A couple of weeks ago I was asked to present at the Business Continuity Institute's regional forum in Liverpool. The aim of the presentation my colleague and I gave was to ask the question:
Do you consider data security as part of your business continuity plan?
Surely it is, isn’t it?
But you may be surprised at just how many people don’t believe it is. With IT BCP, we look at the big problems and large incidents: the complete failure of a system, the loss of a computer room or the loss of a building. However, as with so many things in IT, it’s the little things that can get you, and these little things sometimes slip the net.
It’s those perceived “little things” that we wanted to look at with the audience and share why in our opinion data security should be a significant part of your IT continuity plans.
Why the misconception?
Why don’t people believe that data security plays a part?
In many cases people don’t see how a data security breach impacts business process and delivery of services.
How can it impact? Data loss comes in many forms; to simplify, let’s look at two categories: loss of access and leakage.
Loss of access can be caused by corruption or loss of a data device, which has the potential to impact a production system and cause a major loss of service. What if we lose a system that affects our ability to produce goods, pay bills or pay staff? These are obvious business impacts, and often we do plan for this type of event. However, it’s the second category we often see slip through the BCP net.
The impact of the ever-growing problem of loss of data from a business is not so easy to quantify, as often a data loss doesn’t stop our systems, but the impact of losing our critical data has just as much potential for business disruption as any system failure.
Imagine if you lost information on a major deal that meant a competitor won it rather than you? What about if you leaked important business-sensitive plans, or payroll information, or plans of layoffs or expansions? All of these things can have huge disruptive potential, and that’s before we get into the problems of reputation damage or financial penalties that may also come our way.
With that scene set, we wanted to share some steps that businesses can take to ensure they maintain robust security and continuity planning to mitigate the risks caused by data loss.
Understand the risk
As with any type of IT continuity planning, it’s critical we understand the risk.
What’s the view of risk?
Is it taken seriously?
Do we see the need to mitigate against loss?
Do we understand where the risks lie?
Can we identify potential risks?
Where data loss may impact us?
How data could be lost?
Do we understand the importance of IT in our business?
- It may sound silly, but we’ve all seen those leaders that don’t see the value technology brings. If we don’t understand the value, we’ll never mitigate the risk.
Do we understand which bit of IT is important?
In many traditional plans we see the protection priorities the wrong way around, with the focus on systems, when in reality the primary focus should always be the data. If we have that, we have something to recover; without it, we have a problem!
Where do we start?
Like any IT project, to successfully meet our end goal we have to understand exactly where we are starting from.
We of course have to do the basics (firewalls, anti-virus, anti-spam etc.), but we have to look deeper.
The data security risk is much more complex, and a model built on external and known threats is destined to fail; in fact the opposite is true: the threat is most likely to be internal. Today we coach our customers that you have to accept that your IT systems are already compromised. With that in mind, we have to think about how we protect our internal assets.
- Understand your data
  - Do we know where it is?
  - Who has access?
  - What does it contain?
  - How many copies do we have?
  - Do people even look at it?
- Do we understand our people?
  - Does everyone, from top to bottom, understand our data security plans and their links to our BCP?
  - If they do not, there is a huge risk of failure, as our plans are seen as an inconvenience rather than a critical part of our business’s sustainability.
- Do we educate our staff?
  - When we deliver a BCP, a huge part of its success is based on education of our key stakeholders, and data security is no different. Do we educate staff on the risks, the mitigation we should take and, of course, the impact if we don’t?
How do I manage this?
If we’ve now understood why data security is a significant part of our continuity plans, the next step is to identify a model that allows us to deal with it. We could:
- IT can deal with it
  - We can rely wholly on manual intervention: a team that looks for potential risks and can deal with them. In a small business that may be just about sustainable; however, in reality humans cannot keep up with all of the potential data risks occurring at any one time.
- Get tools in place
  - We can supplement our IT staff with appropriate tools, tools that can spot potential incidents as they occur or spot unusual behaviour in our users. This ability to spot changes from the norm is critical in modern data security.
- Get help
  - We are seeing that, as the complexity of data security grows, businesses are concerned about how to keep track of it all. There is no point building plans and tools to address the issue when you don’t have the resource to deal with what you find. Do you employ additional resource to deal with it? Or outsource this help, taking data security as a service?
That brought our conversation with this group to an end. To sum up, what did we share?
- Take on the misconception – data security in our opinion is key to a successful business continuity plan.
- Understand the risk – do we see what and where the risks to our data are? Do we understand the impact of loss of access to it?
- Where to start – understand exactly where you are right now. Understand your key data, who has access to it, where it is and what it contains.
- Managing the problem – do we have the skills, tools and resources to manage the overall problem?
With these simple steps in place, we think you can greatly enhance a full business continuity plan and ensure that the little things are covered just as well as the big stuff.
If you have any comments on this piece, as always you can get me in the usual places: LinkedIn, Twitter and via the usual comments box on this page.