Data security: facts and fallacies

There are not many business owners out there today who’d be prepared to run their businesses without adequate insurance cover. Keeping your business data safe and secure is not just about covering yourself for catastrophic events such as earthquakes. There are many other factors to consider, not least of which is the ever-present risk of human error. Glenn Baker looks at some facts and misunderstandings surrounding data security.

There are not many business owners out there today who’d be prepared to run their businesses without adequate insurance cover. But I wonder how many have a data security plan in place and are sticking to it?
If Douglas Sumner’s observations are anything to go by, it would seem that many Kiwi businesses are indeed taking an almost ‘she’ll be right’ approach to the whole subject of data security. Sumner is sales manager of Computer & Network Solutions (CNS) – an Auckland and Christchurch based company that specialises in all facets of business IT support, including end-to-end data security. He’s worked for IT firms in the UK and Australia and believes that New Zealand companies treat the whole issue of data security with kid gloves. Service providers almost have to resort to fear tactics to scare them into taking notice, he says. A lot of this is due to the fact that there’s little understanding of data security threats by these business people. Not only that, they’re being held back on spending in this area by the ongoing economic recession and the need to maintain cashflows. They know they’re vulnerable, but they don’t think they can afford to do anything about it.
“Companies are aware of the importance of data security – but often there are other more pressing priorities to deal with. This attitude is dangerous,” says Sumner. As an example, he knows of one company running both PCs and Apples. “Our audit revealed that there was no effective firewall in place. If this company had been hacked into it would have gone down for sure,” he says. “The alarming thing is, some months after our audit they still haven’t made the necessary data security investment so the business is still just as vulnerable today.
“Our advice is to undergo an audit anyway,” says Sumner. Companies like his can project manage a data security plan over a long period of time – doing a little bit more as client budgets allow.

Backup facilities
Backing up your data can also open up your business to the risk of security breaches. Data Protect founder Mark Hayes knows full well some of the misunderstandings out there specifically relating to data backup and storage – and the online options.
“There is a misperception that taking backup means one should have their data stored in another device or external hard drives. But what people don’t realise is that these devices are always vulnerable to damage, as seen in the recent earthquakes. Therefore, the best practice to protect and ensure data availability in any crisis situation is to back up data online.”
Businesses in Canterbury that had already used online backup services were able to restore/resume their business processes within no time says Hayes.
“Another misperception is that online backup is more expensive and the same advantages can be achieved by backing up data into portable drives or backup machines. What people fail to realise is that this backup is kept in close vicinity or within the city. When disasters like Christchurch strike, having these backups won’t be of any use.”
49 percent of businesses are not sure if their insurance covers data loss, says Hayes. “A typical business insurance policy will not cover data loss; however there are specific policies that will cover any mishap of a devastating nature.
“Also, overseas online backup facilities offer very cheap and sometimes free backup options. Like anything, do your research. These businesses could be a server in someone’s garage. They are cheap for a reason. There’s no security and no telling where your data may end up.”  Business owners have been found short trying to chase failed backups when their main data goes missing, he says.

Cloud-based options: pluses and minuses
Are cloud-based data security and storage options the holy grail for businesses?
Data Protect’s Mark Hayes warns that some cloud-based options offer what are effectively online synching services. However, what they don’t realise is that the synchronization of data is not the same as backing up of data.
“The problem with those services is that they are not automatic and you are required to manually back up the files,” says Hayes. “As opposed to the solution we offer which is automatic and will note any changes you may have made to the file directory. So it takes the human error element out of the equation.”
Well-managed and highly secure cloud-based data security systems will reduce the liability risks of lost data or intellectual property, says Hayes. 
“These facilities known as ‘the cloud’ have already started to take huge chunks out of a market once cornered by traditional tape and analog-based data security systems. With the increase and investment in broadband infrastructure and speed in New Zealand we must take advantage of any and all benefits this [new technology] will bring. 
“Automation has been the natural progression of human development in the age of the cloud. Why risk data security and governance on a system which relies on remembering to back-up? If you are looking at maximising business recovery and continuity then look no further than New Zealand-based cloud facilities.”
Is it the holy grail? “No,” says Hayes. However, he adds that cloud-based data security facilities should form part of a business’s business continuity plan at the very least. 
“But, once again, anyone with a server can claim to be part of the cloud and offer cloud-based services – so there are a lot of things to consider. Security and access to your data should be a priority. In New Zealand tier 3 data centres are a must and should be a minimum requirement for clouds,” he says. “Check, check and check again.”

Of course there are many lessons that can be learnt from the Christchurch experience. A lot of business data was either lost or temporarily inaccessible due to hardware damage or failure – which caused major setbacks for many businesses.
“The recent earthquakes have shown that backing up data to portable disk drives and other storage mediums such as magnetic tapes and compact discs is not enough as these are always vulnerable to damage,” says Hayes. “A good plan is to have both physical and online backup so that should one fail there is a fallback, you can never be too cautious with your business data.
“If we can learn anything from Christchurch it should be ‘be prepared’. New Zealand is a small place, and disaster can and probably will strike.
“Thankfully we had data restored to our clients’ businesses as soon as they were ready to go.”
The feedback Hayes has been getting is that we can expect big growth in the data security market. “The quakes have made people sit up and realise that they can’t run their business if they do not have access to the data and files that drive it. The move away from physical files towards digital will only continue to drive growth.”

Addressing perceptions
Many small businesses may consider catastrophic events such as fire or earthquakes as the biggest risk to their data when, in fact, human error such as system misconfigurations can be their biggest threat.
“Unless you map the types of events that could affect your business to the potential frequency of it happening, you could be wasting a lot of money on securing yourself against something which is highly unlikely to happen,” advises Adrian De Luca, chief technologist for Hitachi Data Systems, Australia and New Zealand, “therefore ignoring a far more likely threat.”
High on the probability list are security breaches, virus attacks, maintenance disruptions and data corruption, followed by hacking, hardware faults, network problems, failed backups, power failures and, at the bottom of the list, natural disasters and terrorism.
The best place to start addressing your data security is by creating a security plan, says CNS’s Douglas Sumner, and never stray outside its boundary. “Partner with a company that can conduct a security audit and provide a total service. One that provides 24-hour remote or on-site data security, and has documentation in place that works.”

Glenn Baker is editor of NZBusiness.