In the modern business environment, data loss has become a significant concern due to the legal, business and financial ramifications of lost data. GDPR law categorises lost data as a data breach and dictates strict actions and consequences/fines.
Therefore, many businesses are looking at Data Loss Prevention as an integral part of their business risk assessment. This includes plans for ensuring that preventing data loss is assessed and understood, how to protect and back up data, and often consists of backup recovery. In more severe cases that may involve Malware such as Cryptovirus, where core company data systems are unavailable, a full disaster recovery plan will need to be initiated.
This article will focus on the common causes of data loss, to provide insight and understanding to business owners and employees alike. By being more aware of the risks, companies can take the preventative measures necessary to protect their all-important data.
It is essential that businesses of all sizes truly understand the risk to their companies if the IT systems suffered any degree of data loss, and that lost data meant disruption to normal operations. Smaller businesses are typically less able to withstand the financial impact of lost data. Did you know that 43% of data breach victims are small businesses?
One of the most frequent causes of data loss is accidental overwrite or deletion by a person. There is little the computer systems can do to protect against genuine (or not!) changes of data at the time. The critical issue is how easy it is to resolve and recover the situation. Ideally, the backup strategy will be frequent enough to pick up various versions, with long retention, so lost data over time can be recovered.
Human error can also include the transmission of data to unauthorised locations by accident. While this is not a data loss in terms of its availability to the users, it is counted as a breach in terms of GDPR, due to the unauthorised ‘loss of data’ outside the company and its responsibilities to take care of its storage.
This is where technologies such as DLP (Data Loss Prevention) can be added to modern firewalls and antivirus systems. Such technology can pick up on sensitive data such as:
- Credit Cards
- Phone numbers
- NI numbers
- Bank Account details
Such data, and passwords, can be detected and blocked by electronic policy to ensure that any human action – malicious or otherwise – is stopped in its tracks.
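As an added illustration (not part of the original article or any vendor's product), the sketch below shows the kind of content inspection a DLP policy applies to outbound text: pattern matching for the data types listed above, with a Luhn checksum to cut false positives on card numbers. The patterns, sample values and function names are constructed assumptions for UK-style data.

```python
import re

# Constructed detectors for UK-style data; real DLP products ship tuned ones.
PATTERNS = {
    "credit_card": re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)"),
    "ni_number": re.compile(
        r"\b[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"),
    # Sort code followed by an 8-digit account number.
    "bank_account": re.compile(r"(?<!\d)\d{2}-\d{2}-\d{2}\s+\d{8}(?!\d)"),
    # UK mobile number in national or +44 form.
    "phone": re.compile(r"(?<![\d+])(?:\+44\s?|0)7\d{3}\s?\d{6}(?!\d)"),
}


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum: rejects most random digit runs that merely look like cards."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep only the last four characters so alerts do not leak the data."""
    return "*" * (len(value) - 4) + value[-4:]


def scan(text: str) -> list[tuple[str, str]]:
    """Return (data type, redacted match) for every detector hit in text."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            if kind == "credit_card" and not luhn_ok(match.group()):
                continue        # digit run fails the checksum: not a card
            findings.append((kind, redact(match.group())))
    return findings


def policy_decision(text: str) -> str:
    """Electronic policy: block the transmission if anything sensitive is found."""
    return "block" if scan(text) else "allow"


# Constructed sample message; none of these values belong to a real person.
SAMPLE = ("Hi, card 4111 1111 1111 1111, NI AB 12 34 56 C, "
          "call 07700 900123, pay 20-00-00 12345678.")
```
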
Modern cyber criminals are increasingly creating bespoke virus and malware technology to encrypt and hold businesses to ransom. From the moment that the “ransomware” takes hold, data loss is immediate and can lead to total destruction if significant money is not paid (and even then, that may not ultimately resolve the situation).
A far better solution would be to ensure that there is a near-real-time backup solution which is kept electronically separate from the central systems. This ensures company data is updated continuously, and impervious to any ransomware attack.
Hard drive changes/formats
Over time, computers are upgraded, and typically, hard drives are replaced with modern Solid State Drives (SSD) and/or larger capacities. When this occurs, a proper migration of data must be completed. A fully secure destruction of the redundant hard drive should also be carried out. If it is not done correctly, data can be extracted, and potentially confidential documents could be recovered. Many companies permanently retain old hard drives for five years to ensure that data is not lost and subsequently shred the hard drive into scrap metal for environmental recycling.
Although natural disasters are rarely predictable, certain places in the world will have a higher risk associated with them due to their geography. This could refer to:
- Water damage
- Fire damage
- Physical damage from landslides/earthquakes
Natural disasters could not only destroy equipment, but access to data could be limited or impossible, due to the files being damaged beyond use.
Planning for natural disasters is a part of the disaster recovery planning process, as this ensures that multiple real-time copies of data are kept geographically apart. This also ensures that backup systems are not co-located with the systems they back up.
Even in areas that are unlikely to suffer a natural disaster, there is always the possibility of local issues, such as:
- Chemical spills requiring compulsory evacuation
- Mains power failure
- Terrorist threat
- Civil unrest
Such occurrences could mean that local access to data or backup systems becomes problematic.
Planning out such scenarios is core to the backup & disaster recovery plan for businesses.
Sometimes, data loss occurs because changes in software systems can contain bugs or inadvertent behaviours that are out of the control or management of the system's users.
Businesses are totally dependent on the software vendors having a testing scheme that includes a quality check of updates and releases to ensure that data is not lost.
Lost data by vendors, mainly where that is a cloud-based technology, is much harder to recover from. This is because the management and recovery process of that data is typically outside your own business management. A simple solution to prevent such problems is ensuring that the vendor has a clear and appropriate backup and recovery plan that is both tested and robust.
As far as GDPR is concerned, any data shared externally with third-party providers is still the responsibility of the business that shared it. That business will need to ensure that there is an appropriate security technology to protect from data loss. Whether this is protection from deletion, unauthorised change, or accidental disclosure, the responsibility still lies with the business source.
There are a significant number of risks that can compromise the data of a business. The business can manage many of these risks, and most, if not all, can be mitigated with modern technology and systems. The budget, design and implementation of such systems will be the greatest challenge to data loss prevention. Still, by recognising these risks, a business can plan and put in place an appropriate recovery plan.
Data Loss Prevention planning can ensure that backup recovery procedures are:
With the loss of reputation and trust from customers and suppliers, businesses need to consider data loss within their overall strategy. By taking the appropriate precautions, companies can rest assured that should data loss occur, it won’t result in a potentially devastating interruption to core business operations.
For more information about data backup and recovery, and how CIS can help your business, contact us today, or head to our blog.