Sandeep Bhambure on Fight Against Ransomware and Data Threats

In this exclusive interview with Sandeep Bhambure, Vice President and Managing Director of Veeam, delves into the critical role of data resiliency in today’s cybersecurity landscape. With ransomware attacks on the rise.

He discusses Veeam's innovative approaches to safeguarding businesses, including the concept of "Radical Resilience" and their comprehensive ransomware mitigation strategies. He also highlights the importance of aligning with India’s Digital Personal Data Protection (DPDP) Act and shares insights into the growing industry of Ransomware as a Service (RaaS).

DQ: Could you explain what the concept of "Radical Resilience" and "Bouncing Forward" mean?

Sandeep: The concept of "Radical Resilience" is about ensuring that IT environments are not only able to recover from disruptions but also able to "bounce forward." Data protection is still at the core of everything we do, but now, when we talk about "data resiliency," we mean the convergence of five key capabilities.

First, is data protection, having safeguards in place to prevent data loss. Then, data recovery—the ability to recover your data whenever and wherever it’s needed. Next is data freedom, which means being able to move data anywhere—whether between cloud platforms, on-prem systems, or across different geographies. Fourth is data security, ensuring that backed-up data is 100% protected from any threats, whether malicious actors or internal errors. Finally, data intelligence—leveraging data to gain insights that can help the business move forward.

When you bring these five capabilities together, it creates an environment where organizations can not only recover from disruptions without significant business impact but can also bounce forward. Essentially, after recovering, they can immediately start using their data assets to push their business ahead. That’s what we mean by “bouncing forward”—going beyond just recovery to futureproofing the business.

DQ: The whitepaper you released on ransomware is specifically targeted at Indian businesses. Could you share the key strategies you've outlined in the report?

Sandeep: Along with the comprehensive ransomware mitigation strategy white paper, we’ve also launched the Veeam Cyber Secure Program. This program takes an end-to-end approach to cyber resilience, and it’s built around the idea that no backup data should ever be compromised. The white paper provides actionable steps that organizations can follow to build resiliency into their IT environments, so they’re prepared to deal with ransomware and other threats.

One of the focal points of the white paper is helping businesses align with India’s new Digital Personal Data Protection (DPDP) Act and the CERTIN guidelines. As you know, the DPDP Act has been passed by Parliament, and it’s essential for organizations—especially those with global aspirations—to demonstrate that their data is secure. If businesses can guarantee that their data is protected, they’ll be able to compete more effectively on a global stage. This is why data protection laws like the GDPR in Europe or the U.S. data protection laws exist—they instill confidence in markets.

The white paper doesn't just provide an overview of ransomware threats; it also outlines concrete steps businesses can take, starting with robust data protection policies and practices. We emphasize impact assessment—businesses need to understand what data was compromised in the event of an attack, whether it can be recovered, and the potential impact on the business. This is key to creating a more resilient IT environment. Another recommendation we make is around awareness enablement training—people who handle data need to be fully aware of the risks and the steps required to safeguard that data.

We also highlight the penalties imposed by the DPDP Act for data breaches, which are significant. The Data Protection Officer (DPO) now reports directly to the Board of Directors, which shows how seriously data protection is being taken. The white paper helps companies develop strategies that cover preincident, during-incident, and post-incident scenarios, ensuring they are well-prepared for any cyber threats they may face.

DQ: The DPDP Act is still in its early stages, with certain compliance issues for companies. What are the challenges businesses face when aligning with these protocols?

Sandeep: While the DPDP Act sets out clear guidelines, compliance can be a challenge, particularly for companies that handle a lot of user data, like social media platforms. For instance, users often can’t access an app unless they provide their location, age, gender, and other personal information. While consent is a factor, there’s a question of whether this aligns with the principles of the DPDP Act.

