use a lot of temporary staff or contractors. The license fees to keep departed users active can be saved by using a cloud backup provider that retains your data for as long as you’re a customer.

4. Archiving Costs

Are you investing in data archiving repositories? Typically, organizations depend on separate archiving tools to help move inactive data into long-term storage systems. This helps optimize resources in the active system to help users quickly access data. By having a cloud backup provider – especially with unlimited storage & retention as Keepit offers – you can avoid investing in a separate archiving tool.

5. IT Administration Efficiencies

IT administrators typically spend a lot of time off-boarding employees and searching for documents that have been either intentionally or unintentionally deleted. If the time for off-boarding is reduced from an hour to a minute thanks to a backup solution, the net benefit would be thousands of dollars per year. Likewise, searching for hours to find deleted files is time-consuming and costly but with the right backup solution, IT admins can quickly search and find files in minutes.

A solid return on a critical investment

Keepit commissioned Forrester Consulting to conduct a total economic impact (TEI) study to evaluate the potential economic impact for businesses that utilize the company’s data protection services.

Based on interviews with five Keepit customers across a range of industries, Forrester generated a composite organization from which it produced a financial model that outlined three-year, risk-adjusted potential savings from utilizing Keepit. The TEI includes two categories of savings, quantifiable and unquantifiable. Forrester determined that in addition to unquantifiable savings like recovery from a ransomware attack, Keepit offers a 78% return on investment (ROI) and a net present value (NPV) of $225K. To see how a dedicated backup solution can pay for itself in just six months, download the full Forrester TEI study.

The frequency of ransomware attacks is increasing along with the costs to businesses. Having a plan to respond in the event of a ransomware attack is more important than ever. 

IT research firm ESG conducted a ransomware study surveying 600 enterprise IT and cybersecurity professionals across North America and Western Europe. Here’s what they found: 

• 79% of the organizations had a ransomware attack within the past year 
• Every sixth company gets attacked by a ransomware weekly 
• Every eighth company gets attacked by ransomware daily 

What’s the impact of a ransomware attack? 

When an organization suffers a ransomware attack, there are many negative consequences beyond the financial losses. According to the ESG study, victims of ransomware attacks suffered the following: 

• 40% of the organizations reported a financial loss 
• 50% reported data loss  
• 32% reported reputational damage 
• 39% reported a direct impact on employees, customers, and partners 
• 30% reported compliance exposure 

As an IT Manager or a cybersecurity leader, can you bear these consequences in the organization?  

What’s the best ransomware recovery strategy?

 

Given the high frequency of these attacks, you need a recovery strategy to mitigate damage to your organization. A successful recovery strategy can help you recover data quickly to minimize the impact on operations. 

ESG research recommends cloud backup as the best practice for cyber recovery. The survey also found that the best-prepared organizations are the ones that have a cloud backup solution. 

How Keepit can play a role in your ransomware recovery strategy

If your organization is ready to get serious about protecting SaaS data and is looking for a solution, ESG recommends that you take a good look at Keepit.

Kerry Dolan, Senior IT Validation Analyst, ESG

Keepit offers an extremely simple, secure SaaS data protection solution that uses a proprietary object store to keep data protected and tamper-proof in its independent, redundant global data centers. With automatic snapshots, no backup scheduling is required, and retention is easy to configure and manage according to your compliance requirements.

Each daily snapshot is permanently preserved so that victims of ransomware can simply roll back to a point in time before the attack and restore their data in place.

Bottom Line

With the high frequency of ransomware attacks, IT leaders should focus on protecting their organization’s mission-critical data and digital assets by preparing and practicing to recover it quickly and completely. ESG recommends cloud backup as the best practice for cyber recovery. Keepit helps you in the cloud backup strategy with a backup that is simple, secure, and fast.   

Keepit backup is: 

Cloud independent – With Keepit, data is stored in a vendor-neutral cloud instead of public platforms like AWS, making Keepit a true third-party backup. 

Immutable – preserves your data permanently, even for data types that the source SaaS applications do not protect. 

Innovative storage architecture – allows super-fast data restores and inspection while giving you predictable restore performance and a fixed storage cost. 

To learn more about how Keepit secures data, read our security guide. 

Many companies assume that if they pay for a backup security infrastructure, their business-critical data will be stored and secured on a separate cloud – but this is often not the case.  

Instead, most alternative cloud backup solutions store your backed-up data on the same public cloud infrastructure that hosts your primary data, which potentially exposes your company to several different risks. 

In their Cloud Computing study published in 2020, Foundry reported the top challenges associated with public clouds to be: 

• Lack of cloud security skills or expertise (30%) 
• Compliance and governance (30%) 
• Security challenge and data privacy issues (38%) 
• Controlling cloud costs (40%) 

By choosing to store your backup data in the public cloud, all of your data (including your only backup copy) is being managed under the same administrative infrastructure. And this is still the case if you choose a different data center for your backup that is separate from your primary data. 

