Are You Prepared for a Disaster?

RenovoData Weekly Articles

Data Loss Prevention Best Practice #2: Identify Needs

Posted on Thu, Sep 03, 2009

The vital first step toward data loss prevention is to develop a comprehensive understanding and inventory of the various types of sensitive data present within the organization, as well as the policies needed to control and enforce how that data can be distributed and shared.  To accomplish this, businesses must review the extent to which their companies or agencies are impacted by regulatory compliance, intellectual property protection and appropriate use enforcement.

It’s critical to have a thorough knowledge of precisely how regulations apply to the overall organization, as well as to the individual users, departments and remote offices.  For instance, an organization may need a solution where content is scanned and automatically encrypted to protect private information.  Viewing compliance requirements in more detail makes it easier to define requirements and manage solutions.  

After determining the areas where effective data loss prevention strategies are needed to protect sensitive data, organizations should consider the effect of data loss prevention on workflow.  This ensures that any solution implemented is designed to be dynamic and flexible as workflow and processes shift.  Lastly, a critical factor in a successful data loss prevention plan is executive involvement.  Achieve this by identifying a champion within the “C-suite” who can provide the credibility and buy-in necessary to implement an enterprise-wide program.

Data Loss Prevention Driving Forces

Posted on Thu, Aug 20, 2009

Rising government mandates and intellectual property (IP) protection are the major driving forces behind the high standards surrounding data loss prevention.  In today’s vulnerable economy, enhanced data security should be a spending priority.  Increased regulatory compliance requirements, layoffs and job insecurity have intensified concerns about employees sabotaging or running away with sensitive business information.

Most organizations fall under one or more state, federal or international regulatory mandates.  Compliance standards such as those within the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLB) and Sarbanes-Oxley (SOX) require corporations to take measures to safeguard private and personally identifiable information.  Thirty-five U.S. states currently mandate that companies affected by data loss notify individuals when their personally identifiable information is breached.

Data loss prevention is of significant interest not only to the health care and financial industries, but also to nearly all companies that conduct business worldwide.  Organizations face several obstacles that make it difficult for them to maintain regulatory compliance.  Mistakes such as sending an email that contains unencrypted credit card data, or distributing a report revealing employee or patient medical information to an unauthorized person, can be considered regulatory violations.

A down economy generates a more competitive business environment, making IP protection critical for all companies.  IP is one of the most important assets belonging to any business and serves as a key motivating factor for data loss prevention efforts.  Because so many forms of documented data could be considered a trade secret (such as data pricing, marketing strategy plans and customer information), company insiders may not be fully aware they are handling IP.  It is therefore the company’s responsibility to take the necessary steps to protect critical IP.  This begins with an effective data protection and disaster recovery plan.

Fact:  U.S. businesses are losing approximately $250 billion annually from trade secret theft (United States Trade Representative).

Hurricane Season Poses Data Loss Threats

Posted on Thu, May 28, 2009

Many companies back up data critical to their business operations using media such as tapes, DVDs and portable hard drives.  Most store their data on-site and do not test their recovery processes to ensure that their backups have been performing properly.  Hurricane season starts June 1st.  Imagine the consequences of a major natural disaster like Hurricane Katrina, which caused catastrophic damage to the Gulf Coast of Louisiana, Alabama and Mississippi.  What is the likelihood that those companies using in-house portable storage solutions will be able to recover all of their data?

Gartner estimates that a single data loss incident can cost a company an average of $10,000.  However, this amount could easily go up depending on the critical nature of the data that has been lost.  As government regulations become stricter and the technology world grows exponentially, offsite data backup has become the less costly and most secure alternative in the long run.  The increased need to store and retain mission-critical information has raised the probable costs of data loss substantially.  When companies employ a remote backup company, they do away with the top causes of data loss, which are human error and media failure.

Companies should consider the following factors when analyzing the cost of a data loss disaster in comparison to the cost of implementing an offsite data backup solution to take care of data storage and recovery:
  • Cost of company downtime
  • Cost to restart in the event the business shuts down after an initial loss
  • Cost of lost business and customer retention and acquisition
  • Cost to rebuild customer information accumulated over the years
  • Potential costs of litigation if the lost data poses a risk for the company to face legal liabilities
Businesses that choose to continue to use traditional on-site storage methods are risking their reputation and long-term business viability.  Regardless of the size of the incident, data loss threats are inevitable.  Businesses must ask themselves how prepared they will be once a disaster happens.

Airing Out the Data Security Risks of Cloud Storage

Posted on Wed, May 20, 2009

Cloud computing has gained popularity over the past two years.  The concept incorporates software as a service (SaaS) as well as other technology trends that share a common theme: reliance on the Internet to satisfy the data storage needs of the user.  However, cloud storage providers such as Carbonite, Amazon S3 and Google App Engine have recently been troubled with recurrent shutdowns and losses of customer data.  The problems experienced by these companies have led some to question whether cloud storage poses a data security risk, specifically because users depend on unseen infrastructures holding massive data vaults that can attract the interest of hackers and electronic terrorists.

Unlike a reliable remote backup company that stores data at an offsite data vault, the distinctive attributes of cloud storage require risk assessments in areas such as data recovery, as well as privacy and legal issues such as e-discovery, regulatory compliance and auditing.  In contrast to using a secure remote backup service provider, below are a few precautions Gartner gives when considering a cloud storage service provider.

  • Since cloud services bypass the physical, logical and personnel controls IT organizations exert over in-house programs, sensitive data processed outside the enterprise brings with it an inherent level of risk.

  • Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a cloud service provider.  Remote backup service providers are subjected to security certifications.

  • When using cloud services, the exact location of where the company’s data is hosted is unknown.  In fact, the data may be stored in an unknown country.

  • Data is in a shared environment alongside data from other customers, posing an encryption risk which could make data totally unusable.

  • Many cloud service providers lack the ability to replicate data and application infrastructure across multiple sites, making the stored data vulnerable to a total failure in the event of a disaster.  The cloud service provider’s capability to do a complete restoration is imperative in the case of a catastrophe.

  • Investigating inappropriate or illegal activity may be impossible in cloud computing.  Cloud services are difficult to investigate because logging and data for multiple customers may be co-located and spread across an ever-changing set of hosts and data centers.

  • In the event that the cloud service provider goes out of business or gets acquired by a larger company, make sure the data can be retrieved in a format that can be imported into a replacement application.

Although there is no such thing as 100% foolproof backup, partnering with a trusted and secure data backup service company will provide a higher level of security for storing all mission-critical and regulatory-compliant data.  If you are contemplating storing data in the cloud, consider the factors mentioned in this article.
