
Storage Networking Times

Issue 7, January 2008


   

Analyst Briefing: Counting the Cost of Losing Data
Hamish Macarthur, CEO and Co-founder, Macarthur Stroud International, hamish.macarthur@macarthurstroud.com

The Value of Information

The value of information is being realised and affecting everyone across the world. The impact of the sub-prime market shows that financial deals are done where buyers are not fully aware or informed of their liabilities. The packaging of debt through different financial vehicles has resulted in the global financial markets having to re-evaluate their risks and liabilities, after the event.

Similarly in the UK, the government has been plagued with incident after incident of lost data: the loss of 25 million personal records relating to child benefit, the loss of a disk drive containing 3 million new drivers’ records and the loss of 6,500 pension records from a pension company to the tax authorities. The care and attention with which personal and corporate data is maintained is under public, corporate and legal scrutiny.

Understandably, organisations do not wish to admit to any weaknesses in their systems and processes. But unless companies take a closer look at their systems and processes, the risks that are being run can be significant, with more examples of lost data coming to public attention.

From research carried out by Macarthur Stroud International, we know that CIOs and system administrators recognise that public awareness of data loss can affect their business. The evolving regulations mean that persons can now be prosecuted for poor information governance. After all, it is a reflection of the accepted standards of corporate governance. In addition, individuals are recognising that if they are seen to be responsible for such occurrences of data loss, they will lose the respect of their peers, they will have difficulty in progressing their careers and they will experience difficulties in finding a suitable role in a new company.

Risks from Within

The greatest risk of fraud has always been from within an organisation, yet the focus of attention is consistently on keeping wrong-doers out. Losing data on a disk or tape and then announcing that there is no likelihood of it falling into the wrong hands, because it must be somewhere in the organisation, does not instil any confidence that there is no risk. With ever increasing volumes of digital data being stored on systems across the world, in different jurisdictions, the onus on businesses and the Chief Information Officer is ever increasing to ensure that the information assets of an organisation and the associated personal data are absolutely secure and safe. This relates to both current application data and archive data.

The cost of implementing new procedures is invariably given as one reason for not reviewing the risks. “Are the risks real?” and “It will not happen to me” are other such thoughts. But it is the law of the unexpected that will always catch each and every one of us out. Therefore, the issue is: what is the cost of taking no action?

The challenges are increasing. With the growth of mobile computing and the reach of customers into online systems, the firewall boundary is becoming blurred. Virtualisation will deliver ever increasing benefits, but the way information is being processed and managed must be clearly understood.

Need to Develop Information Security Policies and Practices

Users need to recognise that they must develop a total set of Information Security Policies and Practices. This must take into account firewalls, antivirus, identity management, data protection and system management. Following ITIL, COBIT or ISO 17799 guidelines can assist in the steps to be taken. But these have to be actioned and implemented.

The identity management, antivirus and firewall considerations must come further into the network, not just left on the periphery. Applications accessing data resources need to follow accepted routes. If the requests are coming from unknown routes within the firewall, does this mean that the requesting applications are all approved?

Logging activities and requests to produce a comprehensive audit trail becomes more important for all activities across the network. This relates to system changes, software updates and data movement as well as to application processes.

Data protection practices are designed to keep systems operational. The trend to using disk-based backups means that there are many images of data on disk drives as well as on tapes. Encrypting all these data images needs to be carefully considered. This spans the ever increasing volumes of archive data which must be maintained for legal, regulatory, contractual or corporate governance reasons.

Understanding how the system resources are being used, where the information is resident and what elements of the system are redundant are important steps in the process. This contributes to better information management as well as contributing to better utilisation of power, cooling, office space and cost containment.

And when it comes to archived information, can it clearly be proven that it has not changed or been tampered with since it was created? Such forensic considerations become important if put to the test by courts of law or regulators some time in the future.

Loss of Information Could Cost You Dearly

Embarking on this journey to secure the system operations and information assets will mitigate risks for each and every organisation. Recognising that there are risks is the first step, followed by identifying possible weaknesses, completing an appropriate risk assessment and identifying the necessary actions. Implementing appropriate solutions will help organisations to minimise embarrassing information management practices being exposed to the gaze of television and the press.

Information has a value. Respect this and protect the data. Otherwise, loss of information could cost you dearly.
