The true cost of a data breach (Part Two)

Last week’s Cost of a Data Breach Study update had one particular statistic that stuck with me and to which I keep being drawn when discussing it with others. In the UK study, they discovered that where an organisation that suffered a breach had a Chief Information Security Officer (CISO) or someone with the equivalent level of responsibility in place, the cost per record dropped by an average of £18. I think the key word in the previous sentence is “responsibility”, for a few reasons.
Firstly, we have the increasing number of fines and penalties that can be applied to the individuals involved in failing to deliver against expectations. These have gone beyond the originally highly regulated industries and out into the broader business context. With the coming updates to EU legislation, it’s likely to get more attention in the boardrooms of Britain, not less.
Secondly, and contrary to popular thinking, stopping data loss and protecting an organisation’s key information assets goes way beyond using scanners to prevent credit card details being emailed out. Primarily, it’s not a technical problem; it’s a people-process-technology challenge.
In the past, I have heard references to people-process-technology being like a three-legged stool of which you can’t remove any without falling off! This can be considered a fair comparison but, for me, the ‘people’ part of this stool is the most critical starting point. People have negotiation skills. People have perspective. People drive change.
When it comes to the role of technology in stopping data loss, I view it as an exoskeleton for the people involved. That may sound a little sci-fi, but what they need to be able to do is say “this stuff is important, please tell me how it’s being used, where it’s going and who uses it”. Technology enables them to reach into network pipes with gigabits of data pumping through them. Technology enables them to piece together a process involving four employees and an outside contractor. Technology enables them to see that the HR director does not like using the VPN from his second home in the Cotswolds.
The reason I view it as an exoskeleton is that the knowledge of what’s important comes from the people involved, as does the appropriate response and the negotiation to get from where they are today, to a more secure future-state.
The relentless growth in information and systems shows we’re not moving towards a state where data loss won’t happen anymore. However, this report shows that if you put someone in charge with the responsibility and authority to make change happen when it does occur, the impact on an organisation’s bottom line is significantly reduced. I’m happy to predict that the gap between those that take it seriously and those that stick their heads in the sand will only get larger in the coming years.
Small businesses need to prepare for possible postal strikes

With the UK braced for a winter of possible postal strikes, we are urging small businesses considering paying bills online for the first time to stay safe and be aware of the potential dangers. Taking advantage of online banking is the obvious way to avoid being hit by late payment surcharges caused by cheques caught in the postal strikes. Yet for those more used to traditional bill payment methods, the world of online banking may seem daunting and full of potential pitfalls.
We recommend the following tips to ensure SMBs are confident they are browsing the web safely and that the postal strike poses no problems for those looking to make their regular payments with no interruptions:
Bank safely
If you use online banking, never do so on a public or shared computer or on a wireless network lacking security features such as a firewall. You might risk a hacker capturing your account and login information and stealing your money. Always type the Web address of your bank into the Web browser, never click a link from an email.
Online bill payment
Begin any online payment session by making sure your security software is turned on, and is updated.
Use only known and reputable sites, as using an unknown web site can be risky. One way to increase safety is to make sure any page where you enter data such as your address or credit card number uses encryption. You can tell if it uses encryption by the Web address, which will start with “https.” Another thing to look for is the padlock icon at the bottom of the browser frame, which is intended to indicate that the Web site you are visiting uses encryption to protect your communications. Check company credit card statements regularly for unexpected transactions.
Safe Surfing
When paying bills always type the address into the browser rather than following links from email or from search engines. Criminals are now “poisoning” search engine results and leading unsuspecting people to fake sites. You can avoid clicking through to potentially unscrupulous websites by using an online security product with web safety warnings.
Ross Walker, Director Small Business, Symantec
Small businesses’ sloppiness could result in corporate ID fraud

Small businesses are being warned of the dangers posed by irresponsible disposal of sensitive materials. A survey commissioned by Fellowes, launched to coincide with National Identity Fraud Prevention Week, highlighted that 79 percent of businesses are risking corporate identity fraud by not destroying sensitive material they throw away or recycle.
And it’s not just hard copy material that is putting small businesses at risk. Data stored on computers and PDAs can also leave SMBs vulnerable to corporate ID fraud if IT security is not up to scratch. A recent survey from Symantec found one in four SMBs have suffered security breaches, with 13 percent losing money as a result.
People tend to think of ID fraud as a risk to themselves as individuals, but it can impact businesses, and SMBs are most at risk. Negating this risk needn’t be a daunting task; in many cases simple processes like regularly updating security software, firewalls and passwords are enough and don’t require deep technical knowledge or dedicated IT staff. However, it’s imperative these organisations understand how to take simple steps to protect themselves and limit any potential harm.
Recommended steps for SMBs:
- Put in place a security solution that is designed for businesses and will keep your critical information safe wherever it is used or stored (laptops, desktops, mobile devices, servers, in email, over the network, and in storage devices)
- Ensure you have effective and accurate anti-spam protection. There was a 192 percent increase in spam across the internet from 119.6 billion messages in 2007 to 349.6 billion in 2008 and tricksters are getting more creative
- Stay informed: Several companies publish reports that help define the threat landscape for SMBs.
- Have good reliable backup in place, and keep a spare copy in a secure place away from the office.
Abigail Lovell
A Strange Way To Look At DR