The solution: A ‘true backup’ cloud independent of the public cloud

We believe that offering “true backup” means we can guarantee that your company’s backup data is not stored in the same logical infrastructure as your primary data – regardless of the SaaS application or workload needing protection. 

With Keepit, your company’s backup data is stored on an independent cloud infrastructure in two mirrored data centers in the data center region of your choice, ensuring data availability and sovereignty. 

Keepit is the only dedicated SaaS data protection cloud to date – running on autonomous regional data centers, operating on separate hardware, and managed by trusted employees independent of any public cloud.  

The benefits of building your own private backup cloud 

Having a dedicated private cloud is a fundamental requirement for any legitimate backup solution. Choosing Keepit as your reliable, vendor-neutral backup solution compared to other third-party providers comes with considerable benefits for customers:  

• Pandemic-proof: When the COVID-19 virus spread worldwide, the leading public cloud vendors could not handle customer workloads and pushed customers offline. Meanwhile, Keepit’s dedicated private cloud service continued business as usual. 
• Accessible 24/7: With a dedicated backup cloud, you never lose access to your company’s information or worry about duplication or compressed data. 
• Speedy: With Keepit, the licensing model is uncomplicated, allowing you to get up and running in no time. There are no API transaction fees, network fees, or storage consumption fees. Our intuitive and easy-to-use search tools make sure you can locate, preview, and restore data in seconds. 
• Cost effective:  The higher degree of control Keepit has over the supply chain means considerable cost-saving benefits and easily scalable options. As a Keepit customer, you don’t need to worry about storage consumption fees or hidden costs. Storage is included, and you can expect predictable and straightforward pricing. 
• Constantly evolving: Unlike other third-party security and backup providers, we retain the freedom to innovate and develop our cloud storage technology behind the scenes—something that would not be possible if we were using a public cloud.  

The final word: Keep your digital eggs in separate baskets 

In the realm of backup, “divide” and “separate” are positive terms, and adhering to the 3-2-1 principle is the most effective way to safeguard your data by having it stored separately from your day-to-day operations. 

The 3-2-1 principle of backup mandates that you must have one copy of your data off site. In the days of tape backup, where fire and theft were the only credible threats to your backup data, the off-site copy effectively ensured that your backup data would survive any calamity that could befall your primary data and your primary site.  

In the cloud age, however, backups have become much more complicated: geographic dispersal is insufficient to ensure your data is secure, and hidden risks are introduced by relying on clouds that may be taken offline to protect the providers’ primary business interests. 

You can read more about that in our Security Guide: Raising the Bar for Data Protection in the Cloud Era. 

Working in the security industry we are regularly in conversations about how BYOK (Bring Your Own Key) can help solve security concerns around data confidentiality, compliance, protection from espionage, and much more.

However, it is most often the case that BYOK does not and cannot solve the problems that people are led or misled to believe it does.

This post is an attempt to address some of these misunderstandings.

First, we need to establish the vocabulary; BYOK is short for Bring Your Own Key, which means the customer provides a data encryption key to the service provider, and the service provider then holds and uses this key for some security function in relation to providing service to the customer.

Already here now that we talk about it, it should be clear that there are a great many problems this scheme does not solve, as the service provider holds a copy of the key.

Another key acronym in security is MFA, or Multi-Factor Authentication. MFA requires that the customer does not just log in using a username and password, but that at least one more factor is provided, which could be a time-based code the user can read from a device only the user possesses. In a sense, this is unrelated to BYOK, but as we shall see, MFA is often the actual working solution to problems believed to be addressed by BYOK.

With that out of the way, let’s look at a few common myths of what BYOK brings to the table then go through why this is not actually the case:

Myth #1: BYOK protects my data in case my account gets compromised.

That would be lovely, but this is not the case at all. First of all, the data encryption key is online all the time. This is a necessary condition for the service to be available and online because what good would your cloud service be if data wasn’t accessible? So, your key is online and now your account gets compromised. An attacker successfully poses as you, so naturally, all data is available to the attacker just as it would be to you, BYOK or not.

Myth #2: In case of compromise, revoking my key renders data unreadable.

This is wishful thinking, unfortunately, and for reasons, you may not expect. As is the case on commonly available BYOK platforms (AWS to name one) the key you bring is not even used for the actual data encryption! Since the service provider cannot trust that a customer can competently generate a strong key, the service provider will use their own key for the actual data encryption.

This key though may then be encrypted with another key, and then finally this package can be encrypted with the actual customer-supplied key. What this means is that the customer has some degree of control over one of the keys used in the encryption of a ‘key package’ which may be used in concert with the encrypted data during a bulk transfer between regions for example. But this is a very niche use. In day-to-day operations, on the most well-established BYOK-enabled platforms in the world today, the customer-supplied key plays NO role in data encryption of the customer data.

The customer can lose the key, revoke the key, modify the key, get the key stolen, have the key tampered with, or all of the above, leaving the day-to-day operations of the service absolutely and completely unaffected because the customer-supplied key plays no role in day-to-day operations. This is not a ‘dirty secret’ in any way; this is well documented in publicly available descriptions of these systems.

