Confidentiality of data – where you ensure that critical data is only accessed by people with proper approval and on a need to know basis.
Confidentiality is related to the broader concept of data privacy – the act of limiting access to Personally Identifiable Information (PII). In the US, a range of state and federal laws, with abbreviations like FERPA, FSMA, and HIPAA, set the legal terms of privacy.

Integrity of data – where you do everything possible to protect business and client information from unauthorized alteration. Integrity is all about the trustworthiness of information and the assurance that data have not been changed inappropriately, whether by accident or deliberately.  It also includes making sure that the data actually came from the person or entity you think it did, rather than an impostor. In many cases, it might actually come down to making sure that the information recorded reflects actual, reliable and correct record or circumstance. At the end of the day, it is the business owners job to make sure that  business’s information system includes mechanism to preserve without corruption, whatever was transmitted or entered into the system, right or wrong.

Availability – where you ensure that critical business information is readily available to authorized users and applications as needed. Businesses today are highly dependent on functioning information systems.  Many could not operate without them.
Availability, like other aspects of security, may be affected by purely technical issues (e.g., a malfunctioning part of a computer or communications device), natural phenomena (e.g., wind or water), or human causes (accidental or deliberate).
While the relative risks associated with these categories depend on the particular context, the general rule is that humans are the weakest link.  (That’s why each user’s ability and willingness to use a data system securely are critical.)

The provision of Confidentiality, Integrity and Availability is something most businesses take for granted, especially those that provide services dealing with sensitive data like finance, health and legal matters. Consider the following scenarios:

• janitors working at night freely browsing customer information that was left open on a computer without a screen-saver password.
• partially printed result of a retina scan that was thrown into a trashcan
• sensitive email that was sent without encryption
• a USB drive full of financial reports that has no password protection or encryption is carelessly left at the front desk?
• an employee loudly discussing sensitive business details on the phone at an airport

The biggest area where most small businesses fail is in the area of availability – making sure that resources are available to users and clients when needed. This is because over seventy percent of small businesses do not make any effort to back up their critical data. I have dealt with enough to know that it is only when a hard drive fails, or a memory module goes bad (the famous server crash) that they scramble around begging any computer support provider they can find to “do whatever it takes to get our stuff back”. Sadly, in most cases it is either too late or is going to cost an outrageous amount to recover the data through high-end data recovery software or service.

What can you do? We’ll talk about this in the next installment.

Business owners have a false sense of security when it comes to the issue of Business Continuity which is often thought of as just an IT (Information Technology) problem. “We have a good backup system so we are fine”. There is often the tendency to overlook flaws on business processes, application development, and logistics.

According to the Gartner Group, over fifty-percent of all businesses fail after experiencing a major disruption. In addition, lack of planning for these disruptions can cause a business to lose a majority of its customers and integrity.

Research has also shown that a business is more likely to recover if it has a plan and has taken into account all of the areas on which it depends to function normally especially since it is difficult to predict such failures.

As is well known, most computer hardware, if used consistently over a period of three to five years, stand a forty to sixty percent chance of having a catastrophic failure.  It is also a fact that most small businesses purchase non-brand computers, disregard repair policies (depending on the toss-and-replace mentality instead), and depend on these non-brand computers heavily. Most use inexpensive file servers (actually desktop computers converted to “servers”), or a cheap tape drive for backup. Backups are rarely tested to determine if a failed system can be rebuilt from scratch, and in many cases, the backups fail to restore critical data.

The question, “What if you had to leave your office within 30 seconds and could not come back for a month, if ever?” has been asked again and again.  The sad situation is that even with all the evidence supporting the urgency around this question, it remains answered with only a shrug. Business owners, who normally would not think twice about purchasing liability or health insurance, reply with a fatalistic, “I will deal with that if it happens.”

Business owners need to identify the risks that their businesses face, and make proactive plan to follow should the unexpected computer shutdown occur. By making computer problems “expected” and “planned for,” businesses will reduce the cost of data loss and recovery efforts.  The events of September 11th 2001, the ensuing Anthrax bio-terrorism scare, hurricanes Katrina and Rita, the incident with a small plane crashing into the IRS building in Austin, TX etc. gave “Business Continuity” new meaning. Although the probability of these events occurring again may be considered quite low, business owners should recognize the need for Business Continuity planning.

We understand that the typical small business has no IT department and in many cases may only have one person, or a contract with a service, that truly understands IT. For the most part, however, computers are treated like appliances in the sense that when something breaks, it is repaired or replaced.

Our goal as IT service providers should be to assist the small business owner in saving money and preserving wealth. We could do this by advising business owners on:

• Discovering what risks need to be avoided immediately.
• Closely examining processes, policies, and procedures to ensure requirements are met.
• Developing an awareness of what processes actually impact the business.
• Developing an appreciation of the business continuation plan as an integral part of the business plan.
• Helping you with a remote backup solution that backs up your critical data in real time, as it changes, to reduce the amount of time it takes to complete a data backup for as little as $20 a month.
• Simple operating system imaging techniques that reduces the time it takes to bring a system back online and operations following a system failure
• Working with vendors with whom you can pre-arrange replacement hardware should your fail.
• Simple techniques to follow to make sure you have continuous access to your data even when your computers are not available.

But for getting started, you really do not need anything expensive. I recently came across a device called NetDisk from Iocell that uses a technology called NDAS (Network Direct Attached Storage). It is an enclosure that houses a SATA drive or two, and plugs into your network. But the interesting thing is that the device does not use an IP address. It works through the installation of three drivers: a LPX Protocol, a NDAS Bus, and a NDAS Miniport controller. Unique hardware IDs and access keys are used for mounting the drives or creating RAID arrays etc. Once you mount the drive(s), you can backup up your files to it like a regular hard drive.

There are also the so-called NAS (Network Attached Storage) devices made by manufacturers like D-Link, Netgear, Linksys, Airlink 101 etc. These plug into your network and can be assigned IP addresses. Some can even be managed remotely. If you are adventurous, you can create your own backup server with FreeNAS, an open source software that enables you to convert a regular PC into a backup device.

However you decide to go about it, it is always a good thing to make regular backups of your critical data. It is no fun to come to the office one day and see the dreaded “hard disk not found” error and having to scramble to find a data recovery expert. And those folks are not cheap.