It all started with Heartbleed. I’m sure the 2014 security bug is a distant and unpleasant memory for many, but I always keep it in mind. (Heartbleed was a vulnerability in the OpenSSL library that could allow hackers to steal information that we all thought was supposed to be safely encrypted.) I was working at my private office when reputable sources like the Electronic Frontier Foundation and Ars Technica noted the “catastrophic” nature of the bug. I downloaded a couple of Heartbleed checkers, and spent two days – no joke – changing my passwords on vulnerable sites. (Nearly half a million secure web servers were said to be vulnerable!)
I find the subject of data security fascinating. I’ve been doing research on the industry since Heartbleed. This basic research has yielded a five-point rundown of how businesses and enterprises can protect their data, using solutions from the quotidian to the esoteric:
1. The essentials
Essential preventive measures should include: a firewall; anti-virus; anti-spyware; and two backups (physical and cloud-based). One of my friends, Portland-based IT expert Tim Chalmers, says that if you don’t have your data backed up twice, it must not be important to you. I take Tim’s advice and back up my data using multiple methods. Of course, everyone needs strong passwords (and they should change them every few months). I’m still astounded by how many people use 123abc. The Federal Communications Commission recommends that small businesses train their employees in security methods like keeping customer data secure and only sending encrypted e-mails.
2. Investment in information security pays long-term dividends
Digital Guardian polled numerous security experts on “The biggest mistakes companies make with data security.” Aside from training employees, a recurrent theme is resource allocation for IT security. For example, Chris Tonkinson of Forge Software notes, “the tension between security and convenience always breaks favoring convenience.” Some ideas in the article include security auditing for all components (not just critical information); prevention and recovery services; and carefully vetting security vendor credentials.
3. Hybrids are the current normal
One of the leaders in the disaster recovery space is Sungard Availability Services. One of their recent blog posts notes that many companies have a mix of “hard” assets like servers, as well as cloud-based backups. The post notes that having a mix of different backup solutions helps ensure a successful disaster recovery. However, coordinating hybrid IT assets can be overwhelming for the employees tasked with managing them. The post compares this with being asked to create a gourmet meal out of odd ingredients without any direction or instructions. So having an outside provider to help train or manage hybrid IT assets is probably a good idea.
4. Co-location, co-location, co-location
A few months ago, I spoke to Devon Wilson, the President of Corvallis-based IMS, which provides IT services specifically for credit unions. One of the IMS services that made a strong impression on me was co-location. Devon made the highly compelling argument that businesses in areas where disastrous weather events are common have a greater risk of data loss. Securing their data at an offsite facility (like in Corvallis) safeguards their data, giving them peace of mind while they focus on regrouping.
5. Staying current takes effort
As the Heartbleed bug and the breaches at Premera Blue Cross, Home Depot, and Target all demonstrate, businesses need to put “data security” at the top of their forecasting. Identity thieves and hackers are persistent, and they count on business leaders to get overwhelmed by technical terms (“FIPS 140-2,” “GUI,” “VPN”) and choose the cheapest solution. That’s why many of those polled by Digital Guardian state that most companies will experience a data breach.
Bonus: I wanted to end on a less dour note. Read Andrew Plato’s clever and funny take on information security, built around Alec Baldwin’s classic (NSFW!) speech in Glengarry Glen Ross. Plato is the President of Anitian, an information security firm based in the suburbs of Portland, Oregon. Like many others working in information security, he is smart and knowledgeable, but he’s also savvy enough to use accessible metaphors to illustrate complex technical concepts.
How do you handle information security, data backups, and disaster recovery?