So here to tell us why we need data backup and how AI can help, please welcome my colleague Senior Analyst Mike Small.

Thank you very much. Thank you everybody. So backup is boring.
You know, this is something that's been around for ever more and yet it's never more been needed. And the reason for that is that when I first came across backup, it was because computers and the systems that surrounded them were very unreliable. Now it's because we're under attack. You can see that the fact that we have digitalized our businesses, that we've digitalized our whole life and digitalized society, we've become extremely vulnerable to cyber attacks. The cyber threat actors are very well aware of that and they recognize how to monetize it.
To give you some of the examples that you can see on here, that in the beginning of this year, the hospitals in London had to cease giving chemotherapy and other kinds of treatment to very ill patients because an organization, not the NHS, an organization that was a supplier of blood testing was hit by a ransomware attack. Later in the year, there was the British Library that was hacked and that took several months to get itself back on to being operational.
So across the world, we are seeing an increasing number of cyber attacks and there are lots of sources that describe the kinds of attack you're getting or what you need to protect against. Now because of this and because of the fact that society has become so dependent upon digital infrastructure and digital systems, governments have taken notice. There was in the US, the US executive order around this and back in 2016, the European Union came up with what was then the Network Information Security Directive, which is now in the course of being revised.
One of the key revisions that is being made to this is to increase the scope, the number of organizations and the kinds of organizations that actually need to comply with this has extended from beyond infinite internet security providers, data center providers, to lots of businesses that are in fact critical parts of our everyday lives. One part that we all depend upon all the time is the financial services industry. If you didn't before the pandemic, now the majority of people don't use cash.
The majority of people depend upon banking and payments that are effectively using a card, a card reader and some kind of communication system. All of that is incredibly fragile when you look at it. All of these things are now subject to regulations. So in the EU, we have NIS2 and also DORA, which is this Digital Operational Resilience Act, which is a specific version of NIS2 for the financial services industry. Now both of those regulations specifically mention the need for things like backup as part of your data resiliency planning.
It is really good that many organizations have put lots of money into prevention, but what many have forgotten is to put money into how you can recover and restore. And so it isn't just an optional extra, the need for backup and incident response is specifically mentioned in NIS2 and in the regulatory technical standards that go around DORA. So how does business manage in reality? Well actually, survey after survey tells the same story.
And this is a survey run by the UK National Cyber Security Centre and it runs it every year and what you find from this is that while organizations have put a lot of money and time and effort into some of the preventative measures, very less numbers have actually invested in proper disaster recovery planning and in things like being able to be sure that you can restore data afterwards. Now this is particularly important because another study by IBM showed that when an incident had occurred, the majority of organizations then subsequently increased investment in resilience and recovery planning.
So there is evidently a mismatch between the way in which people believe that they are able to recover and the reality. Now I have come across organizations and I ask a question, have you got a disaster recovery plan? Yes, check. Have you tested it? Yes, check. Did it work? No. No, it was a failure. And what did you do about it? We said we'd rectify it next time. So the problem is that planning for recovery is something that you need to focus on and you need to get people to practice it because when the proverbial hits the fan, it's too late and everybody's in too much of a panic mode to know what they're supposed to do.
So basically what the message is from this is that you need to be prepared and being prepared means that you must invest in the technologies, the processes and the people that you need to respond to an incident as well as to prevent them from occurring. Because in today's environment, it's 100% certain that you will be subject to one of these incidents, not a question of if. And that involves a lot of preparation. It involves having the right people. It involves having a team. It involves having the data that you need and having a plan for communication.
And the process that is involved in recovery is complex and you can see here the steps that are involved. But one of the critical parts of that is having the data to recover because if your business data has been encrypted by ransomware, how do you get your systems and your business systems back if you don't have a good copy? Now all that sounds very good but it's actually more complicated than that because there was a time when simply if you could recover your business data, you were good to go. But in fact, in the modern environment of IT, everything depends upon data.
The environment is in fact virtual. You no longer have a trusted little computer sitting under your desk or in your data center. What you have is you have a physical network with physical servers that are shared through virtualization and that virtualization is defined by data. So in a typical modern app, you have hundreds of containers, each of which are communicating through a software-defined network and as well as those containers in that network, you have things like load balancers and other forms of web servers and things like this.