It is interesting how some companies define an acceptable disaster recovery strategy. I met with a bank in Saudi Arabia recently, who explained to me that they need to implement a complete DR plan in the next 4 months (!) from scratch. When I asked them to describe what needed to be implemented (i.e. their business goals), it turned out that “acceptable DR” to them was basically making sure that their critical data was in at least two places at all times.
Servers? Applications? People? “Nope, we don’t need to worry about any of that right now.”
Quite how this type of solution is going to help in the event of a disaster remains a mystery. Governance from on high only has a positive effect if it is well thought out in the first place!
Darren Thomson
Don’t let the recession blind you to disaster

A year after the UK’s worst floods on record, it is clear that businesses, as well as consumers, cannot take potential risks such as natural disasters lightly. In the same week we have seen the Government unveil its National Security Strategy. The news agenda is all about protection and prevention. The question is, has the recession blinded organisations to disaster recovery at a time when it has never been so important? The misconception is that DR has to cost the earth as an all-encompassing strategy. What it should be seen as is a see-saw: as you spend on DR plans, your operational efficiency should benefit. If you are smart you will not be going hell for leather on DR; you will be taking a structured approach, protecting your most crucial assets and tiering the rest in order of their mission-critical status. This multiple-layer approach means that you are protected without breaking the bank. It does, however, mean you need to make sure you have asked the right questions of your business and are testing regularly!
If disaster strikes and leaves a company’s databases, application servers and web servers out of action, it means a loss of £4,300 an hour. The global results of Symantec’s fifth annual Disaster Recovery survey demonstrate that executive involvement in disaster recovery activities has more than doubled in the past year (up to 67% from 33%), which is great. According to the study, the increase in involvement by executives is likely due to the significant cost of downtime and the importance of IT to business – as proven by the increase in the percentage of applications considered mission critical and their more stringent IT service level requirements.
However, with 93% of companies having to execute on their DR plans, testing has never been such an important issue, and it is here where the figures get scary. With the median cost of executing/implementing disaster recovery plans for each downtime incident worldwide standing at $500,000, it is clear that testing has to be a priority, but this year 35% of respondents reported that they only test their DR plans once a year or less! And with one in four tests failing, it is clear there is a dramatic need for improvement. The reasons respondents most often cited for not testing included:
- Lack of resources in terms of people’s time (48 percent)
- Disruption to employees (44 percent)
- Budget (44 percent)
- Disruption to customers (40 percent)
While the research identifies a significant improvement in terms of executive involvement, shorter recovery times and increased successful testing, we are troubled that some areas – including the impact of testing on customers and the backing up of virtual environments – have not improved or have even worsened. Organizations shouldn’t let DR testing cause significant downtime, especially when there are solutions available to address this.
Darren Thomson
50% of Small Businesses Don’t Back Up Their Data

Apparently, small businesses are more naive than consumers (which must take some doing). A recent study of small businesses reveals that small businesses are not frequently backing up their data. Nary the sound of an earthquake, nor the proverbial dog munching its way through another lame excuse. No, this time it is because we’re all too busy. Not having enough time is a leading cause of the lack of backup.
According to the survey, up to 50% of small businesses fail to back up their data on a daily basis. Even more alarming is that while 90% of small businesses claim to have a perfectly good policy for backing up data daily – they are just not doing it. Well, half of them do back up, but that half spend a considerable amount of time on the actual process of backing up their data. 64% of data creators in small businesses spend a minimum of 15 minutes on backup … or 65 hours per year … or nearly 8 working days.
If you are a small business where every person and every moment is critical to your business, any time taken to perform backup operations results in reduced productivity in core areas of the business. There is a strong demand for additional storage from both businesses and consumers, with a natural need to manage that growing capacity more effectively. This means that data and information management – in other words, an organisation’s ability to utilise its data more effectively – is critical to business operations. Organisations are creating and using data at an alarming rate, so IT organisations face pressure to accommodate the management of backups without significantly impacting staff productivity or staffing levels.
Even though it’s understandable that small businesses don’t perform daily backup operations and are spending too much on backup systems, it’s hard to believe that companies aren’t aware of the value and ease of up-to-date backup technologies. If 50% of small businesses are spending upwards of $4,000 per year on backup operations, it is easy to account for the loss of productivity and administration costs. If we accept (which we do) the importance of protecting our data effectively and quickly, then we need to find a simple but powerful backup system that can automate the task of protecting business data.
What you need is the ability to restore your complete Windows desktops/laptops in minutes: data, systems, the whole lot. Take an image of your laptops or desktops and store it in a central or local location. I keep all my laptop images in two places – centrally and on an encrypted portable device (just in case I do something silly when I’m on the road). The whole process can be automated through a simple policy-based interface … simple and hassle free. Cheap too!
Gareth Fraser-King
When was the last time you did a backup?