The only realistic protection against account compromise is MFA. You can only do so much to make it more difficult for an attacker to compromise your account. That’s why you need to realize that when your account is compromised, someone can actually pose as you, and do what you can do. Cryptography cannot help you at this point.

Myth #3: If the service provider is compromised, I can revoke the key.

By now we know your key isn’t used for actual data encryption. But for argument’s sake, let’s play along and pretend it actually is (but it really isn’t). This means the service provider is encrypting data using the customer-supplied key to which they hold a copy, otherwise, they couldn’t use it.

Now, what happens if the service provider is compromised? Let’s say that either an attacker gains full control of the service provider platform or the government under which the provider operates seizes their systems. Well, the key is being used by the service provider for data encryption and decryption, so obviously the key is available there in one form or another. In other words; what the customer does with their copy of the key has no bearing on the copy that is available and in the hands of the service provider or whomever now controls their platform.

Realistic protections here are along the lines of choosing the region in which the service is provided carefully and ensuring the service provider implements a mature information security management system.

As was said famously by renowned cryptographer Bruce Schneier, ‘If you believe cryptography solves your problem, then either you do not understand your problem or you do not understand cryptography.”

There is a lot of truth in this statement. It does not mean that cryptography does not play an important role in solving security challenges, but it does underline that simple encryption in isolation does not solve the challenges we are facing.

BYOK is no silver bullet. In fact, it is very often not even helpful. Further, if the employment of BYOK delays initiatives to seriously implement MFA or other effective security mechanisms, then BYOK may be outright harmful to the overall security posture of your organization.

I hope this short write-up helps bring clarity to an area of information security that is too often not discussed in detail or even widely understood.

The very mention of data governance and compliance can send shivers down the spines of corporate IT professionals, particularly for those who recognize they aren’t ready to handle a major data breach or other situation that compromises mission-critical data.

The increased focus on data compliance creates even more headaches as state and federal regulations are constantly changing, adding more pressure to comply as a means to avoid a regulatory audit and the unpredictability of a public relations nightmare.

So, why is regulatory compliance so important?

The answers can vary from company to company but protecting mission-critical data is not only necessary for business continuity, failure to comply can lead to financial and legal exposure such as lawsuits, fines, settlements, certification losses, and data breaches. Some estimates say compliance failures cost businesses nearly $1.5 billion annually and growing.

If you believe data compliance won’t adversely affect your company, look at these real-world examples of what can happen:

• Target Corporation agreed to an $18.5 million settlement with 47 states for its 2013 holiday data breach where cybercriminals stole $40 million in credit and debit records.
• Uber’s sub-par handling of its 2016 data breach that impacted 57 million rider and driver accounts cost the company almost $150 million.
• Equifax lost over $575 million in 2017 when it failed to fix a critical vulnerability that compromised the financial and personal information of over 150 million individuals.
• Marriott International received a $124 million fine from the General Data Protection Agency in 2018 when a cyber incident dating back to 2014 containing over 338 million guest records came to light.

The Solution? Deploy a Third-Party Cloud Backup Service

For companies committed to minimizing or avoiding these risks, it pays to be nimble and prepared particularly since data backup and recovery are so inextricably linked to compliance. Think, for example, how difficult it would be to pass an audit with missing data. 

So, who is ultimately responsible for data backup and recovery? If you believe it’s your cloud service provider, think again.  You may be surprised to learn that most SaaS vendors don’t automatically back up data for long periods and lack critical, built-in security measures to protect data. While they may be able to back up some of your data during a breach incident, most lack the ability to quickly and easily recover your data and make it immediately accessible. 

That’s why third-party backup and recovery services like Keepit are your best bet to ensure business continuity, stay in compliance, and keep costs predictable. 

Part of what makes Keepit’s backup and recovery solution so effective is how we deploy blockchain technology, which makes it possible to achieve data immutability to meet increasing compliance standards without having costs skyrocket. 

Blockchain has gained market familiarity and acceptance in the cryptocurrency industry like Bitcoin and Ethereum because its hashing technology helps improve transparency and data security around distributed transactions.  

One of blockchain’s drawbacks with cryptocurrency, however, is authentication, which is slow and resource demanding. Keepit’s solution, on the other hand, features all the benefits of blockchain technology but is fast and doesn’t consume expensive resources. This, in turn, makes achieving compliance much easier and more convenient. 

How to Increase Your Focus on Compliance
So, what’s the fastest and most cost-effective third-party data protection your company can deploy? Enter the Keepit cloud. 

Because it is built on secure, blockchain-verified technology, Keepit ensures data remains immutable and tamperproof – always.  This is important for compliance because with immutable data and metadata, it’s possible to document and recover not just all data but all data processing, further ensuring that auditors have full visibility to everything that has impacted the data. 

Learn more about how Keepit can help your company quickly recover from any data loss event – even ransomware attacks – to keep your company’s data always secure, always available, and always compliant with the latest regulations.
Keepit is a dedicated backup and recovery service providing your company with secure cloud data backup for the core SaaS applications, including Microsoft 365, Salesforce, and Google Workspace.