Your Role in Keeping Company Data Safe
Unless you are an IT professional, you’re probably unfamiliar with the detailed ins and outs of how technology systems operate. But in this technology-based modern age, it’s critical that all employees understand their role in protecting data.
Ninety-three percent of companies that lost their data for 10 days or more filed for bankruptcy within a year of the disaster (Schraeder, 2004). Armed with a little know-how, you can help your business avoid being part of that unfortunate demographic. Here’s a short list of what you need to be doing now:
Don’t assume your data is backed up.
According to a Small Business Trends report, 58% of businesses have no backup plan for data loss. What’s more, there’s often a large disconnect between what IT is actually doing to protect data and what operations personnel believe is being done.
We recently received a hard drive from an independent mortgage lender that needed help recovering a key employee’s data. The user had been saving critical company documents to their desktop for nearly a decade, even though the company recommended using an online storage product such as Box, OneDrive or G Suite paired with a Cloud Access Security Broker (CASB), which the IT team backed up. Because the user did not follow the standard procedure, what could have been a couple of additional dollars a month in backup costs turned into dozens of hours of manually scraping the drive for remnants of lost documents.
It’s actually quite common to find that not all data in a business is backed up. While companies will often have policies on where to save and store data, employees rarely ensure that 100% of data gets to those target locations. Instead, data is often saved all over the place: on server shares, on users’ desktops or in their downloads folders, in software (e.g. Loan Vision), in Dropbox, email mailboxes, chat programs, etc. All organizations have limits on time, staff, and budget that keep them from backing up all data. While IT staff will attempt to identify what needs to be backed up and protect the data as they see best, unless the data has been clearly identified and communicated to IT staff, you should always assume it’s not being backed up. Do yourself a favor and start the dialog with your IT staff today. You may be shocked by how the reality of backups differs from what you thought was happening.
Not all backups are the same.
You’ve taken the first step by talking with your IT team and identifying critical data and any gaps in data being backed up. This is a great start on your journey to data resiliency. The next step in maturing your data backup strategy is to dig deeper to understand how data is backed up and how a disaster would impact you.
For example, we were contacted by a company in the financial industry whose in-house IT professional said backups were being created, but when disaster struck, the needed documents could not be recovered. To IT’s credit, they did have working backups, but to save on costs, backups were only kept for a week before the tape was erased and reused. When some of the staff accidentally deleted files and waited three weeks before reporting it to IT, the missing files were no longer accessible.
There’s a finite amount of storage for backups and a cost associated with keeping historical backups. IT departments often make assumptions about adequate backup retention without properly communicating with the users, and users often are unaware of IT’s backup retention policies.
While talking with your IT department about backup retention, get clear on how frequently data is being backed up. If backups are taken nightly at 10:00 PM and your data gets corrupted at 4:00 PM, how much effort would it take to re-create the day’s work? Do nightly backups make sense, or do you need hourly backups?
To be clear, having good working backups doesn’t mean you can go back to any point in time to recover data indefinitely. There is a risk/benefit trade-off that should be discussed with IT and leadership. While each business will have different needs, we find the 3-2-1 strategy to be a good baseline.
3 – Keep at least three copies of your data. That includes the original copy, plus at least two backups. You never know when a backup will become corrupted. Ask your team, “Where do we keep copies of our data?”
2 – Keep the backup copies on at least two different storage types. For example, one copy can be in the cloud while the other copy is on an encrypted USB drive. Ask your team, “What types of storage do we use for backups?” The last thing you want to hear is that your backups are stored on the same hard drive as the original copy.
1 – Keep at least one copy of the data on-site and one off-site. On-site backups are quick for recovery while the off-site copy is used for disasters when the on-site systems are inaccessible. You’ll want to make sure the off-site backup is at least 200 miles away from the original source or further if a natural disaster could reasonably impact both locations at once. Ask your team, “Where are on-site and off-site backups stored?” This is especially important if you have a single office or work remotely.
Test your backups.
Once you get to a point where you’re on the same page with your IT department on identifying critical data, the frequency with which backups are taken, and how long backups are stored, you need to work with your team on testing the backups. When’s the last time your backups were tested?
According to Gartner, only 28% of disaster recovery tests were considered successful, with service levels met. A lot can go wrong, and it’s important to validate backup plans. It’s better to discover gaps in your backup strategy when testing rather than through a real-world incident.
You’ll need to communicate with your IT department and leadership to determine the method and frequency of testing, but at a minimum, quarterly testing is recommended.
Be involved with the testing. If your IT team does the backup and disaster recovery testing alone, they’ll recover data they think you need, which isn’t realistic. Run a tabletop exercise with IT using scenarios that come from you. For example, role-play:
“I got ransomware and need everything that was in my Pictures folder.”
“I accidentally deleted everything on my desktop.”
“I spilled coffee on my laptop and it won’t turn on.”
Keep track of the following during the tests:
Start date/time of incident
End date/time data was recovered
Total time of recovery (start-to-end)
Was any data missing?
How long would it take to re-create missing data?
Was any data not backed up?
What could be improved?
What costs were involved in the downtime (idle time, reputation, etc.)?
Use the above information to improve the process. Continue to work with IT and leadership until you get the process right. If you need help with getting it right, you can bring in an experienced consultant to assist.
Schraeder, J. (2004). Served-Based Computing – Old Concepts Meets New Technology. Retrieved on March 13, 2019 from http://188.8.131.52/7_2004_focus/f_14.shtml
Bose, Shubhomita. 58 Percent of Small Businesses Not Prepared For Data Loss (infographic). https://smallbiztrends.com/2017/04/not-prepared-for-data-loss.html
About the Author
Michael Wylie, MBA, CISSP is the Director of Cybersecurity Services at Richey May Technology Solutions. In his role, Michael is responsible for delivering information assurance by means of vulnerability assessments, cloud security, penetration tests, risk management, and training. Michael has developed and taught numerous courses for the U.S. Department of Defense, Moorpark College, California State Universities, and for clients around the world. Michael is the winner of the SANS Continuous Monitoring and Security Operations challenge coin and holds the following credentials: CISSP, CCNA R&S, CCNA CyberOps, GPEN, TPN, CEH, CEI, VCP-DCV, CHPA, PenTest+, Security+, Project+, and more. Twitter: @TheMikeWylie.