In the modern business environment, data loss has become a significant concern due to the legal, business and financial ramifications of lost data. GDPR law categorises lost data as a data breach and dictates strict actions and consequences/fines. This article will focus on the common causes of data loss and will work to give business owners and employees insight into how these can be avoided. By being more aware of the risks, companies can take the preventative measures necessary to protect their all-important data.
It is essential that businesses of all sizes truly understand the risk to their companies if their IT systems suffer any degree of data loss.
43% of data breach victims are small businesses
Lost data results in disruption to normal operations, with some smaller businesses sometimes unable to manage the financial impact.
What is data loss?
At some point in their working lives, the majority of organisations have suffered from some form of data loss either through user error, cybercrime or hardware malfunction. This could extend from the loss of one deleted file to the corruption of an entire network. Essentially data loss is when data is irretrievably lost from the IT infrastructure. Data loss causes a lot of upheaval in the workplace in the form of lost time trying to retrieve the data as well as a potential financial loss and reputational loss should the data be personal client details.
What causes data loss?
Data loss causes can include:
- Ransomware – where software installed on your system can encrypt your data until a ransom is paid.
- Viruses – malicious software that can corrupt your data files.
- Data corruption due to malfunction.
- Deleted by a user either accidentally or intentionally.
Backup and disaster recovery
In order to prevent such data loss from happening and months and months of work being irretrievably lost, regular data backup is key. Backing up your data, preferably on an external server, can help with:
- Continued business – should you be the victim of data loss, a cyberattack or a natural disaster, your backup enables you to continue trading.
- Ransomware attacks – cybercriminals infect your network with ransomware which can encrypt your data and they then demand money in order to retrieve it. With a backup, it is possible to retrieve your data safely with no financial loss effectively cutting out the criminal.
Regular backup of data should be part of a wider disaster recovery plan. However, according to Dynamic Technologies’ research, more than 75% of small businesses don’t have one. This means that if they are the target of ransomware or suffer the loss of data they may have to start again from scratch – essentially threatening the viability of the business.
A disaster recovery plan should include:
- A disaster risk assessment of what is likely to go wrong, with a plan to manage it.
- A data backup which is checked regularly.
- Identifying hardware, software and resources critical to the running of the business.
- Data continuity checks, meaning being aware of everything your organisation needs in order to run smoothly.
- A communication plan so everyone is aware of the role they should be playing, who needs to be contacted and what needs to be done to speed up recovery.
- Regular testing of the plan to ensure functionality.
Essentially, a disaster recovery team should be in place to ensure that should a problem occur everyone knows what they should be doing in order to speed up the recovery of data and limit the amount of downtime.
How to prevent data loss
Although the reasons for data loss cover crime, malfunction, and user error there are still some easy things you can implement to prevent business data loss through improving the cybersecurity processes you have in place. These can include:
- Installing a firewall.
- Installing up to date anti-virus, anti-malware, anti-ransomware, anti-spyware, and anti-hacking software.
- Keeping all software and operating systems up to date.
- Ensuring all staff use complex passwords.
- Ensuring multi-factor authentication is in place.
- Ensuring vital data can’t be deleted by unauthorised staff.
- Training staff on security measures.
- Ensuring all data is backed up regularly.
- Preparing a rigorous disaster recovery plan.
Of course, it is not possible to totally eliminate the risk of data loss, but by ensuring systems are robust and maintained, such a risk can be severely reduced.
One of the most frequent causes of data loss is accidental overwrite or deletion by a person. Ideally, the backup strategy will be frequent enough to manage such changes in data, picking up any changes so that lost data over time can be recovered. Human error can also refer to the transmission of data to unauthorised locations by accident. While this is not a ‘data loss’ in terms of its availability to the users, it is counted as a breach in terms of GDPR, due to the unauthorised ‘loss of data’ outside the company and its responsibilities to take care of its storage.
This is where technologies such as DLP (Data Loss Prevention) can be added to modern firewalls and antivirus systems. Such technology can pick up on sensitive data such as:
- Credit Cards
- Phone numbers
- NI numbers
- Bank Account details
Passwords can be detected and blocked by electronic policy to ensure that any human action – malicious or otherwise – is stopped in its tracks.
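To show how such a policy recognises sensitive data, here is an added example (not taken from any DLP product) that scans outbound text for two of the listed types: payment card numbers, confirmed with the Luhn checksum to cut false positives, and UK NI numbers by format. The patterns, function names and sample message are constructed for illustration.

```python
import re

# 13-19 digits, optionally separated by spaces or hyphens (candidate card numbers).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# UK NI number format: two prefix letters (some letters and pairs are never
# issued), six digits, and a suffix letter A-D.
NINO_RE = re.compile(
    r"\b(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]"
    r" ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b", re.IGNORECASE)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan(text: str) -> list[tuple[str, str]]:
    """Return (kind, matched_text) for each sensitive item found."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append(("card", m.group()))
    for m in NINO_RE.finditer(text):
        findings.append(("ni_number", m.group()))
    return findings

def outbound_allowed(text: str) -> bool:
    """Policy decision: block the transmission if anything sensitive is found."""
    return not scan(text)

def redact(text: str) -> str:
    """Alternative policy: let the message through with the findings masked."""
    for kind, value in scan(text):
        text = text.replace(value, f"[{kind} removed]")
    return text

# Constructed sample: a well-known test card number, a made-up NI number,
# and an order reference that looks like a card but fails the Luhn check.
SAMPLE = ("Hi, card 4111 1111 1111 1111 exp 01/30, NI AB 12 34 56 C. "
          "Order ref 1234 5678 9012 3456.")

if __name__ == "__main__":
    print(scan(SAMPLE))
    print(redact(SAMPLE))
```

The order reference passes through untouched because it fails the checksum, which is why format matching alone is a poor basis for a blocking rule.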
Modern cyber criminals are increasingly creating bespoke virus and malware technology to encrypt and hold businesses to ransom. From the moment that the “ransomware” takes hold, data loss is immediate and can lead to total destruction if significant money is not paid (and even then, that may not ultimately resolve the situation).
A far better solution would be to ensure that there is a near-real-time backup solution which is kept electronically separate from the central systems. This ensures company data is updated continuously, and impervious to any ransomware attack.
Hard drive changes/formats
Over time, computers are upgraded, and typically, hard drives are replaced with modern Solid State Drives (SSD) and/or larger capacities. When this occurs, a proper migration of data must be completed. A fully secure destruction of the redundant hard drive should also be carried out. If it is not done correctly, data can be extracted, and potentially confidential documents could be recovered. Many companies permanently retain old hard drives for five years to ensure that data is not lost and subsequently shred the hard drive into scrap metal for environmental recycling.
Although natural disasters are rarely predictable, certain places in the world will have a higher risk associated with them due to their geography. This could refer to:
- Water damage
- Fire damage
- Physical damage from landslides/earthquakes
Natural disasters could not only destroy equipment, but access to data could be limited or impossible, due to the files being damaged beyond use.
Planning for natural disasters is a part of the disaster recovery planning process, as this ensures that multiple real-time copies of data are kept geographically apart. This also ensures that backup systems are not co-located with the systems they back up.
Even in areas that are unlikely to suffer a natural disaster, there is always the possibility of local issues, such as:
- Chemical spills requiring compulsory evacuation
- Mains power failure
- Terrorist threat
- Civil unrest
Such occurrences could mean that local access to data or backup systems becomes problematic.
Planning out such scenarios is core to the backup & disaster recovery plan for businesses.
Sometimes, data loss occurs because changes in software systems can contain bugs or inadvertent behaviours that are out of the control or management of the systems' users. Businesses are totally dependent on the software vendors having a testing scheme that includes a quality check of updates and releases to ensure that data is not lost. Lost data by vendors, mainly where that is a cloud-based technology, is much harder to recover from. This is because the management and recovery process of that data is typically outside your own business management. A simple solution to prevent such problems is ensuring that the vendor has a clear and appropriate backup and recovery plan that is both tested and robust.
As far as GDPR is concerned, any data shared externally with third-party providers are still the responsibility of the business that shared it. That business will need to ensure that there is an appropriate security technology to protect from data loss. Whether this is protection from deletion, unauthorised change, or accidental disclosure, the responsibility still lies with the business source.
There are a significant number of risks that can compromise the data of a business. The business can manage many of these risks in question, and most, if not all, can be mitigated with modern technology and systems. The budget, design and implementation of such systems will be the greatest challenge to data loss prevention. Still, by recognising these risks, a business can plan and put in place an appropriate recovery plan.
Data Loss Prevention planning can ensure that backup recovery procedures are:
With the loss of reputation and trust from customers and suppliers, businesses need to consider data loss within their overall strategy. By taking the appropriate precautions, companies can rest assured that should data loss occur, it won’t result in a potentially devastating interruption to core business operations.
For more information about our data backup and recovery services, and how CIS can help your business, contact us today, or head to our blog.