But first, let's explain how we got here

Data and Methodology

Rubrik Zero Labs strives to deliver actionable, vendor-agnostic insights to reduce data security risks. To that end, we incorporated findings from four primary sources.

Rubrik Telemetry

We utilized Rubrik telemetry in an effort to understand a typical organization's data estate and the risk realities.

Wakefield Research

Perspectives from 1,600+ IT and security leaders

Rubrik Partners

Research and guidance from two Rubrik partners


Contributing Organizations

Research from respected cybersecurity organizations and institutions



Let's Talk About Risk


Let's set the ground rules for how this study approached risk.


We're going to make the “risk math” easy:

What is the likelihood your data will be affected by an external entity


What is the risk resident in your data today


The impact that's likely to produce


Your decisions in response to the impacts


Risk Math

In your face big math!


We're going to focus on data.

As a data security company, our strongest insights involve an organization's data—as opposed to its infrastructure or architecture—so we focus on risks in and to your data.

Specific Focus Areas

Let's be honest. You're busy. None of us have time for a full deep-dive on every aspect of data security. We intentionally narrowed this study to a few key topics:



Commercially available clouds have now existed for decades. Yet, confusion about cloud data security remains. The cloud is targeted with more frequency—and more success—than its on-premises counterparts. It also contains blind spots that make it difficult to defend.



Not too long ago, experts predicted ransomware's decline. It didn't really happen, and ransomware continues to wreak havoc on organizations of all kinds.



With few exceptions, healthcare organizations produce and store more sensitive data and are subject to more regulatory scrutiny than other industries. A fringe benefit of the regulatory pressures on healthcare is more publicly available data to study.


Who is this study for?


Intelligence should inform the right decision-makers, and risk decisions typically happen at the senior-leader level.


Our goal is to inform and aid these senior-leader discussions across business, cybersecurity, and IT functions.

By giving these decision-makers a common place to start from, they'll be better prepared to tackle risk together.

Now let's talk a little bit about how people perceive risk.


Humans don't deal with uncertainty well. When faced with the possibility of something happening, we like to think either:

If a meteorologist tells you there's a 52% chance of rain in your area, they're not telling you definitively, "Yes, it will rain," or "No, it won't."

Then there are the details we really want: How much rain? Is it a sprinkling or a deluge? Do I just stay home because I didn't want to go to the office anyway?
These decisions are yours and yours alone.

It would be nice if you only had to make these decisions once.

But... it just doesn't work that way.

Let's start with the external threats you should consider.


Let's start with a basic question:

Are attackers likely to target my data?

Nobody can tell you with 100% certainty if you'll be hit with a cyberattack, but we can tell you what happened to your peers last year.

Almost all your peers dealt with cyberattacks about every other week


Here's what last year looked like across IT and security leaders:


of IT and security leaders reported their organizations experienced a significant cyberattack last year.


The average frequency was 30 malicious events brought to senior leaders' attention across 2023.


of external organizations conducted a formal data loss notification to a governing organization.

Cyberattacks are far more likely than physical theft or fire.

To put the likelihood of cyberattacks into perspective, a European insurance company compared cyberattacks to traditional threats in the same timeframe and found:


Organizations are 67% more likely to experience a cyberattack than physical theft.


Organizations are five times more likely to experience a cyberattack than a fire.


of organizations do not know what actions to take in the event of a cyberattack.


Attackers are comfortable targeting hybrid environments.


So if you're likely to be targeted, it's useful to understand where and what is likely to happen. Of the 94% of external organizations victimized in a cyberattack, many were attacked across multiple environment types:

67% SaaS

66% Cloud

51% On-Premises

And here's some perspective on the two most common types of attacks in these environments:

38% of these organizations had at least one data breach from a cyberattack.

33% of these victims endured at least one ransomware attack.

Almost all cloud tenants were targeted, and 2 out of 3 were compromised in 2023.

