Innovative Visions

You may or may not have noticed that our blog was down for a short time recently and just came back online. It went down when we tried upgrading the backend of the system and it didn’t match up well with the database. However, thanks to a backup of the data (both in a SQL formal and Word docs for each post, which was all then imaged to another disc) we are back up and running… There will be more changes coming to our blog soon so you can be sure there are fresh backups already made in anticipation of the problems we all know happen. Remember, if nothing else, that there is a 100% chance of a disc failing… and the web spreads out from there.

While recently working on a project involving the “soft” costs associated with backing up a company’s data, an IV partner provided me with an excellent collection of statistics pertaining to this subject. I’ve listed it below for your reference and welcome any questions you may have. Of course these numbers fluctuate by a couple of percentage points depending on who you ask, but the point is still made crystal clear… back up your data (preferably not on a PC in your CEO’s basement)!

« 34% of companies fail to test their tape backups, and of those that do, 77% have found tape back-up failures.

« 60% of companies that lose their data will shut down within 6 months of the disaster.

« As much as 60% of corporate data resides unprotected on PC desktops and laptops.

« Key causes of data loss:
78% Hardware or System Malfunction
11% Human Error
7% Software Corruption or Program Malfunction
2% Computer Viruses
1% Natural Disasters
1% Other

« 25 percent of users frequently back up digital files, while 85 percent of computer users say they are very concerned about losing important digital data.

« More than 22 percent said backing up information is on their to-do list, but they seldom do it.

« 30 percent of companies report that they still do not have a disaster recovery program in place and two in three companies feel their data backup and disaster recovery plans have significant vulnerabilities.

« 1 in 20-25 notebooks are stolen, broken or destroyed each year.

« Today’s hard drives store 500 times the data stored on the drives of a decade ago. Increasing storage capacities amplify the impact of data loss, making mechanical precision more critical.

« The average failure rate of disk and tape drives is 100% - All drives eventually fail.

« 30% chance that you will have a corrupted file within a one-year time frame.

« More than 50 percent of customers surveyed said their current backup solution does not meet their needs.

I’ve been working a couple of different projects recently which have kept me quite busy. Both involve data storage, but each is handled differently. The primary question at the bottom of both projects is should the client store its data on site or outsource that task? There are going to be positive and negative factors no matter what scenario you pick, so the question you have to ask is: How do we optimize the design for your business model and strategy? Is this model in line with your security policy (please tell me you have one by now)…Also, keep in mind that Congress may finally take a stand on how businesses secure customer data and of course, Symantec’s John Thompson constantly reminds us of its importance.

The old-school method of data storage is to process (with local servers) and back it up to tape on site, then store those tapes off site in a secure location (preferably not the back of your car or CEO’s timeshare, as we’ve stressed before). This is still very effective, but may not satisfy your data availability needs. If you need to find a tape and have it shipped to you, then retrieve that five year old email you needed yesterday, it may not work so well.

As another option, you can outsource your processing, storing and backing up of all of your data off site (i.e. hosted by a trusted, third party and accessible to you at all times). While losing some control, this may be very convenient, but depending on the amount of data we’re talking about, remember that often you will pay monthly, per gig.

As I mentioned, there are obvious pluses and minuses to each scenario. There is also a third option, growing in popularity, which combines these two designs and will leave you with a better solution overall. That is, house your servers on site (managed locally or remotely, doesn’t matter) and host your data internally as well. Then, by partnering with that trusted third party, have them image and store a backup of all data (also called vaulting, but could also be dynamic and real-time) so that in the event of an emergency, hardware/software failure or other “mix-up”, your data is secure and accessible at all times.

This last option has become more and more popular with the reduced cost of disk space and more efficient methods of backing up over the WAN. It enables you to control and manipulate your data locally, but have it housed offsite as well for security and availability. And as EMC’s chief, Joe Tucci, said this week: “You will see EMC playing there.” This speaks directly to the subject, considering EMC is the world’s largest hardware/software storage vendor and it is considering making storage a service.

It happened again. Actually, it happened three months ago and the company (Nationwide) just decided not to report it. What is this again? Oh yeah, during a home break-in three months ago in the U.K., the laptop belonging to an employee of Britain’s largest building society, was stolen with the names and account numbers of 11 million customers on it… 11 million!! Why oh why is this information on that laptop? Are they really that stupid to risk this simple breach in security? I’ve said it over and over again. Please don’t keep your customers’ sensitive information on your laptops or desktops. All of this data should be stored and secured centrally (along with a secure, remote back-up). Not only is this model more efficient, but it’s also secure. That’s the least you could do…

However, most of the outrage and media attention is focused on the amount of time it took to report the theft.

‘”A three-month delay is appalling. People should be able to trust that if a problem has happened they will be told about it straight away.”’

While this lapse in time and judgment is “appalling” it shouldn’t be the major concern in this situation. The CEO of this company was quoted as saying,

“We have tightened up our already high security procedures and this should ensure it couldn’t happen again.”’

