Thursday, July 29, 2010
Check out our Data Protection section for more information or to find companies that provide these services.
Increasingly sophisticated technology is making it harder to protect data, and the costs of data loss/theft keep going up. Businesses have to use many kinds of technology to create a layered security model to protect data; but effective security is more than firewalls and virus detection, and it has to support the corporate vision.
Here's an example: I worked with a healthcare provider that relies on visiting clinicians. Management and staff agree patient care is the primary goal, but IT was so concerned about security breaches that people couldn't do their jobs. Access to even basic technology like e-mail was heavily restricted.
Restrictive technology and processes actually made the healthcare provider more vulnerable. It forced employees to keep logs and paper copies of patient information, opening the door for HIPAA violations. Failing to thoroughly research and address potential threats individually not only endangered patient privacy, it endangered the entire business.
Internal Threats
The healthcare provider was right on one point: insiders pose the greatest danger to data, whether through willful misconduct, incompetence, or simple error. Potentially devastating HIPAA violations, such as the unauthorized viewing of a celebrity's medical record, are generally committed by employees who, in other circumstances, might legitimately have needed fast access to that same record to provide care. That is why a blanket lockdown does not work: the access has to be granted, limited to what the job needs, and watched.
How do you protect yourself against your employees without completely shutting them out? Part of the answer is policy and education, but you can also take advantage of technology. If you're not using document and information management software to store data that exists outside of your core business application, you're increasing your risk. Some documents do need to be physically stored onsite or offsite; document management systems can protect scanned images of documents for day-to-day reference. Natural disasters, the inability to know who looked at a file, and the possibility that a file can be lost/compromised when it leaves the filing room are real dangers of paper-based document management.
Here are some ways to protect electronic data:
- Implement role-based access so employees only see what they need to do their jobs. Then be ready to test and amend it.
- Select products with granular security capabilities. Users who can access a document don't necessarily need to print, e-mail, or change it.
- Maintain audit trails of electronic files, and keep the logs where the people they record cannot edit them. You'll know who opened a file and what they did with it, which lets you spot misuse (or at least identify the culprit) sooner.
- Adopt a password policy that requires long, complex passwords and rejects common choices. This stops a co-worker from guessing that a colleague's password is "password" or "12345" (two of the most common), and length is what raises the cost of an outside guessing attack. One caveat on the 2010 advice to force regular changes: NIST SP 800-63B now recommends against mandatory periodic rotation, because forced changes push users toward predictable variations; change a password when there is evidence of compromise and screen new ones against lists of known-breached passwords instead.
- Redact/encrypt sensitive data. Document management software can "black out" sensitive information (e.g., Social Security Number) when it is not relevant to a task and/or make sure it isn't visible to users who look at the keyword metadata.
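The five controls above fit together in a single small model: a role table that grants specific actions (default deny for anything not listed), a separate entitlement for seeing the Social Security Number, redaction of the SSN from both the document body and its keyword metadata for roles that lack that entitlement, and an audit trail that records every attempt, denied or not. The following is an added illustration written for this page, not code from the article or from any product it mentions; the role names, actions, user names and the patient record are constructed for the example.

```python
"""Document store with role-based, per-action permissions, SSN redaction,
and an audit trail. Added illustration; roles, actions and sample data are
assumed for the example and are not from the article."""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
import re

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
REDACTED = "XXX-XX-XXXX"

# Role -> actions allowed on patient documents (assumed roles). "view_ssn" is
# a separate entitlement, so a user can open a record without seeing the SSN.
# A role that is not listed here gets no actions at all (default deny).
ROLE_PERMISSIONS = {
    "clinician": {"view", "view_ssn", "edit"},
    "billing":   {"view", "view_ssn", "print"},
    "scheduler": {"view"},
}


@dataclass(frozen=True)
class Document:
    doc_id: str
    body: str
    keywords: tuple   # searchable metadata; must be redacted like the body


@dataclass(frozen=True)
class AuditEvent:
    when: str
    user: str
    role: str
    action: str
    doc_id: str
    allowed: bool


def redact(doc: Document) -> Document:
    """Return a copy with every SSN blacked out in body and keyword metadata."""
    return replace(
        doc,
        body=SSN_RE.sub(REDACTED, doc.body),
        keywords=tuple(SSN_RE.sub(REDACTED, k) for k in doc.keywords),
    )


class DocumentStore:
    def __init__(self):
        self._docs = {}
        self._audit = []

    def add(self, doc: Document) -> None:
        self._docs[doc.doc_id] = doc

    def _record(self, user, role, action, doc_id, allowed) -> None:
        self._audit.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user, role, action, doc_id, allowed))

    def access(self, user: str, role: str, action: str, doc_id: str) -> Document:
        """Authorise one action on one document. Every attempt is logged first,
        so a denied request leaves the same trace as an allowed one. A missing
        document is treated as a denial rather than revealing whether it exists."""
        granted = ROLE_PERMISSIONS.get(role, set())
        allowed = action in granted and doc_id in self._docs
        self._record(user, role, action, doc_id, allowed)
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not {action} {doc_id}")
        doc = self._docs[doc_id]
        return doc if "view_ssn" in granted else redact(doc)

    def audit_trail(self, doc_id: str) -> list:
        """Who did what to a document, in order: (user, action, allowed)."""
        return [(e.user, e.action, e.allowed) for e in self._audit if e.doc_id == doc_id]


def demo() -> tuple:
    """Constructed scenario: a clinician and a scheduler open the same record,
    then the scheduler tries to print it."""
    store = DocumentStore()
    store.add(Document(          # fictitious patient record
        "PT-1001",
        "Patient Jane Doe, SSN 123-45-6789, visit notes: BP 120/80.",
        ("Jane Doe", "123-45-6789", "hypertension"),
    ))
    clinician_view = store.access("rnsmith", "clinician", "view", "PT-1001")
    scheduler_view = store.access("tjones", "scheduler", "view", "PT-1001")
    try:
        store.access("tjones", "scheduler", "print", "PT-1001")
    except PermissionError:
        pass                      # expected: schedulers cannot print
    return clinician_view, scheduler_view, store.audit_trail("PT-1001")


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The point to notice is the order inside `access`: the attempt is written to the audit trail before the decision is enforced, so the log shows the scheduler's refused print request, not just the successful views. Redaction runs on the keyword metadata as well as the body, because a search index that still contains the SSN leaks it to everyone who can search.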
Data loss/compromise can result from human error and bad luck, like the stories on the news about lost/stolen laptops or backup tapes. Employees can forget to switch backup tapes, or make a network change that affects the backup integrity.
Since it's unrealistic to ban laptops, make them useless to a would-be data thief. A login password alone does nothing for a drive that has been pulled out of the machine, so pair it with full-disk encryption whose key is only unlocked at boot; better still, keep little or no data on the laptop in the first place. Software-as-a-service (SaaS) gives users Web-based access to an application and data that reside in an outsourced/hosted data center. Another option is virtualization: users log in over a secure connection (a VPN or TLS) to an application running in your own data center, and only screen output reaches the laptop.
If you outsource to a SaaS provider, they should be responsible for data backup and recovery, and the contract should say so. If you run an onsite data center, consider a data backup service; you can choose between companies that store physical backup media and online services that replicate your data to their data center. Either way, don't wait for an emergency to test your backup: a backup that has never been restored is an assumption, not a safeguard. Restore it yourself into a test environment, or have the service provider do it with you, and compare the restored files against the originals rather than just checking that the job finished.
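The restore test described above can be scripted so it runs on a schedule rather than when someone remembers. The following is an added example written for this page, not code from the article or from any backup product: it archives a directory, records a SHA-256 manifest of the originals, restores the archive into a scratch directory and reports every missing, changed or unexpected file. The directories and files are constructed when it runs; the damaged archive is simulated by truncating the real one, which is what a failed tape or an interrupted copy looks like in practice.

```python
"""Backup restore test: archive, record a SHA-256 manifest, restore into a
scratch directory and compare. Added illustration; all paths are temporary
directories created at run time and the sample files are constructed."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, archive: Path) -> dict:
    """Write a gzip tarball of source and return the manifest to verify against.
    The manifest must be stored separately from the archive it describes."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest(source)


def verify_restore(archive: Path, expected: dict) -> list:
    """Restore into a fresh directory and return every problem found.
    An empty list means the backup restored completely and byte-for-byte."""
    problems = []
    with tempfile.TemporaryDirectory() as tmp:
        restore_dir = Path(tmp)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(restore_dir, filter="data")
                except TypeError:        # Python without the 'filter' argument
                    tar.extractall(restore_dir)
        except (tarfile.TarError, OSError, EOFError) as exc:
            problems.append(f"restore failed: {exc}")
        restored = manifest(restore_dir)   # whatever did come back
        for rel, digest in expected.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"content mismatch: {rel}")
        for rel in restored.keys() - expected.keys():
            problems.append(f"unexpected file in restore: {rel}")
    return problems


def demo() -> tuple:
    """Back up a constructed directory and verify it, then verify a copy of
    the archive that has lost its second half. Returns (good, bad) problem lists."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "records").mkdir(parents=True)
        (src / "index.txt").write_text("patient index\n")          # constructed
        (src / "records" / "PT-1001.txt").write_text("visit notes\n")
        archive = Path(tmp) / "backup.tar.gz"
        expected = make_backup(src, archive)
        good = verify_restore(archive, expected)
        # Simulate a damaged tape or interrupted copy: keep only a prefix.
        damaged = Path(tmp) / "damaged.tar.gz"
        data = archive.read_bytes()
        damaged.write_bytes(data[: len(data) // 4])
        bad = verify_restore(damaged, expected)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("intact archive:", good or "OK")
    print("damaged archive:", bad)
```

Two design choices matter here. The comparison is against a manifest taken from the live files at backup time, not against the archive's own contents, so an archive that was written incomplete is caught rather than silently agreeing with itself. And the check keeps going after a restore error, so the report says which files are missing, not only that something failed.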
External Threats
Education is also needed to fight external threats because businesses simply can't be competitive if they don't let employees use technology. Workers have to know the warning signs of phishing scams and bogus websites because e-mail and internet security software alone is not enough. Protect data moving through your network with secure protocols, virtual private networks (VPNs), dedicated ports, and firewalls.
To protect stored data, some companies hide the network path to the file store so that users can't browse to it. Treat that as convenience, not protection: a hidden share is still reachable by anyone who learns or guesses the path, so the access permissions on the store itself have to do the real work. If the data is really sensitive or regulated by a standard such as PCI DSS (the payment card industry's security standard), the entire document repository can be encrypted at rest, with the keys held separately from the repository they protect.
If you're concerned about physical threats, outsourced data centers typically offer a higher level of security than most organizations can maintain on their own. Many look like a scene from Mission Impossible, with razor fences, motion detection, armed guards, and man-traps.
Business Continuity
Everything from natural disasters to simple server failure or a power outage can make data unavailable or result in data loss. Every company needs a business continuity strategy that prioritizes availability of mission-critical data in the event of an emergency.
To protect against hardware failures, many IT departments are weighing high availability options, ranging from mirroring the primary server to complex (and expensive) continuous data protection. What you need to spend depends on the amount of data you have, network resources, the urgency of maintaining real-time access, and your budget. Meanwhile, don't overlook simple things like good backup software, uninterruptible power supplies (UPSs), and data center cooling.
Outsourced services are a cost-effective way to maintain business continuity. A SaaS solution, for example, is available wherever users have Internet access. Generally, they have higher uptime and more geographically dispersed backup sites than individual businesses can afford.
An alternative to a fully outsourced data center is an outsourced hot site or warm site, where your data is replicated to a hosted data center. In a disaster, the replicated system is accessible on short notice. The difference between a hot site and a warm site is how closely the copy tracks production and how quickly it can take over: a hot site is kept running and current and can absorb users almost immediately, while a warm site has the hardware in place but its data is refreshed less often and needs time to be brought up to date. Price, of course, follows that difference.
When most people are asked how much of their data is mission-critical, they often say all of it—until they see the price tag. Take a close look at what you need to protect and why you need to protect it and prioritize your budget accordingly. Just don't forget why your organization exists in the first place.