We didn't just find this in our own research. Proofpoint reported:

94% of cloud tenants were targeted every month last year.

62% of targeted cloud tenants were successfully compromised.


Attackers have access to your data for days before being found.


Mandiant measures dwell time as the number of days an attacker is present in a victim's environment before detection.

10 DAYS The global median dwell time across all events was 10 days last year.

5 DAYS The global median dwell time for a ransomware event is 5 days.


These are the shortest dwell times ever observed by Mandiant.


This still represents a significant length of time for malicious actors to accomplish their goals.

You're not imagining it. There's more ransomware (70% more).


Recorded Future tracked a significant increase in publicly reported ransomware attacks last year:

358 reported ransomware attacks against healthcare (46% increase YoY).

4,399 reported attacks across all industries (70% increase YoY).

Now let's shift focus and look at your data.


If you know the odds of an attack (and let's face it, they aren't great), it makes sense to do everything you can to minimize your risk by reducing:


At the end of the day, what we're trying to do is deceptively simple (on paper). We're trying to protect:

We must examine both sides of that equation. Let's take a look at what our operations expect our defenders to secure.


Healthcare defenders are responsible for securing a larger data surface area, with more sensitive data, and that is growing faster than the global average.


Healthcare organizations secure 22% more data than the global average.


A typical healthcare organization saw their data estate grow by 27% last year (23% for a global organization).


A typical healthcare organization has 50% more sensitive data than the global average.


Sensitive data records in healthcare grew by more than 63% in 2023, far surpassing any other industry and more than five times the global average (13%).


Organizations had a record-setting number of issues to tackle last year.

Vulnerabilities are not a perfect exposure measure, but they do provide a solid view on the scope and scale of inherited risk from vendors.

2022 was a record-setting vulnerability year with the highest reported number ever.

2023 set a new record, a 16% increase over the previous record.


Organizations are becoming more dependent on cloud and SaaS.

Demands on a modern business necessitate an increased focus on the cloud. We see the nature of hybrid environments consistently moving towards cloud and SaaS while deprioritizing on-premises architecture growth.


Cloud Data Security

Blind spot #1:

70% of all data in a typical cloud instance is object storage.

Object storage represents a common blind spot for most security appliances because it's typically not machine readable by these same technologies.


Blind spot #2:

88% of all data in object storage is either text files or semi-structured files, such as CSV, JSON, and XML.

So let's assume your tooling and process can see inside object storage. Here's another issue: unstructured data (such as text files) and semi-structured data represent another blind spot for security as these data types vary wildly in being machine readable and/or covered by prominent security technologies and services.


Blind spot #3:

More than 25% of all object stores contain data covered by regulatory or legal requirements, such as protected health information (PHI) and personally identifiable information (PII).

Put simply, the cloud comes with inherent risk because it contains critical organizational capability and also stores regulated data while simultaneously having fewer security capabilities and less visibility compared to on-premises assets.


Most backup solutions are not up to the task.

Backup and recovery technologies are critical components for virtually all organizations. They've been used for disaster recovery and business compliance for decades. However, most organizations struggle to get these solutions to actually work.


Rubrik Zero Labs previously found that more than 99% of external organizations reported having an existing backup solution.


However, more than 93% of these organizations encountered significant issues with their existing solution.


70% of organizations do not store backups offsite or their backups are not immutable.


Almost 40% of Rubrik-observed organizations have not set compliance policies for their data backups.

Bad news:

Cybercriminals are hip to the backup game and routinely target backups.

Attackers almost universally attempted to remove backup and recovery options from defenders.

External organizations that reported a successful attack observed:


Attackers tried to affect the backups in 96% of these attacks.


And were at least partially successful in 74% of those attempts.

Cybercriminals are taking out insurance policies against effective restores

Attackers are evolving their approach to ransomware based on defender actions. Instead of simply encrypting data, cybercriminals also steal data and threaten to publish it. If their target can thwart the encryption event with a swift recovery, ransomware actors have another way to drive a payout.


