Defending your data
How secure is your data? Glenn Baker reports on data security issues faced by today’s business owners; the advent of online data management services; and strategies on how to safeguard business information.
No business owner wants to go through the trauma of having vital data stolen or compromised.
Today, the likelihood of that happening is much higher than 20 years ago. Before the Internet, if you’re old enough to remember, data security was all about keeping documents under physical lock and key. Then along came the World Wide Web with its nasty, destructive viruses. Email subsequently became the primary channel exploited by external hackers. Businesses were forced to deploy anti-malware products and exercise extreme caution when opening attachments, in order to mitigate the majority of threats.
In recent years, the threat landscape has altered drastically. The web is still the attack channel of choice for cyber criminals – but they are increasingly stealthy, motivated by profit and highly skilled in web tricks and techniques. A business’s data defence arsenal now requires much more than just anti-malware software.
Data security has become a complex issue for business owners – and to focus on the important messages, we thought it best to talk to some of the leading industry players.
Cliff Ashford, from data mining specialist Datamine, has the title ‘geek’ on his business card and emigrated from the UK 18 months ago – where he worked with a number of large telcos. There, he says, the attitude was often that data security was someone else’s problem.
“It was the blasé approach to things I found most horrifying – such as employees creating a data spreadsheet and then emailing it to someone. Or important data ending up on a laptop, which then gets left on a train. That sort of thing is inexcusable.
“Companies must formulate a security policy and push it to all employees,” he says. “They also need to remember that people will always make mistakes, and accidents happen, so they need a policy that is ‘fault tolerant’.”
Whenever or wherever data is being transferred, there is potential for problems, says Ashford. USB sticks in particular can compromise security, as they are easily misplaced.
“If you absolutely have to move data by hand then a memory stick with embedded encryption such as an Iron Key would be advisable.”
But he says password encryption is weak by definition. “There seems to be a general lack of appreciation and awareness for encryption programmes, with many people regarding it as a ‘black art’.” He recommends PGP (Pretty Good Privacy) encryption, and not just because it’s pretty good.
“PGP is powerful and easy to install – and it can be completely seamless once installed,” explains Ashford. “It can be integrated into all your communications or on a file-by-file basis. It’s especially important when sending attachments via email or if you’re distributing sensitive information.”
Another recommendation is to be selective in any transfer of data. “Only transfer data you need – not all of it. Filter it down so you only have the data you want to work with – if you don’t need addresses, for example, don’t transfer them,” recommends Ashford.
“Track your data – know exactly where it is. Make a register of where files are.”
The ideal data security strategy is one where data resides on servers, not on the desktop, he says. If you’re going to email data, make sure it’s encrypted; and ensure you have a regular backup strategy and that it is regularly tested.
“Get a third party to carry out a security audit. You can’t do it yourself, because there’ll be blind spots you’ll miss.”
For data security to be effective, Ashford adds, everybody in your business must raise their standards, and all your ‘pipes’ to suppliers must be secured. No excuses.
To make your strategy even more ironclad, you might like to have a strict password policy, he says. He suggests three levels of security, so your password on the most important files is rarely used and can’t be picked up by key loggers.
Information explosion
Despite 2009 being a tough time for world economies, the information economy still managed to boom. The amount of information created and copied in the world grew by 62 percent last year alone, reports Robin Whitaker, country manager for EMC. “And by 2020, the amount of information that needs to be protected, but isn’t protected, will equal the total amount of information created in 2018.”
The point is that the volume of digital information generated by businesses will continue to grow, as will the options for storing and securing it. Policies and guidelines need to be implemented now to deal with this increase.
Whitaker says a major problem is the tendency for people to think only of firewalls and perimeters when thinking about data security – when 80 percent of threats actually come from inside the firewall.
“Today’s firewalls do a pretty good job of stopping outside threats; it’s people inside your organisation who already have access to your information that you have to be wary of,” he says.
Information carried around on memory sticks is one concern, Whitaker says, and a recent study also highlighted the practice of key executives forwarding emails to their Gmail account so they can read them away from the office. “This is sensitive information, and once it has left the building, the organisation has no control over it.”
Whitaker says another issue is that many organisations have no data lifecycle management. “As data ages it needs to be stored on less critical infrastructure. The infrastructure must be tiered so data can go on a tier to match its importance.”
He is staggered that many large organisations still use “1960s technology” for their main disaster recovery. He is, of course, referring to tape. While the technology has improved since the 60s, Whitaker is still concerned at the reliance on it, despite its cost and its limitations on access. “It can take hours, days, even months to recover data.
“There is also a lot of duplication happening with tape – and that adds significantly to costs.”
Whitaker says a modern data backup strategy should see data stored online, data that’s easily transferred, and data management that alleviates all the issues traditionally associated with tape.
He says relatively new de-duplication technology makes life much easier too.
Cyber threats rising
In June, Symantec released the results of its survey on security trends and behaviours of SMBs in Australia. It revealed that 56 percent of respondents had been affected by a cyber threat in 2009 – up from 46 percent in 2008. New Zealand figures are expected to mirror this.
