The ‘Set It and Forget It’ Era Is Ending for Financial Services
Published: 3 years ago
By Dave Russell, Vice President of Enterprise Strategy at Veeam
As one of the most heavily regulated industries, especially since the 2008 crash, the banking and financial community is not likely to be cavalier when it comes to data backups. However, many firms have simply relied on their Software as a Service (SaaS) provider’s recycle bins to keep their data safe, a habit born out of the misunderstanding that SaaS companies protect the data running across their environments.
From our experience with customers, we’ve found it has come as a shock for many SaaS purchasers in this sector to find out that responsibility for data protection lies with them, the data owner. Today, views are evolving. Veeam’s Data Protection Trends Report 2022 shows that SaaS and backup admins believe programs like Microsoft 365 and Salesforce need more robust backups to protect data from cyber threats and accidental deletions.
Still, many continue to have a “set it and forget it” mindset. A large percentage of users are relying on more functional tools that SaaS providers have started to embed in their platforms to back data up. Many in that group haven’t necessarily ruled out more robust backups; they’re just proceeding with the assumption that they don’t need more protection.
Unlike many industries, the financial sector was amongst the earliest adopters of backup systems. Resilient IT satisfied compliance requirements for key accounting systems, and kept the economic wheels turning. It also helped ensure the continuation of essential technology and national infrastructure during the era when the UK’s financial centres were targeted by bombs.
In today’s 24/7 cloud-based age, the nature and type of threats may have changed, but the fundamental need for resilience is constant. Similarly, the need to embrace IT for economic advantage and business benefit remains as important as ever. And SaaS has a vital part to play.
SaaS clearly offers many benefits from an efficiency standpoint. The barrier of entry to getting started is low. Organisations can take advantage of OpEx models, allowing them to pay as they go. SaaS applications can also integrate seamlessly with existing mechanisms – such as multi-factor authentication for identity management – and SaaS providers often offer expertise in designing, configuring, optimising, and/or managing a solution that the data centre may not have.
But over-relying on them can have consequences. For one, organisations do not have as much control over the service delivery or the infrastructure it runs upon. While that can be seen as a benefit in terms of outsourcing responsibility, it is a drawback in the event that an incident arises, and in fact this speaks overall to the ability to influence the specifics of a service that is delivered in this manner. There are additional pressures for the banking and financial sector, not only because their services are vital to all of our lives, but for regulatory reasons too. If there is an impact for customers accessing their bank accounts or affecting transactions, it could cause huge disruption, inconvenience, and loss of trust. From the banks’ perspectives, the potential financial loss, combined with loss of stakeholder and market confidence, is vast.
Common misconceptions
As alluded to, the biggest security and data protection misconception that financial services organisations have when moving to the cloud comes down to this: SaaS providers don’t do everything you want them to do. The best corollary is the shift to Microsoft 365 since many organisations moved from on-premises Exchange to SharePoint. Users of Microsoft 365 rightly assume that any outages involving applications, network controls, operating systems and physical networks will be managed by the SaaS provider.
But the largest number of outages aren’t caused by SaaS providers themselves. They can also come from employees – whether they are bad actors with malicious intentions, or simply make an unfortunate mistake. The biggest issue by far is accidental deletion. If you don’t have robust backup, your data could be gone. It’s like renting a car: SaaS providers make sure the car is fueled up and ready to go, but once you drive it off the forecourt, it’s your responsibility.
History has proven that whenever a new model becomes popular, people make wrong assumptions about how certain issues will play out. That’s happening now when it comes to data backup. While IT decision makers understand the benefits of shifting responsibility for deployment, upgrades and shifts in capacity, many don’t realise the actual responsibility of the data usually remains with the tenant. SaaS providers’ shared responsibility models spell it out clearly: The data will remain the responsibility of the client. It’s the only thing that’s consistent across the cloud.
Formulating backup strategies
Here are several solutions financial services organisations should have in mind as they formulate backup strategies for SaaS:
Focus on preparation – It’s hard to prepare for a problem you don’t know you’re going to have. But if you have the data, you’ll be well suited to handle that type of incident. If you prepare your SaaS application for an incident you don’t know you’ll have, you’ll have control of your data.
Assume the worst – Whether it’s on prem or off, bad things can happen. It likely won’t involve equipment failure; the cloud is good at being resilient from an infrastructure perspective. But with data, mistakes happen. According to Veeam’s 2022 Data Protection Report, on average, organisations were only able to recover 64% of their data from a ransomware attack ― meaning over 1/3 of data is typically unrecoverable. For the finance sector in particular, leaders need to keep in mind that as the cyber landscape remains rocky, it is imperative they question whether their data protection solutions are up to scratch.
Keep compliance in mind – The UK Banking Act of 2009 sets out requirements for banks to ensure both continuity of services and critical functions, whilst also protecting and enhancing the stability of the UK’s financial systems. The Tripartite Authorities (Bank of England, Financial Conduct Authority and Prudential Regulation Authority) seek compliance and require organisations to keep data for several years. SaaS backups, however, often are set up for a maximum of 120 days. There is a clear disconnect, which you – as data owner – need to be aware of. If you don’t consider that up front, you tend to find out after the fact. And it’s hard to restore what you haven’t backed up.
Check your responsibilities – Organisations should be very familiar with the shared responsibility models their SaaS providers offer. Know where your data is and be able to facilitate e-discovery situations.
Plan an exit strategy – The best time to negotiate exit strategy costs and methodologies is before you integrate a SaaS backup solution. It could be possible for the provider to hold your data hostage at a price point that they determine at that time.
Conclusion
Today, more and more financial services organisations are embracing SaaS to run mission-critical business functions. However, to be specific, it is a Modern Data Protection platform that can embrace all data wherever it resides that can be a powerful weapon for banks as they make this shift, without compromising resilience or regulatory compliance. Data is their lifeblood and relying exclusively on SaaS backups could subject them to a rude awakening.