Data Loss Protection
What can you do to protect your data, who is responsible for your data and what can you do when the unthinkable happens?
This article aims to provide more than just answers to these questions; it aims to stimulate awareness of the simple procedural steps that any company can take to protect its data.
We say “any company”, but what we really mean is “any individual”, because it only takes one person to change the culture of most businesses towards data security. It only takes one person to say “Don’t bury your head in the sand”.
Since the start of commerce the challenge has always been to protect the Golden Hen that lays the Golden Eggs. Without that successful production method, service or product there is no business, so protecting that recipe for success has always been key.
Initially these techniques, skills or recipes were passed on as word-of-mouth secrets, but soon a permanent record of the secret was required. Eventually it was not the divulgence of the secret that cost businesses their standing in the marketplace but rather the loss of records about their debtors. The loss of some simple records could lead to companies going out of business. Better records were kept, and with the computer age came electronic records. With electronic records came the potential for data loss.
Typical causes of data loss are:-
- Accidental deletion
- Power failure
- Power spikes (sudden increases in mains voltage)
- Physical damage to data storage devices
- Loss of data device (fire, flood, theft, accidental loss of physical device)
Let’s look at these causes
You may say “it was an accident”, but if you apply root cause analysis to the actual series of events you will find that accidental deletion usually occurs because of one of the following:
- High work pressure/deadlines
- Lack of procedures
- Lack of training
There may be other causes, but these three head the league table. Of these three the most unforgivable for any company is lack of training, followed by lack of procedures and then pressure and deadlines.
Lack of training is the most unforgivable because it is the company’s responsibility to ensure that its staff have all the tools needed to complete the tasks to which they are assigned efficiently and safely.
Lack of procedures falls into the same category: it is the company’s responsibility to have good work procedures in place.
The worker would probably disagree and say it was the pressure they were under because of the deadline. In fact that is the worker’s responsibility: the pressure they feel is their pressure, their emotion, controlled not by external forces but by them. If you as an individual agree a deadline with someone then you have accepted that time period. If it was insufficient then it was up to you to alter or extend it.
But what has this got to do with Simple Data Security? Everything. Yes, we will come on to backups and cloud storage and all the other things, but unless you can address the common causes of data loss then someone will be spending a lot of time recovering lost data from those backups. Again that time is money.
Some areas of the United Kingdom suffer more than their fair share of interrupted power supply, usually caused by lightning strikes on power lines or by equipment failure. Business-critical computer equipment should be connected to the mains supply via an Uninterruptible Power Supply (UPS). These battery backup devices are relatively cheap and last for several years.
You can liken a UPS to a laptop’s battery: when the mains supply is removed the computer can run on the battery until that battery runs out (which is not how a UPS should be used, by the way).
When a power failure happens, the computer continues to run on the UPS allowing the user to perform a graceful shutdown of the computer. A good UPS will have a cable connected to the computer that allows the UPS to send a “shutdown signal” to the computer when the battery reaches a critical level. This is particularly useful for servers that are usually running 24/7.
Power spikes occur for a multitude of reasons and can damage computer equipment. An adaptor or an extension lead with built-in “surge protection” can protect computers from damage that might otherwise occur. UPS devices often have outputs with surge protection built in.
Physical damage to storage devices is one of the most common causes of data loss experienced by our clients. Unfortunately the damage is often “accidental” (again, some care and thought would remove the cause).
Laptops with trailing mains cables, or left where they are a trip hazard, are common reasons for laptops demonstrating the law of gravity. More frightening, though, is the lack of care many people show towards technology.
As an example, I repaired a laptop that had suffered a catastrophic data loss due to a failing hard drive. Having replaced the hard drive and taken over 30 hours to recover the majority of the data from the failing drive, I met up with the customer outside his workplace.
He asked what had caused the drive failure and I explained that it could be a number of things, but that common causes were poor storage of the laptop, rough handling of the laptop and component failure. I went on to explain that in a computer the disk spins at 7,200 RPM and in a laptop the speed is usually slower at around 5,400 RPM; there is a read head that travels across the surface of the disk with a separation between the head and disk so small that you could not fit a molecule of smoke between them. If the laptop is switched on and experiences a knock then that could cause physical contact between the read head and the disk.
The laptop owner made noises indicating wonder and amazement, took his laptop and tossed it onto the back seat of his car!
Loss of a data device
In 2012 people left some amazing things in London Black Cabs:-
- 27 Toilet Seats
- 4 Sets of false teeth
- 3 Dogs
- 2 Babies
- 1 Cat
- 1 Pheasant
- Funeral Ashes
- A dead body
- Over 75,000 mobile computing devices
Those devices can hold 10,000 photos, 100,000 emails and 200,000 documents!
We have focused on the top causes of data loss, but they are historical causes; they are not the top risks to data at this moment in time.
The top 10 Risks
- Stealth installs
- Data interception
- Direct attack
- Call hijacking
- VPN hijacking
- Session hijacking
- Device hijacking
These risks cannot be covered in any depth within the scope of this document but you should be aware that having inadequate IT data protection can result in data loss just as surely as physical loss or theft of a device.
However, we will address all of the above issues within the Solution Description below.
The solution is not a single piece of software, nor is it a single procedure; the ideal solution is a strategy.
Here are the key elements which will be expanded upon below:-
- Cloud backup
- Remote monitoring and support
A company concerned about its data should have a robust IT Policy Document. It should cover acceptable use of company IT equipment, removal of data from site (USB memory, laptops etc.) and also a trend that started in 2012 and has become almost accepted behaviour in some types of business: Bring Your Own Device (BYOD).
BYOD is one of the biggest threats to data security. With the prolific acceptance of smartphones and the use of uncontrolled Wi-Fi access within companies, personal phones are being used on the company’s network. The risk is massive, not only from the viewpoint of data removal and loss but also because viruses that do not affect the smartphone can find their way onto the company network.
When we say uncontrolled Wi-Fi we accept that companies are using secured networks; we are actually referring to the wireless key being common knowledge within the company.
This is often the case because visitors to the organization are provided with Wi-Fi access should they need it, and this often happens with no thought about the potential transfer of unwanted malware across the network.
The policy document should contain a section on access to the network by non-company computing devices and in particular the sort of virus scan that should be run on the machine prior to connection.
The subject of educating staff is enormous; however, staff should be made aware that security is the business of everyone in the company and that they are just as culpable for a breach as senior management.
Education also covers educating users on the applications used within the business. Why? It’s not just about the simple everyday uses of applications like Word or Excel; learning how to put together a professional and memorable PowerPoint presentation can make the difference between winning new business and laying off staff.
Companies with a formal training program are 11.4% more productive and profitable than companies without one. They are also much more likely to retain important employees.
Providing professional training solutions is a lot simpler and less costly than most companies expect. A new breed of online training companies has produced large amounts of video training content broken up into easily absorbed 10 – 15 minute sessions that ensure users can not only learn from almost anywhere (even on tablets or mobile phones) but are also trained in an entertaining way that helps subject retention.
Layers of security are essential to protect anything of value. For example, in an office building the first layer of security is the site perimeter, followed by the building’s security, then reception, an office, a filing cabinet and a folder index before you reach a file.
In data security we also build layers of security and often liken those layers to an onion with multiple layers of security before you reach the data at the core.
A physical firewall consists of a piece of hardware connected between your computers and the outside world. A set of rules restricts access to your network and also denies access from your network to dangerous locations on the internet. Firewalls can cost a lot of money, but in recent years several manufacturers have repositioned themselves to serve the home user protecting the family and the Small Office/Home Office (SOHO) user as well as the traditional SME and enterprise clients. With prices starting at under £200 there is little excuse not to use a dedicated hardware firewall these days. These systems have their rules updated in real time, ensuring maximum protection for users.
By the way, Windows has a software firewall built in, but its rules are seldom updated and it usually allows connections unless you tell it otherwise. This means that the majority of computers, although using a firewall, are only protected at a very basic level.
Anti-Virus and Anti-Malware solutions abound on the internet and in the stores. Each year these solutions are tested independently and ranked according to their success in blocking infections. This information changes year on year, so the best solution last year may not be the best this year.
However, there can be more to the right solution than meets the eye and these results are not everything. Some of the best solutions out there rank well (but not top) in the tests but are better for the customer for less obvious reasons.
There is no one anti-virus program that can protect you 100%; in fact there are more viruses out there in the wild that have yet to be identified and classified than are already known about! That means that the chance of getting a virus still exists even with the best software. Very few Anti-Virus providers offer a guarantee, but a very small number do. In fact the best of these recognised that you can never protect a computer completely, and so they will compensate you financially (up to a maximum limit) and fix the problem remotely, just for purchasing their solution. Always take advice from a professional on Anti-Virus and Anti-Malware solutions before you spend your hard-earned cash.
Cloud solutions abound on the internet but again, like Anti-Virus software there are some considerations that may not seem obvious at first.
Take for example the solution that seems to offer lots of storage for a very reasonable price: they say that the data is encrypted before transmission and then encrypted again at the data centre. Sounds OK, but there are two questions that many people never ask: “Where is my data being stored, and how is it routed there?”
People automatically assume that the data is stored in the same country as they are in, not so in many cases. This is of particular importance to the medical, legal and financial world as well as Governmental departments and those undertaking work for those organizations.
The routing of data is also critical. If that data is stored in the same country as you but on its way to the data centre it leaves your country and comes back in (after all, the data travels over the internet), then you have defeated the object of storing it in your country.
The data should be encrypted on the source computer, encrypted prior to transmission and again at the data centre for complete peace of mind. Most data centres are mirrored elsewhere (at another data centre or at several) to ensure redundancy.
Of course having a set and forget automated backup is great, but unless it is monitored by someone and tested on a regular basis you may be in for a shock when you do lose a file. Always check with a professional and don’t be afraid to ask how often backups are tested.
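As an added example (not from the original article), this is the kind of restore test the paragraph above calls for: it backs up a constructed sample folder, restores the archive into a scratch directory and compares SHA-256 digests against the live data, so a stale or incomplete backup is reported rather than discovered on the day a file is lost. The folder contents, the archive name and the Python helper names are all assumptions made for the demo.

```python
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative path) to its SHA-256 digest."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def make_backup(root: Path, archive: Path) -> None:
    """Write a compressed tar archive of root, standing in for a nightly backup job."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in root.rglob("*"):
            if p.is_file():
                tar.add(p, arcname=str(p.relative_to(root)))


def restore_test(archive: Path, live: dict[str, str]) -> tuple[bool, list[str]]:
    """Restore into a scratch directory and compare every file with the live manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            # Use Python's safe extraction filter where this interpreter provides it.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(dest, **kwargs)
        restored = manifest(dest)
    problems = [f"missing from backup: {p}" for p in live if p not in restored]
    problems += [f"differs from live copy: {p}" for p in live
                 if p in restored and restored[p] != live[p]]
    return not problems, problems


def demo() -> tuple[bool, bool]:
    """Constructed sample data (assumed for the demo): a fresh backup passes, a stale one is caught."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "company-data"
        (src / "accounts").mkdir(parents=True)
        (src / "accounts" / "debtors.csv").write_text("customer,owed\nacme,1200\n")
        (src / "quote.txt").write_text("constructed placeholder document\n")
        archive = Path(work) / "nightly.tar.gz"
        make_backup(src, archive)
        fresh_ok, _ = restore_test(archive, manifest(src))
        # A file edited after the backup ran: the restore no longer matches the live data.
        (src / "accounts" / "debtors.csv").write_text("customer,owed\nacme,0\n")
        stale_ok, _ = restore_test(archive, manifest(src))
        return fresh_ok, stale_ok
```

Scheduling `restore_test` against the real archive after every backup run turns "has anyone tested the backups?" into a logged yes/no answer.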
Most businesses use less than 20 GB of data for their standard backup, and most common files, like Word documents, are compressed with a saving of up to 50% in the storage of the file. As a result even quite large data files can be stored without exceeding the basic limit.
What do you think so far?
Constant Monitoring is Critical
Data can only be protected by using layers of security, training your staff about data storage, loss and their responsibility as an employee towards the safe keeping of company data.
Security should be thought of as an onion with multiple layers; an old adage springs to mind, “belt, braces and a piece of string”. Don’t rely on any one solution (except with anti-virus, where you can only have one per computer).
Staff training will help you improve productivity and loyalty, reducing the chances of data loss; when staff care about the company they care about what they do.
Backing up data is a necessity, but testing the backups is essential. When you have a dedicated IT team they will take all the concerns about backups and data away from the day to day running of the company.
If your data has to stay in the UK (or whatever country you operate from) then make sure your data never leaves the country and that the data storage, likewise, is in your country.