Best Practices for Protecting Critical Business Data
Data Overload: A Fact of Business
Information abounds. Technology, globalization and a heightened regulatory environment are all helping to produce growing numbers of boxes and bytes of information. Companies once only needed to worry about their data center, or a centralized location of their vital business records. Now, they must account for remote severs, desktop PCs, laptops and handheld computers, all of which might contain customer phone numbers, a transaction log, or even details about a new product.
Protecting this information is critical to a company's success and to defending it from unforeseen disaster. The key for any organization - regardless of its size or the industry in which it plays - is to implement a data protection program that mitigates business risks, reduces costs, increases compliance, and helps improve overall business service levels.
Managing Cost and Compliance
When data is not properly protected, businesses leave themselves vulnerable to more than just the potential for data loss. Remaining unprotected could cost companies money, either in the form of "hard" costs, like fines levied for non-compliance, or "soft" costs in missed business opportunities. An effective defense strategy can minimize these costs by ensuring data is well organized and readily available in a way that optimizes business objectives.
Increased cost is not the only concern. Businesses today must comply with a growing number of government and industry-specific regulations. For example, organizations handling medical information must adhere to the Health Insurance Portability and Accountability Act (HIPAA), financial organizations must address Security and Exchange Commissions (SEC) 17a-4 rule requirements and organizations of every industry are bound by Sarbanes-Oxley (SOX).
Effective Data Protection and Recovery Strategy
The reason for backing up data is to be able to recover that data in the event of a disaster, failure, or loss. An effective strategy should focus on minimizing risk to data by getting it off-site, offline and out-of-reach.
Doing this keeps data secure and prevents it from falling into the wrong hands, which has become a large issue for both centralized and decentralized information. Backing up and protecting data also supports specific compliance objectives for different data types and different industries. Lastly, the strategy needs to encompass all critical data to support both centralized and distributed environments.
More and more companies utilize a mobile and remote workforce, creating a greater geographic dispersion of data. It is not only imperative to understand where all the critical and sensitive information resides, but to make sure it is backed up consistently and securely for a timely recovery.
Data availability is a key issue today. Many businesses demand 99.9999% uptime, or close to it. In other words, they require that users - and business applications - have access to critical information around the clock. In this environment, unplanned data outages are not an option. A solid data protection strategy (like one that provides RaaS disaster recovery options) ensures accessibility and availability of that data whenever and wherever it is needed, to get the business running again.
Protecting Back-up Data
Implementing a secure data protection strategy requires planning and preparation. Getting started begins with developing the strategic policies concerning what data needs to be protected and then identifying that data and any copies of it within the enterprise storage environment.
The next step is selecting the most secure method for protecting the most critical data. This could mean electronic vaulting or data encryption. With any approach, the management process around secure data protection needs to be addressed. The standard operating procedures governing security of data at rest must contain a metrics base that tracks not only completion and compliance, but also the logistics management of both the physical data container and most importantly, the encryption key itself.
Finally, everyone who manages, administers or operates IT infrastructure needs to become security conscious. Data protection security is as much a culture of awareness as it is a corporate policy directive. To truly protect the organization's critical data, continuous focus on culture, practice and control is imperative to a successful, secure data protection strategy.
Develop a Data Protection and Recovery Program
When developing a program, adopt a multi-layered approach for the data and storage networks:
- Authentication: Apply multi-level authentication techniques
- Authorization: Enforce privileges based on roles and responsibilities
- Encryption: All sensitive data should be encrypted when it is stored or copied
- Auditing: Logs of administrative operations by users should be maintained for traceability and accountability
Relying on a single copy of a file is never a good idea. A good practice is to perform nightly backups onto removable media and then ship those tapes off-site with a trusted third-party so they are protected and available for recovery in the event of a disaster. Getting the media off-site and into a secure facility will also protect it from unauthorized access and potential tampering.
Companies should employ a tight end-to-end chain of custody to know the location of their backup media at all times to ensure security. Removable media like backup tapes should be affixed with barcodes and placed in locked containers during transportation. Barcodes enable the media to be scanned in and out of the company as well as the facility where it is stored. This also allows companies to generate daily reports for media being sent off-site and those scheduled for return.
More and more, business data resides at remote sites, on desktop PCs and on laptops-it is critical to backup and protect this data. Most remote sites do not have a dedicated IT staff, leaving the backup process full of holes because it does not happen regularly and is typically incomplete. These issues leave data vulnerable to unauthorized users, theft and loss. To protect information on employees' computers, consider technologies like electronic vaulting, which provide a secure and automated solution to backing up and protecting distributed data.
Lastly, once media reaches a point of uselessness, that media must be properly destroyed. This includes scrambling, de-gauzing and even pulverization. Destruction is best performed by a third party that can provide a certificate of destruction, as many state and federal statutes and regulations require proper handling and disposal of records that contain personal information. However, destroying records that could be requested as part of a legal action against a company poses major risks to the organization. Understanding the regulatory and legal risks associated with not preserving "evidence records" is the first step to managing these risks, and is best handled by a third party who is more familiar with these policies.
Implement the Program
With a plan in place, it's time to implement-and communication comes first. Data loss and information theft are business issues, not IT issues. Therefore, every employee-from executives on down-should receive training on the risks and threats of potential data loss. This educational effort should include the investment necessary to defend data against unauthorized access. With this information, corporate officers can make knowledgeable, cost vs. benefit decisions on complete backup data protection.
Manage and Enforce
Implementing a program is only half the battle. Once it is up and running, the company must have a plan for periodically auditing employee compliance and revisiting the plan to ensure it remains current. Policy without adoption is meaningless. Employees must receive regular training and reminders of their role so that it becomes second nature for them. And the best-practice approach maintains that the company budgets for program maintenance, testing and continual enhancement.
Test and Revise
It is important to regularly test both the backup and recovery functions of a program. Simulate various threats and scenarios like device issues, data classification issues and others that could affect the business. Enlist people less familiar with the process to measure plan clarity and to ensure functionality, if primary personnel are unavailable. Lastly, be flexible and change the program as the needs of the business change.
There was a time when companies only needed to worry about a centralized location of their vital business records. Now, they must account for remote severs, desktop PCs, laptops and handheld computers, all of which might contain personal or vital business information.
An effective strategy for protecting this information should focus on minimizing risk to data by getting it off-site, offline and out-of-reach. Additionally, the right plan ensures companies comply with broad and industry-specific regulations for managing that information. The key for any organization - regardless of its size or the industry in which it plays - is to implement a data protection program that mitigates business risks, reduces costs, increases compliance, and helps improve overall business service levels.
About the Author
Fred Engel is Senior Vice President of Engineering and CTO at Iron Mountain Digital.