Defending your data
How secure is your data? Glenn Baker reports on data security issues faced by today’s business owners; the advent of online data management services; and strategies on how to safeguard business information.
No business owner wants to go through the trauma of having vital data stolen or compromised.
Today, the likelihood of that happening is much stronger than 20 years ago. Before the Internet, if you’re old enough to remember, data security was all about keeping documents under physical lock and key. Then along came the World Wide Web with its nasty, destructive viruses. Email subsequently became the primary channel exploited by external hackers. Businesses were forced to deploy anti-malware products and exercise extreme caution when opening attachments, in order to mitigate the majority of threats.
In recent years, the threat landscape has altered drastically. The web is still the attack channel of choice for cyber criminals – but they are increasingly stealthy, motivated by profit and highly skilled in web tricks and techniques. A business’s data defence arsenal now requires much more than just anti-malware software.
Data security has become a complex issue for business owners – and to focus on the important messages, we thought it best to talk to some of the leading industry players.
Cliff Ashford, from data mining specialist Datamine, has the title ‘geek’ on his business card and emigrated from the UK 18 months ago – where he worked with a number of large telcos. There, he says, the attitude was often that data security was someone else’s problem.
“It was the blasé approach to things I found most horrifying – such as employees creating a data spreadsheet and then emailing it to someone. Or important data ending up on a laptop, which then gets left on a train. That sort of thing is inexcusable.
“Companies must formulate a security policy and push it to all employees,” he says. “They also need to remember that people will always make mistakes, and accidents happen, so they need a policy that is ‘fault tolerant’.”
Whenever or wherever data is being transferred, there is potential for problems, says Ashford. USB sticks in particular can compromise security, as they are easily misplaced.
“If you absolutely have to move data by hand then a memory stick with embedded encryption such as an Iron Key would be advisable.”
But he says password encryption is weak by definition. “There seems to be a general lack of appreciation and awareness for encryption programmes, with many people regarding it as a ‘black art’.” He recommends PGP (Pretty Good Privacy) encryption, and not just because it’s pretty good.
“PGP is powerful and easy to install – and it can be completely seamless once installed,” explains Ashford. “It can be integrated into all your communications or on a file-by-file basis. It’s especially important when sending attachments via email or if you’re distributing sensitive information.”
Another recommendation is to be selective in any transfer of data. “Only transfer data you need – not all of it. Filter it down so you only have the data you want to work with – if you don’t need addresses, for example, don’t transfer them,” recommends Ashford.
“Track your data – know exactly where it is. Make a register of where files are.”
The ideal data security strategy is one where data resides on servers, not on the desktop, he says. If you’re going to email data, make sure it’s encrypted; and ensure you have a regular backup strategy, and that it is regularly tested.
“Get a third party to carry out a security audit. You can’t do it yourself, because there’ll be blind spots you’ll miss.”
For data security to be effective, Ashford adds, it requires everybody in your business to raise their standards, and it requires securing all your ‘pipes’ to suppliers. No excuses.
To make your strategy even more ironclad, you might like to have a strict password policy, he says. He suggests three levels of security, so your password on the most important files is rarely used and can’t be picked up by key loggers.
Despite 2009 being a tough time for world economies, the information economy still managed to boom. The amount of information created and copied in the world grew by 62 percent last year alone, reports Robin Whitaker, country manager for EMC. “And by 2020, the amount of information that needs to be protected, but isn’t protected, will equal the total amount of information created in 2018.”
The point is that the volume of digital information generated by businesses will continue to grow, as will the options for storing and securing it. Policies and guidelines need to be implemented now to deal with this increase.
Whitaker says a major problem is the tendency for people to only think firewalls and perimeters when thinking data security – when 80 percent of threats actually come from inside the firewall.
“Today’s firewalls do a pretty good job of stopping outside threats; it’s people inside your organisation who already have access to your information that you have to be wary of,” he says.
Information carried around on memory sticks is one concern, Whitaker says, and a recent study also highlighted the practice of key executives forwarding emails to their Gmail account so they can read them away from the office. “This is sensitive information, and once it has left the building, the organisation has no control over it.”
Whitaker says another issue is that many organisations have no data lifecycle management. “As data ages it needs to be stored on less critical infrastructure. The infrastructure must be tiered so data can go on a tier to match its importance.”
He is staggered that many large organisations still use “1960s technology” for their main disaster recovery. He is, of course, referring to tape. While the technology has improved since the 60s, Whitaker is still concerned at the reliance on it, despite its cost and its limitations on access. “It can take hours, days, even months to recover data.
“There is also a lot of duplication happening with tape – and that adds significantly to costs.”
Whitaker says a modern data backup strategy should see data stored online, data that’s easily transferred, and data management that alleviates all the issues traditionally associated with tape.
He says relatively new de-duplication technology makes life much easier too.
Cyber threats rising
In June, Symantec released the results of its survey on security trends and behaviours of SMBs in Australia. It revealed that 56 percent of respondents had been affected by a cyber threat in 2009 – up from 46 percent in 2008. New Zealand figures are expected to mirror this.
Symantec attributes the increase to the growing volume and sophistication of cybercrime attacks, smaller IT budgets and the reduction in respondents with policies to guide staff on safe Internet security practices – that’s a real worry.
Steve Martin, director SMB, Pacific region for Symantec, believes that small business owners in particular struggle because they have so much on their plate just running the business. They often rely on external resellers or someone with limited IT knowledge to advise them on security matters.
“Data security technology can be complex and there are so many risks and exposures to think about,” says Martin. “This is why we launched our Protection Suite – so business owners can address all the risks with a single solution.”
The Suite’s four main components are: endpoint security (installs on PCs and servers); anti-spam technology for email servers (there’s also a cloud option); automated desktop and laptop backup (to an internal server or URL); and the same safeguard functionality for servers. In short, this product thinks of everything, so you don’t have to. Furthermore, says Martin, “it makes it so simple for SMBs to recover data in the event of a systems failure or loss of device”.