Now all of that is constantly changing because we're in a DevOps rapid development world and so any day there's probably dozens of changes being made to that. So it's not sufficient just to capture the content of a database. If you want to restore your modern container-based application running in the cloud, you actually need to have a snapshot of all of that. So the snapshot of your server is maybe part of it, but it's not the complete story. If you don't have that data and you can't get it back, then you don't have a business basically.
All of this has got another layer on it, which is called machine learning. Now machine learning introduces machine learning and Gen AI introduce some new challenges and some new opportunities. The opportunities are that they are technologies that potentially can help to detect abnormal activities and fraudulent things going on, but they also involve data and it's really important that that data is in fact properly preserved and properly brought back. Much of that data is in the exotic databases that in fact are not normally covered by the things that you would normally back up.
You have to remember that it isn't sufficient to say that you've got it in the cloud. So in order to be able to recover, you need to be able to bring back the data that defines not only your business activities, but also the complete network environment that your applications depend upon and that is actually not an easy process.
When you have brought that back, and incidentally I have come across occasions where when people have tried to bring back a multi-container based environment, it has taken weeks and if not hours to do that if they didn't have the right kind of snapshot, that only then can you start to rebuild and rerun the applications that your business depends upon and that means restoring the service.
Just to remind you now that in this new world, what you've probably rebuilt is all of the applications, all of the software defined network between them, all of the other services like the load balancers and so on.
In addition to that, you may now have to be bringing on board some AI related things. And just to give you an idea, each of these applications is probably individual and each of them will have their own requirements, and Gen AI is going to make this more difficult because IBM think that in the next five years there's going to be a billion more apps because people are going to use Gen AI in order to help them to develop the apps. So having explained that to you, how do you choose a backup in today's complex world?
So to help you to do this, we have written a report which is on cloud backup and disaster resilience and takes into account what you need to deal with AI based applications as well as to exploit AI technologies. So our leadership compasses cover all of these different things, which is product leadership, innovation leadership, market leadership and overall leadership.
In our research for this, we covered these particular areas, which include things ranging from how you protect against ransomware because the bad guys have recognised you might have a backup and they are going to try and attack it and attack the backup processes as well as the backed up data. Right through, do they support you in the processes for recovering from disasters? Do they make it easy for you to bring back a coordinated set of services? Right through to how do you deal with things like software as a service?
In terms of the vendors that we've covered, there is this list which you will recognise most of the major vendors as well as some of the smaller ones that actually have sort of interesting niche or boutique type products that are relevant for small to medium sized businesses.
Here is the kind of chart that you would find in this, which illustrates the vendors that we think are the leaders in that field, and this is the overall leadership, with ones that are challengers. And the ones that are overall leaders have good financial strength, they have a good product, they have a good record of innovation and they have a big user base that allows you to be sure that it's going to work for you.
Now not every business has the same requirements and so to help with that we provide a set of radar charts that show the particular strengths related to any given vendor which allows you to match your specific requirements to that vendor's particular capabilities.
So basically the message from this is, if you want cyber resilience, you are going to have to back up or else you're going to have to face the problems that that leaves you with. And so in summary, the story is that digitalization has brought many benefits, but it also makes you much more dependent upon the digital infrastructure. And so what you need for cyber resilience is to increase that in order for your business to be able to continue in this digitalized stage, and that actually really means data resilience, because all of your computer systems are now basically data that defines how you're using some kind of shared physical infrastructure. And so the solutions that you can see here, or the points I've talked about, is that the more complex the modern environment is, the harder it is to be able to recover.
So back up or else. Thank you very much.

That was a very clear message, Mike. I just wonder, are there any questions in the room? I ought to start by saying, especially for the people who are joining online, please put your questions into the app if you have, but obviously if you're in the room it's much easier if you just kind of raise your hand and belt out your question. Do you have a quick question for Mike? He's got like a couple of minutes or a minute left. No quick questions in the room?
In the absence of a question in the room, Mike, I just wanted to ask, you know, with PCI DSS we often saw organizations were breached even though they were compliant, so to what extent can people rely on this and DORA, or are there best practices beyond those that they need to focus on?

Well, regulation is always behind the game and that there are a whole series of best practices and standards and these are well documented, and indeed the next speaker comes from one of the organizations that in fact creates and maintains these kinds of standards.
So I think the best thing is to follow the best standards. If it's a bit like the Ten Commandments, if you follow the Ten Commandments then you're going to be good to go, and those are better than trying to follow all the laws that never quite keep up with them.

All right, sage advice from someone who's really experienced in this industry. Mike Small, thank you.