The number of times threat actors potentially exfiltrated data after an initial compromise has doubled since November 2022.


Data breaches have a 12% higher overall impact on organizations than ransomware alone.


of external organizations that endured a successful ransomware attack reported paying a ransom demand with 58% of these payments motivated by threats to leak stolen data.


Now that we know the likelihood, let's take a look at the impact.

Going back to our weather forecast, the story of your day doesn't end when it rains.

You still have to live your life. But now you need to adjust to the conditions.

How are you going to stay dry?
Does the dog get walked in the rain?
What happens when you inevitably get rained on?


Likewise, a cyberattack sets off a whole slew of remediation, recovery, and reporting efforts.

How painful these efforts are depends on how well you prepared for these outcomes in the first place.

Let's look at the fallout from cyberattacks, specifically ransomware, against healthcare organizations last year.

This is what happens after the cyberattack.


Approximately 1 in 3 Americans had their healthcare records compromised last year.


people (on average) were affected by a single cyberattack against healthcare last year.

people had their records compromised from cyberattacks against U.S. healthcare organizations last year.

Ransomware attacks on healthcare organizations impact almost 5 times more sensitive data than the global average.

Rubrik measures both the ransomware encryption blast radius and the sensitive data impacted by this blast radius. Impacted files include encrypted files, deleted files, and exfiltrated files.

Here's the impacted data for a typical healthcare ransomware encryption event in a production environment:

8.4M affected sensitive data records

20% of an organization's total sensitive data holdings impacted

The average global organization at large typically experiences a much smaller impact to its sensitive data.

1.7M affected sensitive data records

6% of an organization's total sensitive data holdings impacted

Virtualization really matters for healthcare and ransomware

Now let's examine where ransomware encryption happens

This is likely driven by two factors.

1: Virtualized architectures typically have less security coverage compared to traditional endpoints. This creates security dead spots and simultaneously allows attackers unfettered access.

2: Once attackers gain access to virtualization control panels, they can often move at speed and scale using only compromised credentials.



Ransom payments vary wildly

Initial ransom demands are often higher than the actual payouts. Palo Alto Networks Unit 42 noted the following trends in ransom payments across last year:

[Figure: median demand, median payment, and median of top five largest payments, all industries]


Backups and data theft greatly affect a victim's likelihood to pay a ransom.

The University of Twente studied factors that caused victims to pay a ransom and separately what impacted the size of an actual ransom payment. Their findings indicated:

Organizations with recoverable backups were


Data exfiltration led to a higher likelihood of paying a ransom and higher ransom payment amounts.

Paid the ransom with data exfiltration

Paid the ransom without data exfiltration

5.5X larger ransom payments were made when data exfiltration was involved compared to encryption-only events

Storage overload: The recovery blindside nobody sees coming

When it rains, it pours. Few organizations are prepared for the data deluge caused by ransomware.

If a single healthcare ransomware event encrypts and modifies 16.8 million files, this means the encryption event created 16.8 million “new” files for the victim (13.7 million new files for a typical organization overall).

These files are backed up as new files. This consumes vast amounts of storage capacity at the moment of the encryption event.

If a victim's pre-ransomware storage is over 70% capacity, this “new” data could max out an organization's recovery capacity within one to two weeks.

To make this problem more profound, ransomware victims often need to create more “new data,” such as forensic images for analysis and immutable copies for legal purposes. In many cases, response/recovery workflows also require duplicate data. Put simply, a victim must create even more new data as part of the response process immediately after the attacker created a large amount of new data.

In the 200+ recovery operations in the Rubrik Ransomware Response Team's history, this issue typically leads to one of two outcomes. The organization either needs to:

1: Rapidly increase data capacity, which requires financial investment and adds workforce pressure.

2: Degrade recovery capabilities to slow data growth, which in turn limits recovery options in critical timeframes.



