The value of a business is in its data. Avoid unforeseen pitfalls.
Data security is oftentimes overlooked “until suddenly” the inevitable breach or failure occurs. Without a Technical Manager on staff, your risk of breach or failure is much higher. A Technical Manager is a person with excellent technical skills, one who understands the systems, their moving parts, processes and intricacies so well that he or she can actually fix many of the problems as they occur. In fact, some Technical Managers have such strong skills that they can see the signs before the trouble arises and can step in with immediate, effective and timely preventive measures. They are the ones who keep an ear on the track and are the first to know when a train is coming.
Bryan Franz, Special Agent, FBI Cyber Squad, once said: “Small or growing companies are the most vulnerable to data breaches.” We have firewalls put in by local vendors, and software, servers and networks installed and configured by others. This is a fantastic quick start; however, the minimal IT staff we have oftentimes become operators and not integrators or maintainers. In the event we haven’t been able to hire an IT person, our staff ends up not doing what they were hired for, resulting in projects dragging on, sometimes for years. Then we are forced to react rather than respond decisively when IT problems arise.
I have been on the ground floor, “the go-to technical person” who built the foundational computing infrastructure for several large businesses. In each case I was able to see it mature into a secure, managed physical network of distributed data storage with industry-standard policies, processes and practices that are still in operation today. These best-practice processes and policies are being reviewed and modified regularly by the current data managers, adapting to everyday changes. This is the way a healthy managed IT department should be. We do not govern by policy but operate as if these processes were part of our DNA. This is the only way to keep ahead of today’s exponentially expanding technology threats and avoid unforeseen pitfalls.
Your key asset is a Technical Manager whose mission is to protect your data. The value of a business is in its data. You already know this if your data management is dictated by governmental and/or other external regulations. IT best practices always meet or exceed those of most governing authorities.
If your data management practices have not been defined and periodically refined, my initial risk assessment of these three key areas of concern is HIGH RISK:
- Product information, including designs, plans, patent applications, source code, and drawings.
- Financial information, including market assessments and your company’s own financial records.
- Customer information, including confidential information you hold on behalf of customers or clients.
An in-depth risk assessment identifies and assesses the risk your IT staff intends to manage. This is very important in that it helps us see the unique risks your organization faces. It helps with decisions on appropriate ways to manage technology by prioritizing and choosing cost-effective countermeasures.
Remember, we can only minimize, not eliminate, risk. However, identifying these areas enables us to respond to threats in an organized, decisive manner. Here is a short list of threats you may be able to identify with.
- Physical loss of data. You may lose immediate access to your data for reasons ranging from floods to loss of electric power. Subtle reasons like disk or electronic component failure may also occur. Some have dropped their USB drive at the airport. Last month, at a small business, an adjacent toilet water feed broke and water came under the wall into the closet where the server and electronics sat on the floor.
- Unauthorized access to your data. If you have confidential information from clients or customers, you’re often contractually obliged to protect that data as if it were your own. Have you ever gone back to the store after hours because you were not sure the front door was locked or who set the alarm?
- Interception of data in transit. Risks include data transmitted between company sites, or between the company and employees, vendors, and contractors at home or other locations. Ever forget your notebook at the restaurant? Does your email need to be encrypted?
- Is your data beyond your control? Do you share your data with others, in clouds or through email? Did you know one of Edward Snowden’s primary privacy tips is to “Get rid of Dropbox”?
- What protects your data when it is outside your building? Is someone externally managing your web sites? Do you have a remote office? Are they secure?
- Data corruption comes in two forms. Intentional corruption modifies data, devices, or a physical door or lock so it is accessible to hackers. Unintentional corruption may be due to a software or human error that overwrites valid data or leaves it exposed. Viruses and employees, both current and former, are the number one sources of information leakage.
Policies and procedures help us decide what we do about these risks. They are an attempt to satisfy compliance. These are good to have, but we typically put the cart before the horse in that we establish policies without first identifying the risks. We fail when IT policy is looked to as a band-aid for the lack of preparedness and we put policy before practice.
In aviation, pilots are trained to “know their plane”. There are pre-flight checks and periodic training available to learn what opportunities one has to survive an event such as weather, an uncontrolled spin or component failure. This training and these procedures are mandatory, with your safety and wellbeing in mind. Refresher courses or actual hours in the seat are also needed to keep your pilot license current. Just as a flight instructor does simulated engine failures in all phases of flight, so should a Technical Manager know and test his or her Information Technology systems and processes on a regular basis.
Typically, the last thing companies do is give importance to an Information Technology disaster recovery plan or, as some call it, a Business Continuity Plan. When asked, the answer oftentimes is: “Yes, we have one here somewhere”; or, if reviewed, the plan is not complete, current or up to date. What just happened to your data security? This plan, along with regular audits, revisions and testing, allows us as an organization to respond rather than react to risks.
Information Technology is the flight instructor; the individual department directors are the pilots. Our job is to help them organize a complete flight plan and be prepared before an event occurs.
“It is always good to have a plan. Don’t be forced to react; rather, respond decisively when problems arise and avoid the pitfalls.”