Risk Part: Deuce!

It’s All About the Data!

Let’s talk about data. It’s okay, I think we know each other well enough. No need to be shy. First, everybody’s got data. And second, a lot of us are throwing data everywhere and to everybody! Sometimes you have to tell people to keep their data to themselves. This is not some sort of free-for-all!

But in all seriousness, the data is important. It’s the reason we even have networks and systems: To move data from one source to another, quickly, efficiently and securely.

Um, What’s Data?

So, what constitutes data? Well, it’s all data really. From emails to Word documents to client or customer information. Some types are more sensitive than others, but all of it is potentially important to the organization. There are usually a few different types of data. I’ll break down the most common here:

  • Communication – Organizations have multiple ways to communicate, whether it be in person, by email, instant message, virtual meetings, whatever.

  • Process or Procedural – This is the data used to get any given job done. This usually includes templates, scripts, forms, etc. Whatever you use on a regular basis to get your job done, but that doesn’t necessarily contain sensitive material.

  • System – All of the systems that we use create their own data. This data can sometimes be stored within the system, or sometimes there’s a separate database or storage area the system can access. These can be CRM systems, phone systems, infrastructure systems, etc. This list can go on and on.

  • Company specific information – This will include data about what the business is, how it operates, human resource information, legal info, patents, etc. Now we’re getting into the meat of things!

That is not an exhaustive list, but you get the idea: businesses create A LOT of data. And this data is moving all over the place. It’s over phone lines, it’s stored on servers, it’s on individual workstations, it’s in the cloud, and you still can’t remember where you put that USB drive with all that client information on it….

Where’s the Risk?

Now with all this data moving all over the place, do you ever consider what of that data is important? What of that data would truly be considered IP or Intellectual Property? What of that data would be a real problem if seen by the wrong eyes? What of that data would cause the company to close if lost and unrecoverable? What of that data is currently protected? And if it is protected, who can confirm that? Now that last question, many may see that as an easy one: “My IT person backs it up!” And that may be, but are you sure? How would you know if they couldn’t?

The problem that we run into as IT professionals is that most businesses have not really identified their data, and assessed who needs access to that data, or created any policies around the handling of that data. In fact, many companies don’t even know where all their company data is! You may have a manager who holds a very important role in your company and all the data they access is on their laptop. What if this data is not backed up, and the laptop gets stolen?

Figure Out Your RTO and RPO

The above scenario is not at all far-fetched. In fact, your business may only be a few minutes or hours away from this exact thing happening. It may not be, but unless you know, you don’t know. So, guess what? If any of this concerns you, you’ve got homework. Figure out your Recovery Time Objective (RTO) and Recovery Point Objective (RPO).

  • RTO refers to how much time an application can be down without causing significant damage to the business. Some applications can be down for days without significant consequences. Some high-priority applications can only be down for a few seconds without incurring employee irritation, customer anger and lost business.
  • RPO refers to your company’s loss tolerance: the amount of data that can be lost before significant harm to the business occurs. The objective is expressed as a time measurement from the loss event to the most recent preceding backup.
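
One way to answer “who can confirm that?” for the RTO and RPO defined above, as an added example that is not part of the original post: it measures each data set's loss window and last test-restore time against its objectives. The inventory, names and thresholds are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample inventory (hypothetical names and values, not from the post).
# last_backup: most recent successful backup, or None if the data was never backed up.
# restore_test: how long the last test restore took, or None if never tested.
INVENTORY = [
    {"name": "crm-database", "rpo": timedelta(hours=1), "rto": timedelta(hours=4),
     "last_backup": datetime(2024, 3, 4, 8, 30), "restore_test": timedelta(hours=2)},
    {"name": "file-server", "rpo": timedelta(hours=24), "rto": timedelta(hours=8),
     "last_backup": datetime(2024, 3, 1, 23, 0), "restore_test": timedelta(hours=12)},
    {"name": "manager-laptop", "rpo": timedelta(hours=24), "rto": timedelta(days=2),
     "last_backup": None, "restore_test": None},
]


def assess(item, loss_event):
    """Return the list of findings for one data set if it were lost at loss_event."""
    findings = []
    if item["last_backup"] is None:
        findings.append("RPO: no backup exists, all data would be lost")
    elif item["last_backup"] > loss_event:
        findings.append("RPO: backup timestamp is after the loss event, check the records")
    else:
        # Data-loss window: loss event back to the most recent preceding backup.
        window = loss_event - item["last_backup"]
        if window > item["rpo"]:
            findings.append(f"RPO: would lose {window} of data, objective is {item['rpo']}")
    if item["restore_test"] is None:
        findings.append("RTO: restore never tested, recovery time unknown")
    elif item["restore_test"] > item["rto"]:
        findings.append(f"RTO: last restore took {item['restore_test']}, objective is {item['rto']}")
    return findings


def report(inventory, loss_event):
    """Map each data set name to its findings (empty list means objectives are met)."""
    return {item["name"]: assess(item, loss_event) for item in inventory}


if __name__ == "__main__":
    for name, findings in report(INVENTORY, datetime(2024, 3, 4, 9, 0)).items():
        print(name, "OK" if not findings else findings)
```

An untested restore is reported as a finding on its own, because a backup that has never been restored says nothing about the recovery time.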

This is terminology your IT person should be familiar with. Work with them to figure out where your data is, what’s the most important, what’s the threshold of your business, and then figure out a system to protect it based on those thresholds. This has been a public service announcement. Aloha!
