18 Jun 2026
Organisations spend serious money on firewalls, endpoint detection, identity tools, SASE, zero trust, you name it. And then they get hit by ransomware and discover that none of it matters if the attacker has already deleted the backups.
The uncomfortable truth is that data storage security has to be treated as part of the same problem as data protection, but too often the two sit in separate conversations with separate budgets. Data growth is accelerating that problem. By 2028 the world will be producing 209 zettabytes of data annually, and the more data there is, the bigger the attack surface becomes.
Attackers Go for the Backups First
When a ransomware attacker gets into your environment, encrypting your data is not their first move. They spend that time mapping your estate, finding your backups, and working through them methodically before you even know something is wrong. The storage control plane is now a primary target, because attackers understand that once the storage resources holding your backups are compromised, recovery becomes almost impossible. They are not trying to get past your firewall for the thrill of it. They are after the data.
On average, only 65 percent of data is ever recovered after a ransomware attack, and a significant chunk of that unrecovered data is lost because the backup had already been compromised or was never there. Bad actors know that organisations do not monitor backup systems with the same vigilance they apply to production environments, so they work through the backup system piece by piece, and by the time the ransom note arrives, the recovery options are already limited.
In some cases the attack vector is not an external intruder at all. Insider misuse accounts for a large share of data exfiltration incidents, from a contractor connecting to a system without a VPN to an HR team bypassing identity and access management controls or an employee with excessive permissions and no monitoring in place. The breach does not always come through the front door.
Most Organisations Do Not Know Where Their Sensitive Data Is
The Thales Data Threat Report contains a finding that tends to stop people mid-conversation: only 34 percent of organisations have complete knowledge of where their sensitive data is stored. Two thirds of businesses cannot fully account for where their data lives, including data sitting in cloud storage, data on on-premises storage systems, data in a data centre that has not been audited in years, and data generated by applications that nobody has reviewed since they were deployed. In hybrid multicloud environments, where workloads span on-premises servers, public cloud platforms and edge locations, managing the data lifecycle becomes significantly harder, and data privacy obligations do not pause while organisations work out where their data is.
If you don't know where the data is, you cannot protect it, back it up, encrypt it, or write a recovery plan that reflects reality. In most cases organisations are protecting the data they can see, assuming the rest is fine, and hoping the gap never becomes a crisis.
The same report found that only 47 percent of businesses encrypt their data in cloud storage, meaning more than half are storing data in the cloud with no encryption in place. Data breaches in cloud environments are not rare events, and the businesses most exposed are those treating cloud storage as somebody else's data security problem. Good data protection starts with knowing where your data is and who can reach it.
Recovery Is Not a Nice-to-Have
The question boards and CISOs should be asking is not whether a breach will happen, but how quickly the organisation can recover when it does. And yet most recovery planning is theoretical, with playbooks written but rarely tested, backup schedules configured but almost never verified against actual recovery times, and disaster recovery plans sitting in a folder that nobody has opened since the day they were written.
A sound risk management framework for data storage security should cover immutable copies of critical data that cannot be altered or deleted by an attacker, air gapped vaults that sit outside the production environment entirely, and tested disaster recovery processes with realistic recovery time objectives. Security partners working in this space approach the challenge from different angles: Druva's platform detects suspicious backup activity in real time, catching deletion attempts in the early hours before the damage is done; NetApp's storage layer monitors file entropy continuously, flagging ransomware behaviour before encryption spreads across storage resources; and Wasabi's Covert Copy feature creates an invisible, immutable backup in cloud storage that attackers cannot see and therefore cannot delete. Different storage solutions, but the same principle: data security cannot be treated as a perimeter-only problem.
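The file-entropy monitoring mentioned above is simple enough to show in working code. The example below is added here for illustration; it is not code from this post or from any of the vendors named, and the 7.5 bits-per-byte threshold, the 50 percent snapshot ratio and the file contents are all constructed assumptions. It scores every file in a backup snapshot with Shannon entropy and raises an alert when most of the snapshot looks like ciphertext rather than the documents it held a day earlier.

```python
import math
import random
from collections import Counter

# Entropy threshold in bits per byte. Random or encrypted data sits near 8.0;
# text, source code and most office documents sit well below. Both 7.5 and the
# 50 percent snapshot ratio are assumptions chosen for this example, not any
# vendor's configured values.
ENTROPY_THRESHOLD = 7.5
SNAPSHOT_ALERT_RATIO = 0.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """Single-file check: high entropy is consistent with encryption (or compression)."""
    return shannon_entropy(data) >= threshold


def scan_snapshot(files: dict, threshold: float = ENTROPY_THRESHOLD,
                  ratio: float = SNAPSHOT_ALERT_RATIO) -> dict:
    """Score every file in a snapshot (name -> bytes) and decide whether the
    snapshot as a whole looks like it was taken after a ransomware run.

    A single high-entropy file is normal (archives, images); a snapshot in
    which most files have jumped above the threshold is not.
    """
    scores = {name: shannon_entropy(data) for name, data in files.items()}
    suspicious = sorted(name for name, e in scores.items() if e >= threshold)
    share = len(suspicious) / len(scores) if scores else 0.0
    return {"scores": scores, "suspicious": suspicious,
            "share": share, "alert": share >= ratio}


def constructed_snapshots():
    """Two constructed snapshots: a healthy one and the same files after a
    simulated encryption pass (deterministic random bytes stand in for
    ciphertext, so the example runs offline and reproducibly)."""
    rng = random.Random(2026)
    text = b"Quarterly report: revenue up 4 percent, headcount flat. " * 80
    csv = b"id,name,amount\n" + b"".join(
        f"{i},user{i},{i * 7 % 100}\n".encode() for i in range(300))
    healthy = {
        "report.txt": text,
        "ledger.csv": csv,
        "notes.txt": b"meeting at 10, bring slides\n" * 40,
    }
    encrypted = {name + ".locked": rng.randbytes(len(data))
                 for name, data in healthy.items()}
    return healthy, encrypted


if __name__ == "__main__":
    for label, snap in zip(("healthy", "after encryption"), constructed_snapshots()):
        result = scan_snapshot(snap)
        print(f"{label}: share above threshold = {result['share']:.2f}, "
              f"alert = {result['alert']}")
        for name, score in sorted(result["scores"].items()):
            print(f"  {name:22s} {score:.2f} bits/byte")
```

The snapshot-level ratio is the part that matters in practice: compressed archives and media files legitimately score close to 8.0, so a per-file threshold alone produces noise, whereas a sudden jump in the share of high-entropy files between two consecutive snapshots is the signal that encryption is spreading across the storage layer.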
The Data Storage Security Conversation Worth Having
Most organisations are still buying security from the perimeter inward, stopping at firewall, EDR and identity and access management without ever asking what happens to the data if an attacker gets through. The storage layer gets treated as infrastructure rather than security, the backup tool gets renewed because changing it is a headache, and whether data can be recovered never gets properly tested. That is a significant gap, and it is one that data breaches keep exploiting.
A phishing email landing in the right inbox is enough to hand an attacker access to cloud storage, databases, and file systems in one move, and the resulting data breaches often trace back to an unmonitored access point that nobody thought to lock down. SIEM systems can help correlate those signals, but only if the data from storage environments is feeding into them in the first place.
Regulatory compliance is adding further pressure to the data security agenda, with UK GDPR and the Data Protection Act 2018 placing clear obligations on organisations to protect personal data and demonstrate that protection to regulators.
The entry point into a better data storage security conversation is simple: ask when the last successful recovery test was run, ask how many backup tools are running across the environment, ask whether the storage platform would flag a deletion event happening at midnight on a Sunday, and ask whether immutable copies and air gapped vaults are in place.
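The question about a deletion event at midnight on a Sunday is one a storage platform can answer with a few lines of detection logic over its own audit trail. The example below is added here to show that check and is not code from this post or from any vendor; the log format, the action names and the business-hours window are assumptions, and the log lines are constructed for the example. It flags any destructive backup action outside business hours and, separately, a burst of destructive actions by one principal inside a short window, which is the "working through them methodically" pattern described earlier.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed backup-audit log lines for this example (not real vendor output).
# Timestamps are UTC; 2026-06-12 is a Friday and 2026-06-14 is a Sunday.
SAMPLE_LOG = """\
2026-06-12T10:02:11Z user=alice action=RESTORE_TEST target=vault/fileshare-2026-06-11
2026-06-12T10:30:44Z user=svc-backup action=DELETE_SNAPSHOT target=vault/fileshare-2026-05-01
2026-06-14T00:03:19Z user=svc-backup action=DELETE_SNAPSHOT target=vault/db-prod-2026-06-01
2026-06-14T00:04:02Z user=svc-backup action=DELETE_SNAPSHOT target=vault/db-prod-2026-06-08
2026-06-14T00:04:40Z user=svc-backup action=SHORTEN_RETENTION target=vault/db-prod
2026-06-14T00:05:15Z user=svc-backup action=DELETE_SNAPSHOT target=vault/db-prod-2026-06-13
this line is malformed and must be skipped, not crash the detector
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"user=(?P<user>\S+) action=(?P<action>\S+) target=(?P<target>\S+)$"
)

# Actions that reduce recoverability. The names are assumptions for this example.
DESTRUCTIVE_ACTIONS = {"DELETE_SNAPSHOT", "PURGE_VAULT", "SHORTEN_RETENTION"}
BUSINESS_HOURS = range(8, 18)         # 08:00-17:59 UTC, Monday to Friday (assumed)
BURST_THRESHOLD = 3                   # this many destructive actions by one principal...
BURST_WINDOW = timedelta(minutes=10)  # ...within this window raise a burst alert


def parse_line(line: str):
    """Return a record dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec


def is_off_hours(ts: datetime) -> bool:
    """True at weekends or outside the business-hours window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def detect_suspicious_deletions(log_text: str) -> list:
    """Scan audit lines and return a list of alert dicts.

    Two rules: any destructive action off-hours, and a burst of destructive
    actions by one principal within BURST_WINDOW (reported once when the
    count first reaches BURST_THRESHOLD).
    """
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps of recent destructive actions
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] not in DESTRUCTIVE_ACTIONS:
            continue
        if is_off_hours(rec["ts"]):
            alerts.append({"kind": "off_hours_deletion", "user": rec["user"],
                           "ts": rec["ts"], "target": rec["target"]})
        window = recent[rec["user"]]
        window.append(rec["ts"])
        while window and rec["ts"] - window[0] > BURST_WINDOW:
            window.popleft()
        if len(window) == BURST_THRESHOLD:
            alerts.append({"kind": "deletion_burst", "user": rec["user"],
                           "ts": rec["ts"], "count": len(window),
                           "since": window[0]})
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_deletions(SAMPLE_LOG):
        print(alert["ts"].isoformat(), alert["kind"], alert["user"],
              alert.get("target", f"{alert.get('count')} actions since {alert.get('since')}"))
```

In the sample the single Friday-morning snapshot deletion passes silently, as routine retention expiry should, while the four actions early on Sunday morning produce four off-hours alerts and one burst alert. Feeding these events into a SIEM is the step the post calls out: the rule is only useful if the storage platform's audit trail reaches the people watching for it.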
Most organisations will not have good answers, and that's where the conversation starts. Once you start asking the right questions, the value of treating data protection and data storage security as one discipline becomes hard to ignore.