Who’s minding your data?

Kiwi business owners have traditionally been sticklers for detail when it comes to securing their businesses. They’ll stop at nothing to ensure that intruders can’t break into their premises – with security grates, bollards, monitored CCTV, patrols by the local security firm, and so on.
So it’s a little puzzling why these same business owners can be somewhat casual about securing their business data – if business data gets compromised, the fallout can be much more devastating than a simple stock theft.
Could it be that they’re not aware of the seriousness of the threats?
“Last year the FBI publically stated that revenues from cyber-crime, for the first time ever, exceeded drug trafficking as the most lucrative illegal global business, estimated at reaping more than $1 trillion annually in illicit profits,” says Guy Coles, VP sales APAC and Japan for Astaro. “This is a staggering statistic that cannot be ignored. The greatest threat to business owners is not taking the threat seriously and doing little or nothing. The concept of ‘I’m just a small business and they won’t come looking for me’ is a farce. Cyber crims don’t care who you are, your money and data is a good as anyone else’s.”
Business owners must wake up to cyber-crime before it’s too late. For many businesses it already is too late. According to Greg Boyle, Trend Micro’s APAC product marketing manager small business and SaaS, the biggest threats to data security are delivered through the Internet. And while 90 percent of companies in the Asia-Pacific region have anti-virus protection – 50 percent have still had their IT systems infected with malware (malicious software).
Forget the ‘good old days’ when people backed up onto floppies, and the only thing to worry about was a straight computer virus. The latest generation of ‘hackers’ steals information to make money, and would rather you didn’t know what was going on with your system.
“Nowadays ‘spear fishing’ or targeted attacks are what it’s about,” says Boyle. “There’s that criminal element constantly trying to gather personal information and then targeting those people to gain further data and potentially more profits.”
He says the lack of controls around the use of social networking sites such as Facebook, Twitter and LinkedIn are particularly alarming. Facebook offers up decent profiles of people and this information can be used to deliver malicious code to other people and actually look like its coming from a trusted source.
What does this have to do with your business data? It could be your staff that are accessing Facebook sites in their lunch break on your system – which puts your data, such as customer and financial information, at risk.
“The best policy,” says Boyle, “is not to put any information on a social networking site that you wouldn’t give to a complete stranger.” But that’s advice many people choose to ignore.

Attitude check
The major roadblock to data security for smaller businesses would seem to be the time factor. Boyle believes the typical small business owner is not IT security savvy and is flat-out trying to run a profitable business. “Spending money to make sure staff are not doing silly things over the Internet is not a top priority. And when there is a security breach and the IT seller or consultant gets involved, often it is too late.”
The attitude amongst business owners, he believes, is ‘yes, it’s important, but I don’t have time to worry about it’. If they understood the risk, perhaps they’d make the time.
Typically, as businesses grow from sole trader status, inadequate security policies or procedures are put in place. What you do online becomes not a matter of policy, but more a spur-of-the-moment decision by an employee, says Boyle.
A 2007 study by the Australian Government on PC security in small businesses revealed that the average data security incident cost the business more than $2000, and 75 percent of businesses surveyed had a security-related incident during the previous 12 months. This could involve losing a laptop, a USB flash-drive (many of which end up at the drycleaners!), prospect list, or having an entire hard-drive crash.
And it’s not just about infection, adds Boyle, it’s about the need to have a whole data protection strategy – and that includes your mobile workforce.
Together with external security threats, there is also a sizeable threat from staff and former employees and unintentional data loss through employee negligence which can have a financial and operational impact on a business, according to Greg Singh, principal security consultant for RSA Security. 
“Research shows six out of 10 employees take company data with them when they leave a business. Securing your data so it can’t be loaded to a data stick or emailed outside the company is a way that your business can manage and mitigate the risk,” he says.
Assess your security needs on what you cannot afford to lose, advises Singh, not on what you can afford. Consider what you have stored and, if the data were lost, what impact it would have on the organisation.
“The good news is you need secure only information that’s valuable on the open market such as financial and customer information – that’s the most sought-after and has the most serious repercussions for your business.
“We advise enlisting an IT specialist to help you locate high-risk data as he or she can deploy analysis software to find your important data. Once you can account for it all, group it and apply a security level – for example, low risk that can sit on a company server or high risk that should be encrypted.”