However, that’s more of a security domain issue. Our focus is on data resiliency rather than front-end user authentication. The domain you're talking about—how organizations authenticate users and protect the attack surface—is handled by security solutions, which involve things like firewalls, perimeter security, and authentication technologies. Where we come in is after an attack happens.

Despite all the precautions businesses take with authentication and security, the reality is that ransomware attacks still happen. In fact, our research shows that 75% of organizations have experienced ransomware attacks, and some have been attacked more than once within a 12-month period. So, what we focus on is ensuring that backups are protected because backups are the surest way to recover from a ransomware attack. We work in tandem with security solutions to ensure that, if an attack occurs, the backup data is secure and the organization can recover without paying a ransom.

DQ: What is the 3-2-1-1-0 rule for data backups, and what does it stand for?

Sandeep: The 3-2-1-1-0 rule is a tried and true best practice for data protection. Here’s how it breaks down:

•  Three copies of your data should be maintained.
• These copies should be stored on two different types of media (for example, on-prem storage and cloud storage).
• One copy should be stored offsite, separate from the other two copies.
• One of these copies should be immutable or air-gapped, meaning it’s completely isolated and can’t be altered by ransomware or any other threats.
• The zero stands for zero errors during recovery, which means the backup data is guaranteed to be error-free and fully recoverable.

What this rule ensures is that even if ransomware targets your primary data and one of your backups, you still have a third copy that is protected and untouchable. This dramatically reduces the chances of data loss.

DQ: There’s a mention of "Ransomware as a Service (RaaS)" in the report. How big is this industry, and why is it growing so rapidly?

Sandeep: Ransomware as a Service (RaaS) is becoming a massive industry. The tools to create ransomware attacks are readily available online, and it’s becoming easier for people even those with limited technical skills to launch attacks. We have the largest pool of software developers in the world, and unfortunately, a small portion of them see ransomware as a way to make easy money.

There are even reports of recruitment drives in certain states to hire engineers or tech-savvy individuals to develop ransomware software. It’s a multibillion-dollar industry right now, and it’s growing rapidly. Independent research projects that by 2030, the global RaaS industry will be worth $23 trillion, with India alone accounting for $7 trillion of that. It’s growing at an alarming rate.

DQ: As ransomware attacks increase, which industries are most affected, and why?

Sandeep: The industries most affected by ransomware tend to be those that are heavily regulated, such as BFSI (Banking, Financial Services, and Insurance), healthcare, and insurance. These industries deal with highly valuable, critical data, which makes them prime targets for attackers. Because of the sensitive nature of the data they handle, these organizations are often willing to pay the ransom to get it back.

The reason these industries are so heavily regulated is that they’re dealing with data that is more critical than in other industries. Healthcare companies, for example, are regulated by agencies like the FDA in the U.S. and their Indian equivalent. Financial services are regulated by the RBI or SEBI in India. When you handle that kind of valuable, regulated data, you’re at a higher risk of being targeted by ransomware.

DQ: What new projects or trends do you foresee shaping your industry in the next few years?

Sandeep: One of the biggest trends we’re seeing is the shift toward data protection as a service. With the launch of Veeam Data Cloud, we believe this is going to be a high-growth area. More customers are looking to consume data protection and resiliency services in the cloud. That doesn’t mean on-prem solutions are going away, but we are seeing more demand for keeping immutable backup copies on cloud platforms like Amazon Glacier, Microsoft Azure, or Google Cloud.

Another trend we’re seeing is application modernization. About 90% of companies are either already on the journey of modernizing their applications or are planning to do so in the near future. That means they’re moving to containerized environments, and those containers will need protection. This is another area we’re focusing on making sure that data in these modern app environments is fully protected.

Lastly, the demand for multi-cloud data freedom is growing. Customers are looking for ways to move data between cloud platforms easily. For example, they might want to move data from Azure to AWS or vice versa. We provide that flexibility with our solutions. If customers want to switch cloud providers or take advantage of better deals, we make sure their data can move seamlessly, without any compromises.