When was the last time you backed up your laptop? Do you know? It’s probably pretty embarrassing when you stop and realise all those things you’ve created could just go walkabout at any time.
Statistically, there is a laptop left in every single taxi every month in the major cities of the world … every month, that’s 4,350,000+ missing laptops this year worldwide. It makes you wonder where they’ll end up. Even more worrying, you are 22 times more likely to lose your phone than your laptop – which makes, err – you work it out – a lot of phones and PDAs going walkies too!
Although around 70% of the digital universe will be generated by individuals, not businesses … guess who’ll be looking after it? You guessed it; business and Public sector organisations have responsibility for the security, privacy, reliability, storage and compliance of all digital assets … including personal stuff.
And you’re telling me you haven’t backed up your laptop data for how long?
In the consumer world 1/3 of everyone has never bothered to back up anything and only 1 in 4 bother to do a backup regularly. Not only should we be protecting data from leaking (there’s a particularly good book on this “Data Leaks for Dummies” available at all good Amazon stores) out of our organisation and getting into the wrong hands, but we should be backing up our data to ensure we have a good chance of keeping our business running should a laptop get left on a train (as if … ?).
40% of us have lost data at some point … and that statistic is growing. Worldwide, consumers and businesses are going to create more digital information this year than in the previous 5,000 years. By the way, that represents three million times the information in all the books ever written (and currently we are publishing around 3,000 books worldwide – daily). That could also be represented by a stack of books from outside my back door to the Sun and back – 6 times; that’s 93 million miles x 12 = 1152 million miles for those who can’t be bothered to work it out. That’s an awful lot of stuff.
So this year your average CIO is focused on delivering business growth, cutting costs, managing complexity. But they are also being relied upon to ensure continuity of business processes (without hiccups).
Information remains our competitive edge, the answer to all our “recession-get-out-prayers”. But the growth of information is putting a considerable strain on IT infrastructures, so we must take steps to make sure we create secure, reliable, scalable and highly available information management infrastructures to handle the increased amounts of information that need to be stored and managed in the future.
So back the blooming stuff up!
Gareth Fraser-King
Why Wireless Isn’t

Even wireless networks depend on a wire of some kind. It might not be attached to your handset or computer, but somewhere along the communication chain there is a wire … and if that wire is severed … well … then there will be an outage. In a story from California earlier this week, sabotage was blamed for the severing of fibre optic cables, which resulted in outages for mobile phones, landlines and Internet services. So what? Well, companies need to be prepared for every eventuality in their disaster recovery / business continuity (DR/BC) planning, and nowadays that has to include communications.
Disasters don’t have to be on-site to affect you, and in the case of communication cables they can be a relatively long way away and still have an effect. By asking your service provider(s) the right questions you will be able to plan for an outage. Could you re-route the main switchboard through a different service? How about email? In the case of your datacentre, is it possible to have multiple Internet service providers, with different access points and cables?
IT is now a critical part of operational risk, and as such the scenarios and planning around potential disasters need to be re-examined. While this was a case of sabotage, more often than not it is a careless contractor digging up the road who severs cables … it’s better to be prepared for such an occurrence than not …
Business Continuity Failures Cost The UK £11 Billion

New research from the Business Continuity Institute has shown that overlooking risks costs UK firms around £11 billion. The issue they highlight is one of looking at suppliers, especially in the economic downturn. In essence, would your company survive if your key supplier went out of business?
They have also produced a nice simple survival guide to help weather the economic downturn. There are 18 self-assessment questions which will make you think through some of the issues – and might even nudge you into reviewing your Disaster Recovery / Business Continuity plans.
The State Of The Datacentre

Symantec has just released a new piece of research on the state of the datacentre. While much of the report is what you would expect – do more with less and go green, there are a few interesting indicators in there as well.
70% of companies outsource some tasks, primarily in order to give IT staff more time to concentrate on other things and to reduce cost. With all the talk of Software as a Service (SaaS) and cloud computing, this really points to it being a reality today, and with increasing functionality becoming available, it will only increase.
Training was also seen as being strategic and 80% see their training budgets rising or staying the same over the next two years. This is good news for all – with training, IT staff can remain up-to-date with the rapidly changing technology and increasingly complex IT environments they are having to work in.
Finally, Disaster Recovery (DR) is also in there, with only 42% of people thinking their plan was above average; furthermore, more than 20% said it needs work. Given how many natural disasters occur and that companies recognise that 25% of outages are from human error, I would have expected that DR would be in better shape. The introduction of new technology doesn’t help when it comes to keeping DR plans up to date, but it does need to be part of the consideration when looking at new stuff. After all, if it gives business benefit today and you suffer an outage tomorrow, where does that leave your business?