Addressing security issues
Singh identifies three of the more common security issues that SMEs need to address.
First, how secure are your passwords? How easy would it be for a third party to harvest them? “Consider implementing two factor authentication technology where the password automatically changes every sixty seconds.”
Second, wireless security – digital certificates ensure connectivity is limited to staff and authenticated users.
And thirdly, patches. “Software manufacturers regularly produce patches to stop hackers infiltrating users’ computers. Review your process around the management of patches. Consider who’ll have that responsibility within your business. Consider automating the process or introduce a monitoring system to rate security on the network,” says Singh.
Be proactive, not reactive, on your data security strategy, says ICONZ Group’s Praful Patel. “Largely, SMEs may have no idea how easy and manageable it really is [to protect your business] and that is where talking to their IT provider will be of greatest benefit.
“Breaches to IT security heavily impact on the confidence of consumers,” adds Patel. “This is very detrimental considering the increasing number of businesses that wish to transact online. For those that want to use mobile communications a VPN (Virtual Private Network) should be investigated.
“Data security should not be seen as an IT function but a wider business function; it shouldn’t be viewed as an added expenditure but rather a business initiative.”
Meantime, Trend Micro’s Boyle reminds us that the biggest threat to your data is your employees – either accidental or intentional. Controlling access to the web and getting your policy signed off by staff is vital. He recommends conducting regular audits to check staff awareness levels on security. “Set up a Gmail account and send an email to your staff – so it appears to come from an unknown source, and includes a link. See how many actually click on that link.”
Although it’s still early days, Boyle sees the SaaS/cloud “pay per usage” model as an ideal solution for SMEs email needs. “It takes the burden off your network and your users. 95 percent of email is spam – so if you can block spam before it gets downloaded, you’ll save money, storage costs and processing power.” He says Trend Micro’s IMHS (InterScan Messaging Hosted Security) service has seen 700 percent growth in the last 12 months alone.
SaaS provides scalability, Boyle points out. It’s a constant service that grows with your business. “And if you lose your Internet connection, you don’t lose any messages – they’ll automatically keep feeding into a queue and be delivered when you are back online.”
SaaS maintains continuity of business, he says, and service agreements should provide 100 percent uptime and 100 percent virus protection.

Secure backup & storage
When considering data security holistically it pays to review how, where and who you entrust your data for back-up and storage. One of the most interesting new trends is the emergence of online or ‘cloud’ data storage providers. Just as data in the form of tapes or hard-copies was (and still is) physically transported away from a business’s premises, so too does online and cloud services remove the onus away from the business owner to secure data on-site.
Derek Merdith, MD of firstservis, says storage is one of the most immediate, and apparent, benefits of cloud computing. Internet users already use cloud computing services to store their emails, photos and videos (think Google Mail, flickr and YouTube). He sums up the main reasons why the cloud is so attractive for storage:
• It’s easy. Most services can be accessed from a standard web browser and interface directly with a PC.
• As a consequence, data is freed from the constraints of one device and, if required, shared quickly and securely.
• Economies of scale means the cost per gigabyte of storage is much lower than physical devices.
• It’s better for the environment, because data is stored in fewer locations, in better controlled and monitored data centres.
• It’s more efficient, for example when Gmail gives you 25GB of storage they don’t physically allocate all of that to you, space is allocated dynamically when needed.
• It’s an automatic backup – data in the cloud is replicated and protected against disaster by the very nature of the cloud computing architecture.
Robert Wooler, whose company Data Vault Security is a relatively new player in New Zealand’s online data backup and storage market, believes there are many businesses still without a proper data backup/storage policy. He says companies, and even government agencies, are slowly heading the way of the cloud – “but New Zealand lags behind the rest of the world because we don’t have the same stringent laws regarding backups and keeping company data safe”.
Choosing a cloud-based service partner requires care, says Wooler – citing one major data backup provider in Australia that recently managed to lose thousands of files.
“Data Vault Security utilises a redundant [duplicated] system that covers everything from power supply to backup.”
Selecting a provider is all about trust – get testimonials, look for reputable clients. Is the solution easy to install and operate? Is there local helpdesk support? Are there other security products available from the same provider? Is capacity an issue? And who has access to the security passwords?
“The beauty of an online service is that if you lose your Internet connection, your data is still safe,” says Wooler. “Backups can be pre-timed so that it happens automatically in real-time while you’re working, and as frequently as you like. So if your system crashes, everything’s saved right up to the moment.”

Disaster recovery
What is your strategy to recover or restore your data in a worst case scenario? Have you ever tested your backups?
Unplanned events, such as fire and water damage, even for a short period, can be catastrophic. Overseas data shows that 70 percent of companies that suffer a major data loss will be out of business within 18 months.
This is why more companies are now partnering with business continuity specialists such as Plan-b. Not only does Plan-b have services to store and manage data securely for businesses online, should the worst disaster happen to your business, they have customer facilities and offices in Auckland, Hamilton and Wellington, as well as mobile business recovery units that provide temporary office and nerve centre facilities near your place of business.
Shaun Webber, GM of technical services at Plan-b definitely sees online as the future of data backups and storage. “Technology is shaping our view that data must always be available and downtime is just not acceptable.” He says there are many online backup solutions out there, but not all are cost effective and efficient.
“The two commonly hidden items around these basic solutions is the cost for communications (additional Internet bandwidth typically required) and the significantly reduced restore speed should a company want to restore data, as a significant number [of backup servers] are hosted in the US.” 
“Eventually all data will be available on disk, without the need for tape, but at present and in the near future there will still be a need for tape as it is a reliable, cheap storage solution,” says Webber. “There are a lot of studies, typically by online backup providers, showing that tapes are highly prone to failure. Being a company that has a service that actually recovers entire environments from tape every day we can comment that having a tape that is unreadable is almost unheard of.
“The time it cuts over will be when disk is cheap enough and technology advancements in minimising data storage improve to the point where the cost to store on disk for extended periods is cheaper than tape.” 
Glenn Baker is editor of NZBusiness.