Information overload, data explosion and big data – terms we are now reading about on a daily basis. It’s no secret that the amount of information that businesses are dealing with today is huge, so huge in fact that the actual size is still difficult to grasp. But what does this mean to businesses today and should they be concerned?
Our recent State of Information survey found that an unimaginable 2.2 Zettabytes of information is stored by businesses. To try and put this in context, imagine filling the Empire State building with one page documents – 1,287 times – or getting every grain of sand in the world and multiplying the amount by 300.
And it’s continuing to skyrocket. In fact, over the next year information is expected to grow 67% for enterprises and 178% for SMEs. Yet for most businesses, storing all this data isn’t a concern anymore as it’s easy to increase storage space in the cloud. However, where businesses are still falling short is when it comes to effectively managing and securing all this data. The reality is that bad management is leading organisations either to spend far more than necessary on storing and protecting their information or, worse, to ignore the problem and do neither.
A key issue that has been identified is information sprawl – the overwhelming growth of unstructured information that is disorganised, difficult to access and often duplicated elsewhere. Companies believe that nearly half (42%) of their information is duplicated, meaning they are paying to store and manage much more information than they need to.
Information is core to businesses and it’s vital that they get up to speed and understand and classify the data that they need to hold on to so that they end up with a realistic amount to manage and secure. Not all information is equal and businesses need to separate useless data from valuable business information; making sure this is protected accordingly and any unwanted data is deleted.
Managing information well will not only improve efficiency and security but will in turn reduce costs.
It has nothing to do with the size of your inbox or shared drive or whether your competitive edge stems from a specific design blueprint or a secret ingredient. It could be that you have and need to keep reams and reams of customer information or maybe you simply have unique insight into a few key clients. It all amounts to information that defines your business. And it’s clear that companies value it – we know this from the results of Symantec’s recent State of Information survey that shows companies are spending a total of £714 billion[i] a year on storage infrastructure, security, compliance and access[ii].
In fact, the survey revealed that digital information makes up 49 percent of an organisation’s total value, so the loss of information is actually worth a lot more to a business – it would not be an exaggeration to say that you can’t really put a price on it. It is, after all, what keeps you in business. One IT manager at a large engineering firm said when asked about the consequences of losing the enterprise’s information: “We would have to fold our operations for at least a couple of years before we’d come back again.”
On average, the survey shows that enterprises spend £25 million on information, while SMEs spend £215,000. However, the cost per employee for SMEs is a lot higher at £2,383, versus £2,140 for enterprise. For example, a typical 50 employee small business spends £119,155 on information management, whereas a typical large enterprise with 2,500 employees would spend £5.3 million.
It’s clear the consequences of losing business information would be disastrous. Respondents in the UK highlighted the impact of data loss to their business including lost customers (48 percent), damage to reputation and brand (36 percent), increased expenses (36 percent) and decreased revenue (35 percent).
When you look at it like this, it’s money well spent.
- Storage infrastructure £201 billion*
- Security £210 billion*
- Compliance £192 billion*
- Access £76 billion*
*rounded to nearest billion, converted from US dollars using the current rate of 1.54.
Last week’s Cost of a Data Breach Study update had one particular statistic that stuck with me and to which I keep being drawn when discussing it with others. In the UK study, they discovered that where an organisation that suffered a breach had a Chief Information Security Officer (CISO) or someone with the equivalent level of responsibility in place, the cost per record dropped by an average of £18. I think the key word in the previous sentence is “responsibility” for a few reasons.
Firstly, we have the increasing number of fines and penalties that can be applied to the individuals involved in failing to deliver against expectations. These have gone beyond the original highly regulated industries and out into the broader business context. With the coming updates to EU legislation, it’s likely to get more attention in the boardrooms of Britain, not less.
Secondly, and contrary to popular thinking, stopping data loss and protecting the key information assets an organisation has goes way beyond using scanners to prevent credit card details being emailed out. Primarily, it’s not a technical problem, it’s a people-process-technology challenge.
In the past, I have heard references to people-process-technology being like a three-legged stool of which you can’t remove any without falling off! This can be considered a fair comparison but, for me, the ‘people’ part of this stool is the most critical starting point. People have negotiation skills. People have perspective. People drive change.
When it comes to the role of technology in stopping data loss I view it like an exoskeleton to the people involved. That may sound a little sci-fi but what they need to be able to do is say “this stuff is important, please tell me how it’s being used, where it’s going and who uses it”. Technology enables them to reach into network pipes with gigabits of data pumping through them. Technology enables them to piece together a process involving four employees and an outside contractor. Technology enables them to see the HR director does not like using the VPN from his second home in the Cotswolds.
The reason I view it as an exoskeleton is that the knowledge of what’s important comes from the people involved, as does the appropriate response and the negotiation to get from where they are today, to a more secure future-state.
