Why, What and How to Protect Sensitive Data

DRI ANZ


When talk turns to protecting sensitive data, what do you immediately think of? True, commercially confidential information is one case. A competitor finding out about and blocking a new product strategy can be disastrous for an enterprise. But so can the loss, exposure or theft of data about individuals, such as healthcare data on patients or education information on children and students. Even if regulatory fines don’t drive an organisation into bankruptcy, the reputational damage alone can be fatal. For these reasons, it’s worth knowing what kind of information needs to be protected and how responsibilities should be defined for employees.

Governments stipulate that many forms of information that can be used to identify someone must be protected. Depending on where your organisation operates, this may cover:

  • Work. Employment history, security clearance, salary, benefits.
  • Social and Education. Home address, phone number, social security data, biographical data, academic records.
  • Other. Medical records and data pertaining to arrests or criminal investigation.

Correspondingly, all employees have duties to fulfil concerning the protection of data. Whereas the human resources department may be first in line for protecting employee data, the sales, service, marketing and technical departments are a natural starting point for customer or patient information, and for corporate products, plans, strategies and processes. However, sensitive data protection also extends to IT workers responsible for the security of the organisation’s data centres and networks, and to anyone who has access to or who handles sensitive data as part of his or her work function. This can mean the entire workforce.

Leading by example, reinforcing awareness and checking regularly for compliance make for an effective three-pronged strategy for data protection. Many protective measures are a matter of common sense, but still need to be followed up. Examples are clearly identifying and securely storing sensitive data, not leaving workstation sessions open and unattended, and immediately notifying management of any data breach. Others include encrypting sensitive information before sending it anywhere, storing such information on secured network drives (not desktop or laptop PCs), and keeping anti-virus software working effectively.

Slow Changes that also Affect Business Continuity

DRI ANZ


When the subject of business continuity comes up, there’s a natural tendency to think of events that have an immediate impact. IT server crashes, flash floods, fires and hacker attacks are just some of the examples. While these sudden events can certainly put business continuity planning and management to the test, they are not the only factors that can affect operations. There are many other forces at work whose end effects can be just as powerful. Looking at what happens in nature can suggest good models to consider in a business environment too.

For example, take the ‘ecological threshold’. This is a phenomenon in which an ecosystem changes due to a relatively small change, but in a way that may make it impossible for the ecosystem to return to its former state. This might be additional pollution in an already polluted lake, or the introduction of a new species of animal that alters the established order and food chain. In a business context, the equivalent is often referred to as a tipping point, where for example a new problem with customer service makes already exasperated clients take their business elsewhere (‘the last straw that breaks the camel’s back’).

Even if a business can persuade such clients to recommence doing business with it, things are unlikely to be the same as before. This ‘hysteresis’, where the path back from disaster is different to the path that led up to it, is also well known in nature. Earthquakes and volcanoes for example can drastically alter landscapes. Plants grow again afterwards, dwellings are rebuilt, but the land surface is altered forever. This however is not necessarily a bad thing (notwithstanding the disruption and danger of the event itself). Enterprises too may find that a ‘business earthquake’ is the opportunity to change things for the better. Good business continuity planning will also allow organisations to be better prepared beforehand, rather than having to scramble to react afterwards.

Disaster Recovery Planning – How Much Do IT Vendors Really Understand?

DRI ANZ


There is no shortage of hardware and software products to help enterprises with their IT, but when it comes to disaster recovery planning, vendors may not be best placed to advise. The most effective DR also means having the right people taking the right actions at the right time, something that transcends the possibilities of machines and automation. Both dimensions, human and machine, need to be taken into account. Consequently, vendor promises that their solution is ‘all you need for DR’ should be taken with a good pinch of salt.

Good disaster recovery planning includes provision for team training. The aims are multiple: avoiding disasters where possible; checking that IT routines and solutions remain relevant and operational; and adjusting recovery tactics in real time as required in disaster situations. As in information security, advanced people capability combined with basic technology is often preferable in DR to advanced technology combined with only basic people capability. People know what the specific objectives are for their organisation and can adapt and apply different solutions accordingly. Vendor disaster recovery offerings have the potential to help, but are not by themselves a magic bullet that removes the need for the customer organisation to think for itself.

Smart vendors know that their commercial impact will be greater if they can demonstrate to a customer that they understand the specific challenges to be addressed. Working with a vendor that’s on the ball and that relates to your own particular requirements can facilitate the disaster recovery planning process. Delegation of responsibility can however only be done to people who can prove they have your firm’s best interests at heart. Typically, that either means a dedicated team of consultants or your own internal DR task force. So encourage vendors to better comprehend your specific needs. Keep in mind nonetheless that they may not always have had the same benefit of DR training or practical DR experience that you have had.

The Mega-Test of Your Business Continuity You’ve Been Waiting For

DRI ANZ


You’ve trained for business continuity challenges. You’ve planned and practised, in case that server crash, flood, fire or earthquake hits your business tomorrow. But all these events are subject to chance. They may or may not happen. Here’s another challenge to business continuity that will certainly happen, however, and that is likely to affect a vast number of organisations and enterprises around the world. It’s the end of support by Microsoft for its Windows XP operating system. To understand why this is such a major event, after more than 12 years of XP’s existence, we should start by looking at some of the statistics.

Between one quarter and one third of the world’s desktop computers are estimated to still be running Windows XP. That’s huge. Not only that, but Windows XP has also found its way into other systems as an embedded operating system: ATM networks are just one example. XP’s longevity has been helped by its quality as an operating system (relatively good) and the opinion of users of the Windows Vista OS that followed it (relatively poor). Microsoft has supplied both patches and support up to the current day. When this stops on April 8 of this year (2014) however, users may find themselves exposed to a variety of risks.

The threat from cybercriminals may increase. Hackers may be storing up attacks on XP to unleash them after the end of support in April, when no coordinated response will be available to counter them. Buying support from third parties moving to fill the support void left by Microsoft is one option, although this may become expensive. Upgrading to a later, supported version of the Windows operating system is another. However, Windows 8 isn’t everybody’s favourite either. In short, if you want to know how good your business continuity planning and management is, trying to figure out how to handle XP end-of-support could be the test you’ve been waiting for.