Data protection - Protect and Survive.

The debate over data security has moved on over the past few years.

Not long ago, for example, intrusions from hackers were seen as the greatest threat to business data security. But while hackers undoubtedly pose a threat, unless your data comprises information that has a monetary value, such as credit card details, there’s little point stealing it – which isn’t to say that ‘information leakage’ doesn’t occur. It does, but the culprits are more often than not employees past and present.

Not only do employees have better access to their employer’s data, they also have a greater understanding of its value, says Andy Clark, director of Inforenz, a Horley-based information forensics consultancy. Sometimes, he says, the clues when data has been stolen are fairly obvious; for example, when an employee starts living a lifestyle more lavish than their salary can accommodate.

Employees departing to another organisation, too, are sometimes tempted to take along details of, for example, customers, contracts and prices.

Digital fingerprints left on employee desktops leave traces of the crime, he says, but a better tactic is to ‘salt’ data with dummy records so that leakage is obvious. “Salting is simple and effective, but not enough companies are doing it,” says Clark.

Simon Perry, vice president of security strategy at Datchet-based software conglomerate Computer Associates, agrees. “Malicious threats from outside may be the most (highlighted) threat in the media, but they aren’t the threats that incur the greatest financial loss,” he says. “Hackers aren’t as big a problem as inappropriately-curious employees. IT employees are particularly at risk because of the greater access rights they have.”

And many organisations continue to grant access rights to former employees.

A survey jointly published in March 2003 by Novell Worldwide Services, Stanford University and Hong Kong University of Science and Technology found that 43% of companies took more than two days to revoke the access rights of departed employees and that 15% took more than two weeks. Incredibly, some businesses never revoked access rights at all.

But not British Telecom, explains Andy Hodgson, vice president of security at BT’s global services division, where the manager of every departing employee must complete a detailed termination checklist. “It makes sure the employee hands in items such as their identity card and building pass, and that their system access rights are rescinded,” he says.

But what if the threat comes from staff who still work for the company?

Hamish Macarthur, chief executive and founder of data storage analysts Macarthur Stroud International, says an increasing number of businesses perform background checks on IT administrators and other employees who guard critical data. But even better, he says, is a policy of consolidation – not having data scattered higgledy-piggledy on a whole range of servers, but pooled together onto as few servers as possible. “Consolidating the data not only means you can manage it better and more cost-effectively in terms of making it available to users, but you can also protect it more effectively,” he says. “In addition, having it centralised means it’s easier to back up during the day rather than relying on backups after the close of the business day.” Live data may be corrupted by a disgruntled employee, but backed up data can’t.

Increasingly, there’s a sense that traditional tape-driven backup isn’t enough. The problem is that, despite advances in tape data-writing speeds, large organisations often find that backing up data stretches well into the night: backups of 12-to-18 hours are not uncommon for some companies, says Macarthur. And backing up on to tape is not as secure as many believe.

For example, a backup tape held in an adjacent building might not survive a terrorist attack. In addition, tapes are slow to restore: a tape backup that takes, say, 12 hours to write is going to take 12 hours to read.

Even so, tape backup is cheap and reliable, especially if managed intelligently.

Jason Stothard, head of IT at Leeds and London-based healthcare professional indemnity insurer Medical Protection Society, has a policy of avoiding ‘incremental’ backups, backing only the data that has changed. “We do a full backup every night so we don’t have to apply a sequence of tapes in the correct order in the event of restoration. It’s just one backup at a point in time.”

During the day, server-to-server backups protect against server failure. Even so, says Stothard, his organisation is contemplating an alternative, such as using third-party backup specialists, which have seen the present levels of security threats and tougher regulatory requirements deliver something of a boom.

Barry Chernoff, a senior partner at Ilford law firm Davis Grant, for example, makes use of a backup service from Reading-based Attix5. With one office, three servers and 30 workstations, the requirement was for something effective and reliable – not something that would replace the firm’s tape backups, but augment them. “It’s Sod’s Law. You try to restore from a tape and there’s a problem. The tape has become damaged, the backup didn’t work, or you can’t find the tape,” he says. What’s more, apart from the cost of storage at Attix5, there’s no transmission charge. The data is backed up over ADSL overnight.

Nor is third-party backup storage particularly expensive, even for larger businesses. Gavin Smith, chief executive of Guildford-based DataFort, reckons it would cost a company with between 50 and 100 workstations a total of £200 per month to back up their data on to DataFort’s twin data centres in Canary Wharf and Woking. “£2,400 a year isn’t a lot to pay for peace of mind,” he says. Even for a company with a thousand workstations, the annual cost is just £7,200.

Certainly, the cost seems reasonable to Luca Celati, director of London-based Abraxis Capital Management, an FSA-regulated hedge fund, which backs up its data every night to DataFort over the internet. About four gigabytes is archived every night, he says, which is encrypted first, compressing down to about 25% of the original size.

It’s even possible to insure against data loss. Harry Croydon, chief executive of London-based Safeonline, a Lloyd’s insurance broker, explains that in the event of an incident, Safeonline sends along a data recovery team to see if the data can be recovered. If not, the company pays for the cost of recreating it from hard copies or original documents.

“Security is all about managing risk and paying for enough security provision to manage the risk at an acceptable level,” says Bill Pepper, head of security risk management at computer services giant CSC. “But it’s a business assessment,” he warns, “not an IT assessment. The risk is to the business.”