The relentless growth in information and systems shows we’re not moving towards a state where data loss won’t happen anymore. However, this report shows that if you put someone in charge with responsibility and authority to make change happen when it does occur, the impact to an organisation’s bottom-line is significantly reduced. I’m happy to predict the gap between those that take it seriously and those that stick their head in the sand will only get larger in the coming years.
According to a recent Symantec survey, the majority of small businesses see virtualisation as a big priority for the future. Reduced overheads, more flexibility with IT as well as the ability to scale up and down as and when business needs dictate, are just some of the benefits SMEs cite when asked why they are considering it.
But a hunger for greater productivity and efficiency can’t come at the expense of information security. So while virtualisation can offer small businesses a clear route to bottom line benefits, it can also expose them to new risks.
As a result, any small business looking to take advantage of a virtualised IT environment needs to ensure that it is taking a robust approach to security to protect its data, just as it would if it was hosted on on-site servers. Antivirus, disaster recovery and firewalls are as crucial to maintain and deploy on virtual servers as they are anywhere else.
But SMEs needn’t be put off virtualisation because of potential risks. The following can help make the transition to a virtualised environment safe and secure:
- Have a clear strategy: Understand what it is you want to achieve from virtualising elements of your IT. Working with an external consultant can give you a fresh perspective on this. Once you’ve properly identified your objectives, you can properly assess what data needs to be protected and put in place a strategy and policies to ensure that data integrity is not jeopardised.
- Deploy the right security solutions: Deploy all of the necessary security software and technology before you begin to make use of your virtual servers. Firewall, antivirus, and endpoint security solutions all need to be factored in to create a protective shell around your virtual IT.
- Backup: Having data stored off-site does not mean that it is necessarily safe from threats. Make sure you regularly back up the data stored on your virtual servers and have in place a disaster recovery solution that can be deployed, should the worst happen.
You may have seen last month that I took part in a Twitter debate, hosted by Real Business Magazine, along with UK entrepreneur James Caan. The hour-long debate, which went under the hashtag #smbrisk, brought together the small business community, industry experts and even a candidate from this year’s ‘The Apprentice’, all engaging in a debate around the risk-taking nature of entrepreneurs. As organisations of all sizes look to ride out economic turbulence, we wanted to discuss why it’s so important that small businesses are helped to better understand and calculate the security risks to their information: what risks they are taking, and how they can minimise the associated threats.
We had a great response from the Twittersphere, with around 85 people getting stuck into the debate, generating nearly 300 tweets. The debate examined a wide variety of topics, from Government support for small businesses, and the importance of protecting business-critical information, to the risks posed by remote working, cyberattacks and natural disasters. James gave some great business insight and advice based on his own experience as a serial entrepreneur, and I got into some interesting conversations around information management and the importance of having the right technology and business processes in place to protect small businesses.
ITPRO’s interview with James and me, following the Twitter debate, has some useful advice for businesses and SME managers, and the top tips below should help any SME to manage their information safely:
1. Know what you need to protect: Today, small businesses’ critical information lives both within and beyond the walls of the office on servers, desktops, laptops and mobile devices. Look at where that information is being stored and protect those areas accordingly.
2. Combine policies and technologies: As the number and sophistication of web-based threats continues to rise, small businesses need to be secured with more than just traditional antivirus technology. Couple policies and education with an integrated solution to protect information wherever it is accessed.
3. Educate your employees: Empower all employees to keep your information safe. Security awareness programmes can help, providing guidelines that enable employees to carefully consider the security implications of their actions. Password management should form a part of this and maintaining strong passwords will help you protect the data stored on a laptop or smartphone if it is lost or stolen. Strong passwords have eight characters or more and use a combination of letters, numbers and symbols (e.g., # $ % ! ?) and should be changed on a regular basis, at least every 90 days.
4. Encrypt your information: Encryption technology converts information to make it unreadable to outsiders, and should be implemented on desktops, laptops, and removable media. With encryption, confidential information is protected from unauthorised access, providing strong security for intellectual property, and customer information.
5. Protect your endpoints: One of the most important yet simple steps to protect your information is implementing comprehensive endpoint protection. Keep the program up to date and take action to remove threats that are caught—ensuring that nothing malicious is passed through the business to customers.
6. Back up valuable data: Back up important information regularly and store extra copies of it off site. Employees should be trained to perform basic back-up tasks unsupervised, and systems as well as applications and files should be backed up daily, with the backups tested to make sure they work.
A recent survey by HCL Technologies shows nearly half of all UK enterprises (48%) ban access to social media sites. The reason for this was not related to productivity but to concerns about damage to businesses’ reputation from derogatory comments being posted on social networking sites. The point to consider here is whether this is really protecting the company in the way that it is hoped? In the modern world of mobiles and always-on connectivity, employees can post in any number of ways, even if they are within the confines of the corporate network.
In reality, smart companies can permit access to social networking sites by taking advantage of the protection in which they have already invested. Traffic to the sites can be scanned for malware, user postings monitored and scandalous or confidential information can be blocked before being posted to the site…and all while providing a motivational tool to employees by allowing access to social media sites. It seems that a more social approach to online interactions is here to stay and an approach that accepts this and deals with it will help organisations to understand and manage risk while also making full use of social media in marketing and customer interactions.