Ransomware fallout directly contributed to at least 42 US deaths.

In any ransomware event, there's the data impact. The real risks, particularly for healthcare, are also measured in operational impacts and lives.

The University of Minnesota Twin Cities - School of Public Health studied real-world impacts to hospitals and patient care caused by ransomware events between 2016 and 2021. They found:

1 in 4

While only 5% of US hospitals were directly affected by ransomware during the study's timeframe, an additional 20% of hospitals suffered ripple effects when patients were transferred or diverted from the victim hospitals to surrounding hospitals.


A typical hospital lost between 0.5 and 1% of their total annual revenue as a direct result of a single ransomware attack.

2-3 wks

Hospitals averaged two to three weeks for a return to typical patient care levels following a ransomware attack.

42-67 deaths

The fallout from ransomware attacks directly contributed to between 42 and 67 patient deaths.

These attacks aren't just affecting data, businesses, or individual privacy anymore. There's direct evidence cyberattacks are a life and death issue.

These new realities start the risk calculus all over again.


After the initial response is done and organizations return to relatively normal operations, the fallout from a ransomware attack continues producing risk impacts.


There's bad news and good news here for us.

Ransomware Recovery to Reset

of IT and security leaders are extremely or very concerned about their organization's ability to maintain business continuity during a cyberattack.

of external organizations believe their Board of Directors or C-suite has little to no confidence in the organization's ability to recover critical data and applications in a cyberattack.


Cyberattacks produce predictable problems to solve.

Here are the most frequently identified problems during a cyberattack and the most common changes organizations should prepare to encounter after a cyberattack:

External organizations provided the single biggest limitation they faced during a cyberattack:


Issues working across a hybrid environment


Lack of alignment across teams


Ineffective backup and recovery solutions


Lack of leadership involvement


Visibility challenges


These are the most common changes external organizations encountered because of a cyberattack:


Increased senior leader scrutiny


Changes in cybersecurity technology


Reworking cybersecurity plans and procedures


Increased accountability enforcement


Drop in morale among IT or cybersecurity teams

After a cyberattack, external organizations reported:



Increased spending on new technologies or services



Switched vendors or third party relationships



Hired additional staff

You cannot eliminate risk, but you can influence the risk cycle and affect your new risk baseline.


Just because you weathered one storm doesn't mean it'll be the last one you face.

In fact, you'll almost certainly face another one and that storm will bring new, perhaps unforeseen risks, with the potential to catch you off-guard.


We'd also love to tell you there are options to change the risk factors controlled by the attackers, but unfortunately our analysis tells us that pursuit is almost as futile as trying to control the weather.

Like most things in life, you cannot control what happens to you, but the good news is you can control the risk reset and subsequent impacts. Let's dig into the data on how to successfully navigate the risk reset. Each of the risk recommendations is derived from findings about the cyberattacks, the data impacts, or the expected outcomes.

What Actually Impacts Your New Data Risk?

Here are the most impactful levers you can pull to significantly improve your data risk:



Prepare to challenge attackers across all aspects of a hybrid environment. Attackers are already working successfully in hybrid environments, and our organizations are moving that way.


Increase your data visibility, specifically:

  • Expand your view across all aspects of hybrid environments.
  • Know where your sensitive data is located and what type of regulatory aspects apply to specific data elements.
  • Prepare to address new leader scrutiny and demonstrate how recent investments will lead to anticipated outcomes.


Prepare to recover, and prepare for attackers to contest your recovery.


This includes:

  • Ensure backups are fully immutable and available during a cyberattack.
  • Automate as much of the recovery process as possible.
  • Test recovery outcomes across hybrid environments.
  • Leverage existing security services and technologies to test the immutability and integration of backup technologies.



Anticipate increased leadership scrutiny and proactively communicate your efforts.


Know your data (especially your sensitive data) is growing. Learn to control that growth and prioritize the defense of critical data.


