Not long ago, the probability of a threat materializing was enough to open the IT pocketbook. Today, the mentality has shifted from one of risk prevention to one of risk marginalization. This mindset isn’t just held by the CEO, but rather the entire C-suite. As a result, organizations are beginning to shift portions of “operational risk accountability” to line-of-business leaders. This approach must also tie into Resiliency Operations planning.
This shift is understandable. Operational excellence, product development, and financial performance are the engine that powers any business. To accept some level of risk is to accept that the realities of the modern enterprise have changed. Today, most business technology leaders understand that the question isn’t “Will we be hit by a disruptive cyber incident?” but rather “Are we prepared if we are hit by a disruptive cyber incident?”
Executives and consumers recognize that breaches are no longer uncommon and seem to be focused on the reasonableness of how far a business goes to protect its critical data. The goal should be to protect the critical data, coupled with resiliency planning. Strategy in this area is critical. Otherwise, there will be an undesirable impact that can carry high costs and impede growth strategies, either through financial burden or making an organization less nimble.
The danger is in leaning so far into business growth strategies that resiliency planning is neglected, leaving the organization vulnerable to potentially crippling (or fatal) business disruptions. What’s more, even companies with a strong belief in resilience planning may be stuck in an old-fashioned mindset, neglecting to plan for the possibility of corporate data loss through the most vulnerable attack vector: end-user behaviors via laptops and desktops.
Resilience vs business growth strategies
The reasons to focus on business growth are many. An organization’s CEO wants to grow the business and do it faster. The CTO wants to get to market first, with technology that provides a competitive advantage. The CFO wants to quickly grow sustainable revenue and profitability. The sales team leader wants to win new customers quickly and deliver on revenue growth targets. For me and others in the Chief Security Officer role, we want to enable growth strategies – while simultaneously implementing mitigation strategies for the company.
Today, mitigating risks for the company means thinking beyond the data center and protecting the endpoint. Why? It’s the most common attack vector outside the corporate network and provides access to your intellectual property (IP). According to Deloitte, your IP can make up 80 percent of your company’s value.
Independent research has found that over 60 percent of your IP is created and available on laptops and desktops. That means that, potentially, half of a company’s value lives on employee laptops and desktops. If growth is a company’s main objective, then protecting the very ideas that fuel growth must be made a priority. IP created and stored by employees on endpoints is often at the heart of a business’ growth – contracts, customer lists, research, product roadmaps, etc.
The IP on your corporate endpoints is not only your most valuable, it is also the most vulnerable. Industry research says that as much as 70 percent of data loss incidents originate on the endpoint. According to a recent study, nearly two-thirds of business executives agree that IP loss can destroy a business. If you don’t have adequate protection for your endpoints, you’re putting the whole business at risk.
In order to justify IT spending, a risk must be measurable and pervasive – it must be painful enough to justify the opportunity cost of taking budget from growth strategies. Oftentimes, this means reacting to something that has already happened, such as suffering from a public data breach. With more IT budget now controlled by business function leaders, IT can’t afford to simply protect the status quo. IT investments must strategically help streamline the company’s growth initiatives, deliver operational excellence, and enable the business.
This shift isn’t necessarily a bad one. In fact, businesses are implementing new and promising risk strategies that put more risk management responsibilities on leaders of each business function. According to PricewaterhouseCoopers, more than two-thirds of businesses believe doing so will make their businesses more agile, and many who have already done so expect to see increased profit margin and business growth. But if not implemented correctly, poor risk tolerance strategies can lead to data not being fully backed up, productivity loss, inability to restore data reliably or efficiently, insider threats, cybersecurity vulnerabilities, and not fulfilling compliance requirements.
This can be devastating. Today, customers, both businesses and consumers, have a certain level of reasonable expectations. When companies fall short of these expectations, customers are unforgiving. If your customers cannot depend on you, they will turn to your competitors – and they won’t wait. Every minute that your services are unavailable or struggling affects the bottom line.
Pick your battles
Accepting some degree of risk is necessary in order to achieve the nimbleness modern enterprises need to thrive. Businesses must pick their risk mitigation battles—and endpoint IP isn’t getting enough attention from IT leaders. Some have decided that cloud-based sync and share products are a “good enough” solution to prevent data loss. It’s true that sync and share can be used to recover data in the right circumstances, but these products lack the full feature set of a true endpoint recovery solution.
Best-in-class solutions will recover lost IP, disarm ransomware (which is easily spread via sync and share), migrate users across new devices, offer users self-service restores, perform legal holds, and detect inside threats – all for about the same cost as sync and share services. With a workforce that’s more mobile than ever, and more IP than ever before on your endpoints, enterprises must ask these three questions when building a resiliency program:
1. Are your resiliency operations plans meaningful and actionable?
2. Do you include endpoints as a critical attack vector in your cybersecurity strategy?
3. How dependable is your current endpoint IP protection and recovery?
True enterprise endpoint backup is built to cover all endpoint data—securing that IP and enabling fast, reliable recovery, no matter the data loss scenario. Some products lack the data security and administrative control features necessary to mitigate some attack vectors, such as the increasing risk of inside threats.
With the right endpoint backup solution, users are covered from ransomware and other crypto-viruses, device failures, and even their own errors – and with a fast-paced, growth-focused enterprise, errors will occur. But with the right tool and a solid plan, your users can recover in minutes without waiting for IT to help them.
Organizations are walking a fine line by sacrificing resilience for business growth strategies. The wrong programs and processes can leave a business unable to reliably and efficiently restore critical data in the event of a data loss incident. These inherent flaws go beyond burdening the enterprise, presenting an unacceptable threat to business continuity.
Take, once again, the sync and share example. Sync and share products are great for productivity – they give finance teams an online space for collaboration, provide sales with a clear destination for pitch sheets and battle cards, give marketing a home for all collateral pieces, and more. But sync and share products cannot address lost or stolen laptops, ransomware, inside or insider threats, device migration projects, and many more common data loss scenarios. They don’t scale for these use cases.
The right endpoint backup solution can address all of these scenarios and more. By protecting your endpoints with endpoint backup, risks to revenue are minimized, and you maintain complete control of all your IP. With endpoint backup, revenue generation never stops, your client list stays in house, and IT burdens are reduced. Some risks are worth taking in the name of growth. Protection of the IP on your endpoints is not one of them.