Symantec attributes the increase to the growing volume and sophistication of cybercrime attacks, smaller IT budgets and the reduction in respondents with policies to guide staff on safe Internet security practices – that’s a real worry.
Steve Martin, director SMB, Pacific region for Symantec, believes that small business owners in particular struggle because they have so much on their plate just running the business. They often rely on external resellers or someone with limited IT knowledge to advise them on security matters.
“Data security technology can be complex and there are so many risks and exposures to think about,” says Martin. “This is why we launched our Protection Suite – so business owners can address all the risks with a single solution.”

The Suite’s four main components are: endpoint security (installs on PCs and servers); anti-spam technology for email servers (there’s also a cloud option); automated desktop and laptop backup (to an internal server or URL); and the same safeguard functionality for servers. In short, this product thinks of everything, so you don’t have to. Furthermore, says Martin, “it makes it so simple for SMBs to recover data in the event of a systems failure or loss of device”.
Incidentally, hardware and disk failure are the biggest causes of data loss – this was another clear message from Symantec’s Australian report. 15 percent of businesses had lost data in the past 12 months that they couldn’t recover and five percent didn’t know if they had lost data at all. The primary reasons for the loss were hardware failure or systems corruption at 58 percent; lost or stolen devices (12 percent); virus infection (11 percent); and physical break-ins and natural disasters at seven percent each.
Social networks are the latest security threats for business owners. 31 percent of the survey respondents saw it that way – and the number of those unsure about this threat doubled. So there is awareness, it’s just that people don’t fully understand the implications.
The online factor
You can’t talk about data security strategies without also covering data storage management. Today the major talking point on data storage is the outsourcing of backup services to ‘the cloud’. There are many benefits. To quote local service provider Worry Free Online Backups (www.worryfree.co.nz), benefits include their ease of desktop installation and management. Many backup services are automated – so it’s a case of just setting and forgetting – backup frequency can be every half-hour if that’s what you need. There’re no capital costs either – no tapes, drives or backup software. It takes the worry and tedious repetition out of the equation.
Datamine’s Cliff Ashford is not completely sold on the concept, but acknowledges that the automated nature of these services removes the responsibility for backups from staff.
He warns that online storage and backup doesn’t solve data security issues – it needs to be backed by the solid security processes outlined earlier.
One company that is a global leader in cloud based backups is Symantec. Steve Martin says it has 12 million customers worldwide, backing up some 55PB (one petabyte is the equivalent of 1000 terabytes) of data. He’s in no doubt that data storage is heading to the cloud. When SOHO users buy Norton 360 they automatically get 2GB of cloud-based backup, which they can choose to expand. Business users are following suit.
However, the challenge still remains, says Martin, when a server dies and multiple terabytes of data have to be brought back from the cloud. The answer may lie in virtual platforms.
As the next level of broadband width becomes accessible, data services will be delivered in their entirety from the cloud, he predicts.
EMC’s Robin Whitaker views the outsourcing of data services simply as entrusting the job to a specialist, while you focus on what’s core to your business.
He says key questions IT managers should ask themselves regarding outsourcing include: what are the business drivers and can we manage the lifecycle of our information? How are we managing the growth in data? How is it managed at branch level, and should we be centralising data storage?
Whitaker’s ‘pluses’ of outsourcing include cost savings and economy of scale; the capacity to handle peak workloads; the leveraging of data recovery services; the assurance of service level agreements; and the ability to handle growth.
The minuses? Just who has control and ownership of the information, asks Whitaker, recommending that it may be more comfortable to retain certain critical business data in house. He also cautions on the use of overseas-based cloud services, where there may be some conflict over whose laws govern what they can do with your data.
Whitaker sees consolidation combined with virtualisation as the key to improving data management efficiency and having the “right data at the right place at the right time”.
Remembering that 80 percent of data security threats are internal, EMC offers businesses a range of ‘data leakage prevention’ tools that can monitor and analyse data flow within an organisation. This software sits inside the firewall monitoring the network, and on end devices can allow/disallow certain functions – for example, prevent credit card information being sent to an email address.
The final word comes from Datamine’s Ashford, who says outsourcing data security and management can help protect intellectual property.
“When all of your data is stored and managed by members of your organisation, this IP may be jeopardised should a staff member move on; how do you ensure she/he will not divulge or act on sensitive information that they can access? And if your IT specialist suddenly became ill, would anyone know how to get the information out of your current system?”
There is also the issue of clutter, he says. With so much information, from so many sources, how do you sort through the deluge and provide the right access and reporting to the required business units?
“Specialist data management providers have the infrastructure to handle and house huge volumes of information securely and the ability to integrate varying sources for a single customer view. They will be skilled in sorting through a myriad of information and making sure that different areas of your business are getting the full benefits from, and use of, your company’s most precious asset.”
Glenn Baker is editor of NZBusiness.

