Protecting your information assets
Thanks to cloud computing, storing and managing business data has never been easier or cheaper. So why aren’t all businesses doing it? Bill Bennett offers a guide to data security.
Thanks to cloud computing, storing and managing business data has never been easier or cheaper. So why aren’t all businesses doing it? Bill Bennett offers a guide to data security.
Data is central to modern business. It’s so important for knowledge-based companies that some never fully recover from serious data loss. If your business stores other people’s data, you are also vulnerable: New Zealanders are unforgiving about information leaks.
Even when information isn’t your company’s core business, losing data is disruptive and expensive to fix. Imagine where you’d be if all your bank details, invoices and customer records suddenly disappeared into a black hole.
Securing data is a two-part process. First, you need to minimise the risk of human error or an external attack. Once you have that under control, you need to think about getting things back on an even keel as quickly as possible should disaster strike. A good data security plan will take both into account.
The good news is that storing data safely and managing risks have never been easier or cheaper. Backup software is inexpensive, robust and straightforward to use. Hard drives cost next to nothing. You can, and should, consider making local and remote backups. Cost and difficulty is no longer an excuse for not making multiple copies of key files at various locations so your business can be back on its feet as quickly as possible.
It’s an area where cloud computing and managed services have already proved their mettle: companies using cloud-based tools were back online faster following the Christchurch earthquakes. It’s no accident security service providers reported a rush of enquiries about cloud services immediately following the earthquakes.
Christopher Russell, Australia New Zealand corporate sales manager for security software specialist Symantec.cloud told NZBusiness; “Even a very small business needs to have some kind of security plan in place.”
Yet, amazingly, many New Zealand businesses don’t. In its 2011 SMB Disaster Preparedness survey, Symantec found small businesses the world over are not taking the risks to their data as seriously as they should.
The survey, which included responses from 100 New Zealand companies, found the lack of planning is worse in smaller companies than in medium-sized ones. Overall half had a plan in place. Around one in six companies neither had a plan nor any intention to plan for data disasters.
Symantec said most small businesses don’t take action to prepare for disasters until after they have experienced loss from downtime. It went on to report this lack of preparedness “has significant impact on their customers and their business”.
Many small businesses fail to make regular data backups or protect their data from malicious attacks. Interestingly, Symantec said most of the small businesses with a plan in place have already been through a data loss.
Losing data is a problem for companies everywhere. However, according to John Kendall, Unisys’s security programme director for Australia and New Zealand, local customers are especially unforgiving when companies suffer consumer data breaches.
Kendall’s company asked consumers around the world how they would react if a company they did business with leaked data. He said New Zealanders had one of the strongest reactions with 80 percent saying they would stop dealing with the company online. A quarter of New Zealanders say they would go as far as halting their offline business as well. Almost half said they would go public telling others about the breach.
Kendall says Australia isn’t far behind, but there’s a particularly strong sense of personal security in New Zealand. The key point here is, if word gets out about poor data security, customers will walk.
As recently as a few years ago, data security was all about protecting local networks. Companies would put metaphorical locks on the doors where data and security risks entered the network and take measures to keep malware and snoops at bay on the inside. This mainly involved anti-virus and other anti-malware software, along with physical or software firewalls. Companies would also find safe and easy ways of backing up data from machines on the network.
Now, thanks to the boom in digital devices such as smartphones and tablet computers, as well as the increased mobility which sees workers log-on from home or other remote locations, an ever larger share of critical data isn’t necessarily on the local network. Suddenly it’s much harder to build a moat around the digital fortress and pull up the drawbridge. Today’s comprehensive data security strategies have to account for a range of mobile devices and multiple entry points.
It would almost be too hard to manage all this if it wasn’t for cloud-based security services. Instead of securing the physical point where data enters and leaves a network, cloud services located on a remote server sit between local networks or devices and the rest of the Internet. A properly configured and operated cloud security service will monitor all the traffic to all of your devices – a similar approach can handle remote backups.
It’s not just about writing cheques. Dealing with devices and security risks is as much about putting policies in place as buying tools or services. At the very least, workers need to know their responsibilities, what’s expected and what the implications of their actions could be.
You may need to consider encrypting data on devices and using products that allow you to wipe data remotely if a gadget is stolen or lost.
Experts also recommend something known as “two-factor authentication”. This is when you need to input both a password and a code that is generated to be typed in at the moment you are logging in. The second code is delivered via a separate device, it could be a text message on a smartphone or you may get it in an audio form as a voice call on a phone. It is extra safe because it means someone would need your computer, your password and your phone to steal data.
In the past companies would make on-site data backups, some would store additional copies of key files at a remote location in case of a site-wide disaster. Symantec.cloud’s Russell says this is exactly what happened last year when most of Brisbane was flooded. He says half of the city’s mail servers were underwater. This meant many companies were out of action for days – some lost all their historic data. However, he said workers for companies signed to Symantec’s email continuity.cloud service were able to log-on to Symantec’s remote servers via a web page and carry on using email as normal. He said they could connect from home or from iPhones, iPads and other mobile devices.
While it’s worth pointing out that companies using web-based email services such as Gmail have the same continuity in a disaster, the important point is that decentralisation reduces the chance of catastrophic loss.
Cloud computing may be relatively new, but it has already changed the face of data security. There are cloud services to protect your systems against risks and cloud storage services to manage backups and restoring systems. Christopher Russell says cloud services mean even the smallest company can adopt what he calls an “enterprise grade security posture”.
“By signing with a cloud service on a per-user basis you can leverage off a partner with high levels of security and skilled staff on hand to manage it.” He says partners can now provide all the components of a data security system, and recommends small business operators find a trusted partner with an offering that supports mobile workers and teleworking as well as company networks.
Russell says two other positives of cloud services are that the costs are predictable and are on a per-user basis – this means you know in advance how much it will cost.
Symantec is a major security brand with a global reach. Andrew Johnson, managing director of Manage Direct in Sydney operates a business that wholesales cloud security services to small-scale value-added resellers and computer support companies across Australia and New Zealand. He says his partners generally sell cloud security services to small businesses as part of a broader mix of managed services. In effect these arrangements see companies hire virtual CIOs (chief information officers) who then take responsibility to make sure systems work smoothly.
Johnson says one overlooked point about a good data security service is that the end-users don’t see anything. “They won’t see junk mails or viruses if they’re using our mail filtering.” He says his company’s MPaware service sits in the background until you need to check or find something.
Unisyss Kendall says managed services are especially appropriate for smaller businesses. “If you’re running on a lean staff, you don’t have the resources to search through security logs.” He says security requires a number of specialist skills and it is unlikely small outfits will have the kind of expertise a managed service can offer.
Some businesses can’t afford to stop even after a major disaster. For them there’s the data security ‘Full Monty’: comprehensive business continuity.
Auckland-based Plan-b promises its customers they can be back up and running with little interruption and minimal loss after a crisis.
When the Christchurch earthquake damaged the city centre in September 2010, Ryman Healthcare’s offices were inaccessible. A serious aftershock saw the company phone Plan-b and have its complete head office function replicated.
“We didn’t miss one payroll to staff, we didn’t miss one payment to suppliers and we kept up-to-date with everything,” recalls Ryman Healthcare CFO Gordon MacLeod. “We even managed to get our normal set of board papers out the door on time”.
Lastly, as Symantec’s Russell points out, data security is like taking out an insurance policy. You hope you never need it and you may even have second thoughts when paying the bills, but a small annual fee is nothing compared with the cost of putting a business back together again.
Bill Bennett is an Auckland-based freelance IT writer.
Email [email protected]