Three-quarters (75%) of organizations suffered at least one ransomware attack last year, according to Veeam’s Data Protection Trends Report 2024.
The researchers showed that more organizations got hit four or more times in 2023 (26%) than those who said they didn’t experience any ransomware attacks.
Speaking during a virtual pre-briefing, Jason Buffington, VP, Market Strategy at Veeam commented: “Statistically ransomware is a when and not an if and it will be worse than you think.”
He added that of the 25% of respondents who do not believe they were hit by ransomware last year, some could already be subjected to an attack – they just aren’t aware of it yet.
“We know from other research that in many cases the bad actor that has permeated your environment has been lurking around your systems for up to 200 days before they cause damage or ask for a ransom,” Buffington said.
Cyber-Attacks the Most Common Cause of Outages
Cyber-attacks were the cause of technology outages for 40% of the organizations surveyed. Meanwhile, 18% of those asked said cyber-attacked caused the most damaging outages.
The Veeam report surveyed 1200 IT leaders and data protection implementers.
Dave Russell, VP, Enterprise Strategy at Veeam, noted that unlike other causes of network outages, such as public cloud issues, accidental deletion and natural disasters, cyber-attacks are deliberate, designed to cause huge damage to all or most of your environment.
However, Buffington emphasized that the research demonstrated that cyber is far from being the only technology risk organizations have to prepare for.
“If you’re focusing all of your technologies and methodologies around cyber, how are you covering when the storage dies, when accidental deletion happens, when fire happens?” asked Buffington.
“Ransomware is a disaster but it’s not the only disaster you need to be mindful of,” he added.
Growing Investment in Backups and Data Protection
The report found that there is a big focus among IT leaders on enhancing their backup capabilities, with 54% anticipating changing their primary solution in 2024.
The leading drivers for making this change are to improve the reliability/success of backups (36%), enhancing detection/remediation capabilities for cyber or ransomware (31%), and diversifying and using different data protection tools for different workloads (30%).
Data protection budgets are also expected to increase by 6.6% in 2024 compared to 2023, which the report noted exceeds the expectations of major industry analyst firms.
More than nine in 10 (92%) organizations said they intended to increase their data protection budgets for 2024, up from 85% in 2023.
There is no evidence to suggest that organizations are viewing backups as the primary solution to ransomware, and disinvesting in cybersecurity prevention measures as a result, Russell told Infosecurity Magazine.
However, Buffington acknowledged there is a danger that some backup vendors may present themselves as a cybersecurity company, potentially giving business leaders the impression that their solutions provide a full defense against ransomware.
“We’re the last line of defense, we’re not prevention – to get there in some way of your prevention technologies will have failed,” he said.
Businesses Must Focus on Retaining Data Protection Staff
Another significant finding from Veeam’s report was that nearly half (47%) of IT leaders and data protection professionals intend to seek a new job outside of their current organization in the next 12 months.
Just one in three (33%) said they intend to stay in their current role/organization, with one in five (19%) undecided.
The top five concerns respondents had about their role highlighted that organizations are likely to have significant retention challenges for their data protection staff in 2024:
- Lack of new skills or learning opportunities
- Inability to influence strategic direction
- Ramifications of a cyber-attack or other disaster
- Lack of career development/progression
- Lack of management support
“It is incumbent on senior leadership to retain their existing data protection talent, to ensure their preparedness for cyber resiliency and other disaster preparation. Losing those experts puts the organization at a significant disadvantage when crises inevitably strike,” the report read.