The statistics are worrying. According to a study done by the University of Texas, slightly over 40% of businesses that experience a catastrophic data loss never reopen and just over 50% of them shut down within as little as two years.
Perhaps surprisingly, most data losses are not caused by hurricanes, floods, and fires. A study from Pepperdine University breaks down causes of data loss from most to least common:
What can you do to protect your business from these risks?
Hardware failures
To avoid data loss from hardware failures, you must consistently back up your systems and data. You must also consider the hardware you’ll use for your backups. For example, tape backups are known to have a high rate of failure. You’ll want to avoid using them as your backup storage medium. Additionally, you’ll want to have your backup data storage be completely separate from your primary storage.
Human errors
You can’t completely avoid human errors. Even if your business has well thought out data policies along with clear instructions for shutting down and/or rebooting systems, your employees cannot be guaranteed to follow the policies perfectly at all times.
The best way to protect your business from these errors and from accidental deletion of files or records is to assume that the errors are going to happen, and back up your data accordingly. Key concepts for these backups are automation and retention. You need to have your backups occur automatically without human intervention. And you need to have retention of data. This means that even if errors are not identified for long periods of time, your data will be available for recovery when the errors are eventually discovered.
Software corruption
Software corruption occurs when software becomes unreadable by your computer. The causes for this can vary, and the results can be subtle and may go undetected for some time. As with human errors, the best way to protect your business from this cause of data loss is to have automated data backups and retention of data in case the errors are not found for a significant time period.
Theft
Theft involves copying data for use by competitors or actually destroying it. Copying data this way can be considered a form of corporate espionage. Our blog post, “Cyber Corporate Espionage,” discusses some of the ways you can protect your business from such attacks.
Actual destruction of data, however, is a different matter. This sort of vandalism is usually committed by a disgruntled or former employee. You can gain some protection against it by having careful policies regarding employee terminations. These should be the same for voluntary or involuntary terminations, and should include promptly disallowing former employees access to your systems. If destruction of data occurs despite your best efforts, automation of data backups and retention of data are once again your most effective ways to recover your data.
Computer viruses
A computer virus is code or a program that is loaded onto a computer without the user’s knowledge and runs against the user’s wishes. Viruses can take over computer memory, destroy data, and can often transmit themselves across systems.
To protect your business against viruses, you must have a firewall and you must install anti-virus software.
Although the risks from data loss are significant, you can take steps to minimize them. Planning for hardware failure, implementing policies to reduce the effect of human error, software corruption, and theft, and protecting your systems from computer viruses are all ways you can protect your business.
More and more businesses and government agencies are considering the cloud as a possible solution to their data storage and backup needs. In general, when businesses talk about “the cloud,” they are referring to a type of computing that involves sharing computing resources, usually via the Internet. For a more in-depth definition of the cloud and a discussion of cloud security issues, you can read our blog post, “When Security in the Cloud Gets in the Way of Work.”
Cloud storage refers to the use of the cloud as a replacement for more traditional kinds of data storage, such as a Network Attached Storage centralized storage device (a server dedicated solely to file sharing). Similarly, cloud backup refers to the use of the cloud as a way to protect data.
Cloud storage and backup offer several advantages.
Of course, there are also some disadvantages to consider.
Whether or not cloud storage and backup will be a good solution for your business is going to depend on your specific needs. It is well worth the time to consider if lower costs and scalability, along with other advantages, might make a cloud solution work for you.
For your data backup and recovery strategy to be worthwhile, you’ll need to go beyond merely copying your data. Some of the factors you’ll need to delve into include just how well you can recover your data, the operational expenses associated with your strategy, and how well your vendor really supports virtualization.
You copied it, but can you recover it?
Data backups are meaningless if they don’t successfully facilitate data recovery. Tape backups and online backups are two major culprits when it comes to recovery failures.
Tape backups were introduced in the 1950s and remain in use to this day, partly due to their low cost. But they often offer only an illusion of security. Studies show that anywhere between 50% and 77% of users trying to restore data from tape backups have experienced failures.
Online backups can seem to be a better, more modern solution. The good news is that online backups definitely have a better recovery rate than tape backups. Unfortunately, recovering even small amounts of data from online backups can take a significant amount of time, perhaps even months.
You know what you’d like, but should you spend the money?
In a world where money is no object, businesses would probably demand data backup and recovery plans that allowed for zero data loss and zero time spent to recover data. But in the real world it’s necessary to establish reasonable objectives for acceptable data loss and for the amount of time spent on recovery.
Your Recovery Time Objective (RTO) is the amount of time required to get the crucial aspects of your business back up and running after a disaster. For example, if your RTO for a particular service is zero, that means that the service must be restored immediately. A less crucial service might have an RTO measured in hours or days, depending on how long your business can reasonably function without it. Unsurprisingly, an RTO of zero is going to cost more to support.
Your Recovery Point Objective (RPO) is the point in time to which your data is going to be restored. If your RPO for your data is zero, this means that when service resumes there must be no loss of data at all. This might be necessary for banking or similar applications. In contrast, an RPO of 24 hours or more might be acceptable for some internal reporting applications where the loss of one day of reporting is not significant enough to justify the cost of complete data recovery.
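An added example (not part of the original post) that checks a backup history against an RPO and against the retention needed to recover from an error discovered late. The catalog format, dates, and function names are assumptions constructed for illustration; only backups that both completed and passed a test restore are counted as recovery points.

```python
from datetime import datetime, timedelta

# Constructed sample catalog: (finish time, job succeeded, test restore passed)
CATALOG = [
    ("2024-03-01T01:00", True, True),
    ("2024-03-02T01:00", True, True),
    ("2024-03-03T01:00", False, False),  # backup job failed
    ("2024-03-04T01:00", True, False),   # copied, but the test restore failed
    ("2024-03-05T01:00", True, True),
]

def recoverable_points(catalog):
    """Times of backups that completed AND passed a restore test, oldest first."""
    return sorted(datetime.fromisoformat(ts)
                  for ts, ok, restored in catalog if ok and restored)

def worst_case_data_loss(catalog, now):
    """Largest gap between consecutive recoverable points, including the gap up to now.

    This is the most data the business could have lost at any moment in the
    period, which is what the RPO has to be compared against.
    """
    points = recoverable_points(catalog)
    if not points:
        return None  # nothing can be restored at all
    edges = points + [now]
    return max(later - earlier for earlier, later in zip(edges, edges[1:]))

def meets_rpo(catalog, now, rpo):
    """True only if no gap between recoverable points exceeded the RPO."""
    gap = worst_case_data_loss(catalog, now)
    return gap is not None and gap <= rpo

def restore_point_before(catalog, error_time):
    """Latest recoverable point taken before an error was introduced.

    Returns None when retention does not reach back far enough, i.e. every
    retained backup already contains the error.
    """
    earlier = [p for p in recoverable_points(catalog) if p < error_time]
    return earlier[-1] if earlier else None

if __name__ == "__main__":
    now = datetime.fromisoformat("2024-03-05T12:00")
    print("worst-case loss:", worst_case_data_loss(CATALOG, now))
    print("meets 24h RPO:", meets_rpo(CATALOG, now, timedelta(hours=24)))
```

A nightly schedule suggests a 24-hour RPO, but one failed job and one unrestorable copy stretch the real exposure to three days.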
Your vendor says they support virtualization, but what do they really mean?
Webopedia provides this definition: “In computing, virtualization means to create a virtual version of a device or resource, such as a server, storage device, network, or operating system.” This means that, in theory, backing up a virtual machine should involve simply copying its files and configuration data. This copied information should then be easily available to move a virtual machine to different hardware as needed.
However, virtualization can represent a significant load for a host server and for the virtual machines running on that host. For some businesses, having virtual systems that operate at a much slower pace will be acceptable. But for situations where speed is necessary, the slower pace may come as an unexpected shock. Understanding the details of your data backup and recovery plan is crucial to making sure it meets your business needs. You will need to know exactly how recoverable your data really is, how your strategy impacts your costs, and the real facts about how well your vendor supports virtualization.
If you’re an IT person, you’ve probably experienced the daunting challenge of explaining technical matters to colleagues with non-technical backgrounds. Particularly in the case of explaining technology to executives, you need to be able to present your case from a perspective that makes sense to them.
You’ll need to make sure that you and your audience have a shared understanding of basic concepts. For example, does your CFO understand that data backup must also include effective retrieval of backed up data? Do they understand the concepts of automation and retention? Are they aware of any financial penalties the company faces if it fails to meet regulatory requirements?
You’ll also need to present the business need for backup and recovery in a way that makes sense to them. While you might expect a CFO to automatically understand the need to mitigate risk, this is not always the case. Their primary focus is often on reducing costs; it will be up to you to make a compelling argument that failure to mitigate the risks potentially associated with data loss is likely to be more costly in the long run.
IT managers often compare backup and recovery processes to insurance to make this point. Discussing backup and recovery as a type of insurance that offers financial risk management in case of disaster is likely to appeal to a CFO or other executive whose primary concern is budget.
In this vein, providing your CFO with actual costs for ineffective backup and recovery can help to illustrate your point. Break down, as accurately as possible, the costs associated with lost employee productivity, lost revenue, and the costs associated with recovering data. Will you need to bring in outside help to assist with recovering data from unreliable tape backups? Is it possible you’ll need to hire computer forensics experts to recover data from hard drives that are not currently being backed up properly?
It’s also worthwhile to touch on less quantifiable losses. Will your clients lose confidence in your ability to deliver your services or products reliably? Will your company be liable for failures associated with any data loss?
You should also explain to your CFO the ways in which your proposed data backup and recovery plan will make sure your company is getting the most value for its money. Be prepared to discuss the scalability of your proposed solution to your data needs, so you can assure your CFO that your company will be able to spend only what it needs to at any given time.
Keeping operational costs down will also be appealing. For example, be prepared to describe how your solution takes less time to recover data, or requires very little human intervention to perform and monitor backups. It’s up to you to go beyond mere technical explanations when you discuss data backup and recovery with the decision makers in your company. And you can’t assume that they have a clear grasp of the risks the company faces or the advantages of any solutions you propose. Framing your discussion from their perspective will help you to help them to make the right choices for everyone’s success.
What is Cyber Espionage?
According to this comprehensive definition from Wikipedia, “cyber spying” or “cyber espionage” is:
“The act or practice of obtaining secrets without the permission of the holder of the information (personal, sensitive, proprietary, or of classified nature) from individuals, competitors, rivals, groups, governments, and enemies for personal, economic, military, or political advantage using methods on the Internet, networks, or individual computers through the use of cracking techniques and malicious software including Trojan horses and spyware.”
With the likelihood of U.S. economic sanctions against China in response to repeated acts of civil cyber espionage, many U.S. companies are asking if they might also be targeted. The possibility of such attacks is definitely increasing, as cyber espionage is not strictly limited to the political sphere; financially motivated hacker groups appear to be on the rise. These groups’ efforts are focused on acquiring business secrets that can be sold to third parties, or used for insider trading. Closer to home, similar attacks from former employees or business competitors are a real concern.
What kinds of information might be targeted in a cyber attack?
Generally, the answer is anything that could give your competitors an advantage. For business owners, this could mean having your competitors gain access to information about your product features, pricing, customer or vendor contracts, M&A plans, employee information, and more. Customer contact information is also of interest to attackers, who might use it to engage in phishing attacks.
What steps can you take to protect your company?
There are several steps you can take to mitigate the risk of cyber espionage:
● Use up-to-date malware and virus removal software. If you aren’t already doing this, now is the time to start. Your network is most likely to be infected when employees visit websites that contain viruses and other malware. While you can employ web usage controls to limit the sites your employees access and to monitor the ones they do, you can still be infected when employees use their own devices, such as laptops, flash drives, and so on. Keeping your virus removal software up-to-date can greatly decrease this problem.
● Have a process in place for properly suspending or terminating the accounts of problem employees or employees who are no longer with your company. It’s easy to overlook the importance of promptly removing access, but the surest way to protect against misuse of access is to remove it.
● Enforce the use of “strong” passwords. This means both educating your employees concerning the risks of using common passwords, and requiring them to use complex, unique passwords instead.
● If you have data on a public cloud, consider whether it is sensitive or not. If it is, it may be in your best interests to move it to a private cloud where you have more control over security.
● Train your employees on all aspects of cyber security. We discussed the need for strong passwords above; additionally, educate your employees on other security issues. For example, offer guidelines for how to identify suspicious emails, and how to report them when received.