CHICAGO — The United States has seen so many hurricanes this season that experts have run through the alphabetical naming convention and are using the Greek alphabet to identify the remaining storms. Meanwhile, wild fires continue to burn along the West Coast and beyond as climate change threatens further natural disasters in the future.
Hurricanes and fires might not be the first images that come to mind when building a cybersecurity system, but their potential to adversely affect a company’s data is very real. So said Doug Braun, director of product marketing for Infrascale, a cybersecurity firm which specializes in data recovery.
Before data can be properly secured, Braun said retailers need to thoroughly assess their existing data landscape and determine the scope of their security needs. “The first rule of data protection is to know all about the ecosystem of the data you are protecting,” said Braun. This process is more than knowing what data an organization has and its physical location. Properly assessing a data landscape also includes knowing how the data is used, with what frequency and by whom. Having this information handy will make any backup or security plan more comprehensive and effective.
Location, Location, Location
It’s important that retailers not put all of their data in one location, Braun said. “Ideally, these locations should be in two separate geographies,” he said. “For example, if your business is in an earthquake zone, consider putting your data backup outside that zone.”
With this in mind, Braun said, it’s important to remember that a company’s data exists both inside and outside of its walls. Especially today with many office employees working from home due to COVID-19, retailers should be aware of the physical location of their data and should put safeguards in place to protect it. “Appropriately identifying data location will enable you to understand how best to institute the appropriate protections—such as encryption, multifactor authentication, and endpoint detection and response—to safeguard it,” said Braun.
The cloud is another potentially effective place to store data, said Braun. “You can rely entirely on the cloud for disaster recovery, or you can keep your spin-up capabilities local and the backup only in the cloud,” he said. To be clear, anything uploaded to the cloud exists on a physical server somewhere. Retailers should ask their data storage provider where those servers are located if they plan on keeping important data on the cloud.
Beyond natural disasters, even the safest data centers can be compromised due to a careless or untrained staff. Braun pointed to a 2020 Verizon data breach investigation report that says that 34% of data breaches involve internal actors such as employees.
“Educating your end users how to identify, avoid and report data threats is the most important opportunity an organization has to protect its data,” said Braun. Specifically, employees should know what malware, ransomware and phishing threats look like. They should know who to report to when they find these digital intrusions and they should be aware of any data backup or recovery plans the company has in place.
The truth is cybersecurity threats are tragically common. An Infrascale survey from April reports that ransomware attacks have hit 46% of small and medium businesses, and that 73% of the businesses that were targeted by ransomware paid the ransom to regain access to their data.
“Effective cyberattacks can cause small and medium-size businesses to go out of business,” said Braun. “Beyond the financial implications, there is the threat of data loss, or theft, as the case may be. Any size business without its critical data can’t function properly. That’s where data backup and disaster recovery protection come into play.”
In addition to slowing down operational efficiency, losing data to natural disasters, bad actors or mistakes can be incredibly costly. Research from IBM and the Ponemon Institute’s The Cost of Insider Threats Global Report 2020 found that companies with fewer than 500 employees spend an average of just under $8 million per incident.
To avoid such costs, Braun encouraged retailers to develop a playbook of processes invoking backup and disaster recovery services. He said retailers should establish their recovery point objective (RPO) and acceptable recovery time objective (RTO) when considering strategies to restore lost data.
RPO is the maximum period of time allowed in which data might be lost and unrecoverable—think time between backups. RTO is the maximum period of time allowed in a disaster recovery plan between when critical network functions cease and when they are restored.
Finally, Braun suggested retailers put their data defense and recovery plans to the test to ensure they properly safeguard their digital assets. “This approach will help you iron out any wrinkles related to data disaster recovery,” said Braun. Retailers can simulate natural disasters or data breaches internally to see how quickly and effectively their systems and employees respond.
Retailers may not be able to control the weather around them or the actions of bad online actors, but they can control how their systems and staff respond to an emergency when it matters most.