As we head into Christmas party season we can expect that alcohol-fuelled “forgetfulness” will see many work laptops and smartphones left in bars and varying forms of public transport as people raise a glass to celebrate the festive season as well as having survived an incredibly difficult year.
In an increasingly mobile workforce the number of corporate devices with sensitive data on them, such as laptops and smartphones, is growing. In fact, ABI Research recently stated that the number of smartphones shipped this year was 178.3 million.
With that in mind, please be careful that you store your laptops and phones in a safe place before ordering your first tipple.
Of course Christmas parties are a time to let your hair down and have fun. However, losing a work laptop or smartphone could leave you with more than just a hangover. If your business doesn’t operate daily back-ups then it may not be able to recover your precious corporate information. The worst case scenario will be if the device has fallen into the wrong hands, as it poses an incredible security risk. A criminal will be able to use the unprotected laptop or smartphone to access very sensitive corporate information – which they could then sell for considerable profit on the black market.
Listed below are 10 of the most common documents a cybercriminal will try to access should your device inadvertently fall into the wrong hands:
1. Your credit card information e.g. credit card number, magnetic stripe information, transaction data
2. Your employee information e.g. employee ID, salary and benefit information, personal health information
3. Sensitive customer data e.g. name, date of birth, national ID number
4. Price lists
5. Design documents
6. Source code
7. M&A contracts
8. High net worth client lists
9. Marketing plans
10. Financial earnings reports (during quiet period)
With this abundance of precious information available on corporate laptops and devices, make sure you take necessary precautions to minimise risk, should they fall into the wrong hands. Firstly, both laptops and smartphones should be locked with strong passwords. Also, you shouldn’t forget about physical security – laptops can be locked down with cables and Kensington locks and PDAs can be protected in locked cases.
However, should you fall victim, follow this guide and also inform your IT manager immediately, so that the device can be remotely disabled.
With the UK braced for a winter of possible postal strikes, we are urging small businesses considering paying bills online for the first time to stay safe and be aware of the potential dangers. Taking advantage of online banking is the obvious way to avoid being hit by late payment surcharges caused by cheques caught in the postal strikes. Yet for those more used to traditional bill payment methods, the world of online banking may seem daunting and full of potential pitfalls.
We recommend the following tips to ensure SMBs are confident they are browsing the web safely and that the postal strike poses no problems for those looking to make their regular payments with no interruptions:
If you use online banking, never do so on a public or shared computer or on a wireless network lacking security features such as a firewall. You might risk a hacker capturing your account and login information and stealing your money. Always type the Web address of your bank into the Web browser, never click a link from an email.
Online bill payment
Begin any online payment session by making sure your security software is turned on, and is updated.
Use only known and reputable sites, as using an unknown web site can be risky. One way to increase safety is to make sure any page where you enter data such as your address or credit card number uses encryption. You can tell if it uses encryption by the Web address, which will start with “https.” Another thing to look for is the padlock icon at the bottom of the browser frame, which is intended to indicate that the Web site you are visiting uses encryption to protect your communications. Check company credit card statements regularly for unexpected transactions.
When paying bills always type the address into the browser rather than following links from email or from search engines. Criminals are now “poisoning” search engine results and leading unsuspecting people to fake sites. You can avoid clicking through to potentially unscrupulous websites by using an online security product with web safety warnings.
Ross Walker, Director Small Business, Symantec
Small businesses are being warned of the dangers posed by irresponsible disposal of sensitive materials. A survey commissioned by Fellowes, launched to coincide with National Identity Fraud Prevention Week, highlighted that 79 percent of businesses are risking corporate identity fraud by not destroying sensitive material they throw away or recycle.
And it’s not just hard copy material that is putting small businesses at risk. Data stored on computers and PDAs can also leave SMBs vulnerable to corporate ID fraud if IT security is not up to scratch. A recent survey from Symantec found one in four SMBs have suffered security breaches, with 13 percent losing money as a result.
People tend to think of ID fraud as a risk to themselves as individuals, but it can impact businesses, and SMBs are most at risk. Negating this risk needn’t be a daunting task: in many cases simple processes like regularly updating security software, firewalls and passwords are enough and don’t require deep technical knowledge or dedicated IT staff. However, it’s imperative these organisations understand how to take simple steps to protect themselves and limit any potential harm.
Recommended steps for SMBs:
- Put in place a security solution that is designed for businesses and will keep your critical information safe wherever it is used or stored (laptops, desktops, mobile devices, servers, in email, over the network, and in storage devices)
- Ensure you have effective and accurate anti-spam protection. There was a 192 percent increase in spam across the internet from 119.6 billion messages in 2007 to 349.6 billion in 2008 and tricksters are getting more creative
- Stay informed: Several companies publish reports that help define the threat landscape for SMBs.
- Have good reliable backup in place, and keep a spare copy in a secure place away from the office.