Well, why weren’t the proper procedures put in place to start with? He is saying their security procedures were already “tightened”? Come on, Mr. Philip Williamson… Can we really believe that?

As we’re approaching another hurricane season in the Western Hemisphere, it is certainly time to ensure that our disaster planning and recovery procedures are in place. This is a business-critical exercise that should be completed and then tested on an annual basis. However, with the looming threat of another wicked storm season approaching, there’s no time like the present to get this done now!

According to NOAA, the 2006 hurricane season is set to be very active.

“For the 2006 north Atlantic hurricane season, NOAA is predicting 13 to 16 named storms, with eight to 10 becoming hurricanes, of which four to six could become ‘major’ hurricanes of Category 3 strength or higher,” added retired Navy Vice Adm. Conrad C. Lautenbacher, Ph.D., undersecretary of commerce for oceans and atmosphere and NOAA administrator. 

With an average of 11 named storms per year, with six becoming hurricanes, 2006 is set to be more extreme than usual, but not yet defined to be worse than what we saw last year (if you can imagine that).

And if you aren’t located along the Gulf Coast or the Florida peninsula, don’t think that you’re immune. Multiple private, educational and governmental organizations have warned the East Coast of the United States is far overdue for a major hurricane. Here is just one example. Now I’m not one to spread fear unnecessarily among the masses, but there are certain pending events for which we must at least properly prepare.

I’ve seen a number of companies starting to secure their data offsite and create contingency plans for evacuation before a storm and plans for recommencing business afterwards (either in the same location or at a remote site). Some of the very key things you can do to protect your business can be found on the American Red Cross’ website. However, some of the basics are ensuring that your UPS batteries are in working order and have the capability to handle the load should the power fail. Also, ensure that any AC units in server rooms and cabinets are fully functional. There are many options available which allow you to backup your data remotely, over the WAN. How easy would it be to port your phone numbers to an alternative location? Have you even checked? Are your users’ PC’s up, off the floor in case of flooding? Is the data on those PC’s backed up to the server? (This is something that should be done no matter what anyway!)

If you or your department managers aren’t sure about where to start or would like a third party to audit your preparedness with a third set of eyes, please let us know and we’d be happy to lend a hand.

NPR’s Marketplace aired a broadcast on May 2^nd discussing corporations’ security, theft issues and the measures being taken (or not). http://marketplace.publicradio.org/shows/2006/05/02/PM200605024.html The report was fairly thorough in nature, but neglected to expand any more on some of the measures which can be taken to properly secure company and customer data, much less the full costs associated with these thefts.

In the report they discuss the magnitude of this problem:

“About 18,000 Bank of America customers got a memo back in May saying their Social Security numbers were on a laptop stolen out of an employee’s car. That same month a laptop was stolen from a branch of Omega World Travel, containing the credit card info of 80,000 Department of Justice workers. Not to be outdone, Bank of America had another laptop stolen in August. In November, 161,000 Boeing employees were told that a laptop containing their Social Security numbers was lifted. Geddit? Boeing? Lifted? In February, Ernst and Young was hit. In March it was Fidelity. As I was writing this paragraph, Boeing called again to say that, since we talked, another laptop was grabbed away from an HR rep at an airport. We’re talking, at least, 14 different companies, three state governmental agencies, five hospitals and nine colleges and universities.”

But they only briefly discuss one of the main issues at hand. Can any company or person ever guarantee sensitive information will not be compromised? Of course not. But there are some very basic steps which can be taken now to seriously impede those trying to capture social security numbers, credit card numbers, health records, etc. From the story, “…(Jonathan Zittrain, a co-founder of the Berkman Center for Internet and Society at Harvard Law School) says there are pretty sure-fire ways to protect sensitive information. Like, encrypting it, or leaving the data on the main server and remotely tunneling through the Internet to work with it.”

The ability to store sensitive information on centrally managed (and protected) servers is really quite basic these days; not to mention a critical part of your security policy (one of many great resources with more information is the SANS project: http://www.sans.org/resources/policies/).With secured and encrypted wireless connections, SSL VPN tunnels and the ability to update, store and back up remotely over the WAN, why is there still sensitive information being stored on company/personal laptops or being transported on tapes by anyone other than Wells Fargo?

Marketplace aired a follow-up interview with the CEO of a major healthcare provider on May 11^th. He and his company have won awards for how they’ve dealt with the theft of information; after the fact. They have also lobbied heavily with Congress in order to change the laws by which companies have to adhere in order to notify customers of information theft. “At the moment, Congress is considering a few bills that would require companies to do what McIntyre did: Notify customers in the event of a security breach.” http://marketplace.publicradio.org/shows/2006/05/11/PM200605115.html

But what about prevention? These laws are still vague in nature. Please remember that as a company responsible for the security of your customers’ confidential information you cannot wait and be reactive to this problem. The legal and financial costs are far too great to ignore. This is a problem which has to be dealt with proactively for it to be at least mildly effective.