Violations, more often than not, are the acts of a company's own employees; Mother Nature is a very different kind of external threat.
From the October 2004 issue of CRM magazine.
Do you have any idea what your customer data is worth? Have you ever considered what would happen if you lost it all?
Data, according to Wayne Eckerson, director of research at The Data Warehousing Institute, is like the blood pumping through any company's body: "You've got to keep it flowing, you can't let it bleed, and you can't let it get infected." Unfortunately, he says, "companies only ever learn this the hard way."
Some companies have learned harder than others. Data specialist Acxiom, for one, suffered a significant black eye when a pair of data thefts from its servers drew the attention of federal authorities. According to court documents, hackers stole information on millions of individuals, resulting in losses of about $8.5 million.
No one soon forgets a seven-digit lesson. When the story broke, Acxiom stated that it was taking steps to reinforce security, offering a kind of road map other companies might want to follow--or insist that their vendors use.
According to Alan Canton, president of software provider Adams-Blake, the problem isn't a lack of technology. "We've got encryption up the wazoo: We've got challenge/response. We've got sniffers, and black-lists, and tracers, and whatever the tool of the day is." Today there is a need for security on multiple levels--database, network, application, and even user.
Eckerson says the first step is to understand the value of data to your company. "You have to treat it like an asset just like any other," he says. "Two percent of our assets are in cash, and 98 percent of them are in data," a bank executive once told him. "We ought to protect that as much as we protect the cash."
Violations, more often than not, are the acts of a company's own employees--or, as in Acxiom's case, a business partner. Eckerson says that as a result, "internal controls have to be just as tight as or tighter than external controls."
Mother Nature is a very different kind of external threat. The U.S. Small Business Administration predicts that every state will suffer a national disaster in the next two years, yet disaster recovery "hasn't really been a hot-button item with data warehousing people," Eckerson says.
Keith Powell, senior manager in the retail solutions unit of consultancy BearingPoint, says that securing data from theft can also provide protection for disaster recovery. "Doing a number of things on the security side also helps protect you on the disaster side. In a security sense I'm going to keep all my data on a network instead of different servers, but...data that's centrally located also happens to be easier to protect. In order to be fully secure, you have to be fully redundant, [which] works out for disaster recovery, as well."
The scope of data loss can vary, and companies have to cover all bases. Scott Jarr, director of product management for online backup-and-recovery provider LiveVault, says that 87 percent of incidents "are because of file-level human error, but processes also have to recover from system- and site-level errors."
In recovering data, Jarr says there are two considerations: recovery time objective (the time it will take to restore operations) and recovery point objective (the amount of missing data you can restore). He notes that data should be prioritized according to its criticality to the enterprise.
Eckerson says the perspective is slowly changing. Data warehousers "are applying much more rigor [now]--especially in the maintenance of these systems." He sees a growing focus on "managing users and backing up and restoring and archiving--the way we used to do in the mainframe world."
Whatever the safeguards, the loss of data will continue to be a concern. Eckerson says he's sure we'll see another spike in data protection soon enough--"right after the next earthquake or natural disaster."
10 Steps to Secure and Protect Data
1. Appoint a chief security officer.
2. Centralize data in a single system, and ensure that backups are in place. Move your backup data to an off-site third party--at least 1,000 miles away.
3. Develop and regularly review a comprehensive security strategy, including analyzing your ability to recover from different levels of loss.
4. Improve your intrusion-detection, vulnerability-scanning, and encryption systems.
5. Test frequently--at least once a week, and a full disaster-recovery drill once a year. This should include double-checking data-transmission capability.
6. Conduct internal and external audits to enhance standard data-protection practices, as well as to communicate with clients and partners to ensure continuous improvement of data-protection strategies.
7. Upgrade your physical plant: video surveillance, perimeter security, code or card access to secure environments, etc.
8. Maintain stringent internal procedures, such as audit trails.
9. Conduct background checks of employees and contractors.
10. Turn to an expert when disaster strikes.