Prepare to answer regulatory and legal questions in the middle of a ransomware event with an actively encrypted environment and attackers threatening to leak stolen data.


Know that cyberattacks often lead to new technology, increased staff, and switching vendors or partners. Be prepared to capitalize on these change periods to address the most impactful options.

Find ways to unify different teams before, during, and after a cyberattack.


This includes:

  • Create combined playbooks and tabletop exercises.
  • Determine which team is best suited for specific risk decisions.
  • Establish the best way to get the right data to the assigned risk owner.
  • Ensure all teams have the same data viewpoint to enable faster decisions and decrease potential resistance from competing viewpoints.

Communicate plans and outcomes regularly across your entire organization to address dropping morale from cyberattacks and re-instill confidence across teams.


Admittedly, Rubrik Zero Labs approaches risk from a data-driven perspective. Let's expand our view to include key resiliency recommendations from Microsoft's 2023 Digital Defense Report. Microsoft's vantage point is decidedly different from Rubrik's, which, we hope, will in turn strengthen any risk reduction effort.



Microsoft assesses that basic security hygiene for data will protect against 99% of all attacks.

Specific recommendations are:

  • Enable multi-factor authentication
  • Apply zero trust principles especially for assets securing critical data and functions
  • Use extended detection and antimalware to cover critical parts of hybrid environments
  • Keep up to date on patching key systems and applications
  • Protect your data by understanding what data is critical, where it is located, and implementing appropriate defensive measures for these enclaves

If we dive one level deeper to Microsoft's view on ransomware, they advocate for "The Foundational Five" as the best path to eliminate ransomware impacts:



Modern authentications with phish-resistant credentials


Least privileged access applied to the entire technology stack


Threat and


Posture management for compliance and the health of devices, services, and assets


Automatic cloud backup and file-syncing for user and business-critical data


We started this report by simplifying our risk math: We need to defend THIS from THAT.


In practice, risk is an incredibly complex topic where:


Because of the literal millions of variables involved, you'll never be able to fully pin down your risk—or completely eliminate it. What you can do is get a handle on the most impactful levers, work to address predictable outcomes, and take distinct actions to change the risk calculus in your favor.


We hope this study provided some insight on data risk reduction and better prepares you for the evolving risk cycle.





Rubrik would like to extend our appreciation to the organizations providing their hard-earned data knowledge to this study.

  • Our partners at Microsoft and Aon provided both strategic direction and supporting data.
  • The following organizations allowed us to use their analysis and provided clarifying material to ensure appropriate categorizations:
    • Proofpoint
    • Recorded Future (Allan "Ransomware Sommelier" Liska)
    • Mandiant (Kirstie "Swiftie" Failey)
    • Palo Alto Networks Unit 42 (Ingrid Parker)
  • The University of Minnesota Twin Cities School of Public Health (Hannah Neprash, Claire McGlave, and Sayeh Nikpay) allowed us to leverage their findings, provided a deep dive into their research, and worked with Rubrik Zero Labs to ensure their academic research aligned with Rubrik Zero Labs industry research.



As with all things Rubrik Zero Labs, it takes a village to pull off these studies. Wakefield Research provided external data to make this research as objective as possible. Shaped By found a way to take the data and bring it to life. Finally, many Rubrikans worked hard to provide capability, context, and guidance. We'd like to extend a specific appreciation to Amanda "Danger" O'Callaghan, Linda "Taskmaster" Nguyen, Lynda "Go Niners" Hall, Ben Long, Peter "I'm the Law" Chang, Ajay Kumar Gaddam, Ryan Goss, Derek Morefield, Josh Burns, Gunakar Goswami, Prasath Mani, Puja Ramesh, Ethan Hagan, Kevin Nguyen, Caleb "Social King" Tolin, Kelly Cooper, Hannah Battillo, Caitlin "Plz stop letting Steve talk to reporters" O'Malley, and Fareed Fityan.