Securing information

October 2011 Information Security

Regardless of the size of your company or the volume of data, paper or video footage you accumulate, it would be irresponsible not to have suitable backup and archiving methodologies in place. Hi-Tech Security Solutions spoke to ContinuitySA, Metrofile and StorVault Africa about the ins and outs of these essential services.

Let us begin by differentiating between data backups and data archiving. Data backups are for disaster recovery or restoring lost or corrupted files. Speed of restoration is crucial. Data archives are for discovery and are used to store data that is no longer in day-to-day use, but must be retained. Here speed is not the issue, but the ability to expedite easy searches is of vital importance.

So the million-dollar question is – can companies backup and archive data on-site or should they move these functions offsite? Two critical factors come to the fore – space considerations and risk mitigation. Office floor space comes at a premium and, since the volume of data increases exponentially with the number of years a business has been in operation, it makes good business sense to outsource your storage needs.

As far as risk mitigation is concerned, are you really equipped to ensure the complete safekeeping of valuable data? Is environmentally sensitive data, documentation and footage stored in a humidity and temperature controlled room at your facilities? Is your building sufficiently secure to ensure complete protection of records and backups?

“Hurricanes, floods, tornadoes, earthquakes and other natural disasters, as well as violent strikes and protests, can threaten the viability of your businesses if you are not prepared. The best way to thwart this is to routinely back-up to an offsite data centre. That data centre should be both adequately remote, professionally managed and certified secure so you are absolutely certain of recovering from a disaster,” said StorVault Africa’s country manager, Derek Friend.

Bob Eedes, GM, information solutions at Metrofile, said that as the volume of data creation has proliferated over the years, so the need to store data offline has become more critical to save space. “There has been an increasing predilection of keeping everything online and backing it up accordingly, on a regular basis. With regard to archiving data, pragmatists would argue that the ideal time to do this would be at the financial year-end so that, from a SARS regulatory perspective, you would have a financial snapshot of the business at that point.”

“If you back up data more frequently, you reduce the amount of potential lost data and allow users to resume business faster. Determining how often you need to do this in order to retain crucial data is referred to as your recovery point objective (RPO). It makes sense to consider a solution that automates backups according to the schedule you require,” said Friend.

Friend suggests sorting data into three categories. “The first is important data, but you will be satisfied if it takes longer than 48 hours to recover it. The second category is data you will definitely need within 25 to 48 hours. Third is data you need in less than 24 hours. This is referred to as the time to return-to-operations (RTO).”

What is your core business?

“Keeping your business successful means doing more with less. Your priorities are sales and service, not the details of data management. This means you may want to outsource functions, such as data protection and management, which do not directly add value to your business,” said Friend.

“However, if you hand over management of your data protection to a local consultant, ensure he has the tools to set up, monitor and administer everything about your data backup and recovery from his remote location,” he cautioned.

Eedes agreed that often data storage becomes an inefficient management function within an organisation. “It is often delegated to a low level employee who is situated in the lowest level of the building (often the basement). This employee generally is unaware of the critical nature of the data and is oftentimes unable to administer correct procedures for safe storage and easy retrieval. This is where offsite storage comes into its own. With predetermined retention period protocols in place, your consultant will automatically inform you when this retention period is due to expire and discuss the various options open to you at that point. These could include extending the retention period or destroying the data.”

How long is long enough?

Justin Lord is the GM for hosting services at ContinuitySA, a company that works closely with clients to ensure the protection of critical data through suitable storage methodologies. “We discuss the logistics around retention policies and all video footage is stored on hard disks for a period of 60 to 90 days. If there is an incident, this provides a large enough timeframe for data retrieval. The client can then choose to backup this data to tape and we can then store it for a period of 12 to 24 months. However, financial institutions require data and footage to be retained for periods of seven to 14 years.”

Justin Lord
Justin Lord

Eedes said that in South Africa we have a mix of First World and Third World practices. “Therefore, while much of the data can be stored electronically by scanning it to disk or automatic transfer in the case of electronic data, there will still be a need for the storage of paper records in the foreseeable future.”

How does it work?

Eedes explained that one of the options available for backing-up electronic data is to send it online to a storage platform where, when transmitted, it is encrypted and undergoes, for example, delta blocking to reduce its physical size. “This is part of the technology that ensures that the offsite data is a complete and accurate copy of the original.”

Eedes said that video footage can be stored on an external hard drive and collected for secure off-site storage on a rotational basis. “At the end of this period the external hard drive will be delivered to the client to continue the backup cycle, as required. By taking responsibility for the collection and delivery away from the client, the client is free to continue with their core business functions. A positive spin-off is that this scheduled cycle instils discipline in the client environment and when the client is aware that rotation is about to take place, he is prompted to ensure that backups are completed and up to date which further reduces the risk of losing crucial data.”

Due diligence

Eedes said that governance issues such as the King III Report and the Companies Act need to be considered when storing data. “These outline the duties of the responsible officers regarding due diligence in ensuring records are accessible to the right (read ‘restricted’) people and are kept in an appropriate environment.” Friend said that it is important to ensure that your backups are secure and comply with regulations like end-to-end encryption and that the data centres are suitably certified. “Look for a solution that encrypts your data during transmission and in storage. Get a vendor who moves your backups to an offsite data centre that is SAS 70 Level II certified. If you need to comply with regulations such as SOX, GLBA, or HIPPA – and who does not anymore – make sure the vendor you select helps you conform to your industry-specific requirements.”

Apart from the obvious risk mitigation of data subjected to disastrous conditions or the loss of data due to IT systems crashing, and the desirable reduction in physical storage footprint, one should also consider the time and money saved in the medium to long term by storing data offsite with a reputable company. “If you consider that the average employee spends 30% of their time looking for information, does it not make good financial sense to consider placing your critical data in the hands of people who specialise in data risk mitigation?” Eedes concluded.





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Highest increase in global cyberattacks in two years
Information Security News & Events
Check Point Global Research released new data on Q2 2024 cyber-attack trends, noting a 30% global increase in Q2 2024, with Africa experiencing the highest average weekly per organisation.

Read more...
From QR code to compromise
Information Security News & Events
A new attack vector involves threat actors using fraudulent QR codes emailed in PDF attachments to bypass companies' phishing security measures by requiring users to scan the code with their mobile phones.

Read more...
Organisations fear AI-driven cyberattacks, but lack key defences
Kaspersky Information Security News & Events Training & Education
A recent Kaspersky study reveals that businesses are increasingly worried about the growing use of artificial intelligence in cyberattacks, with 56% of surveyed companies in South Africa reporting a rise in cyber incidents over the past year.

Read more...
Vodacom Business unveils new cybersecurity report
Information Security IoT & Automation
Cybersecurity as an Imperative for Growth offers insights into the state of cybersecurity in South Africa, the importance of security frameworks in digital resilience and the latest attack methods adopted by cyberattackers.

Read more...
Smart surveillance and cyber resilience
Axis Communications SA Surveillance Information Security Government and Parastatal (Industry) Facilities & Building Management
South Africa’s critical infrastructure sector has to step up its game regarding cybersecurity and the evolving risk landscape. The sector has become a prime target for cybercriminals on top of physical threat actors, and the consequences of an incident can be far-reaching.

Read more...
NIS2 compliance amplifies skills shortages and resource strain
Information Security Security Services & Risk Management
A new Censuswide survey, commissioned by Veeam Software reveals the significant impact on businesses as they adapt to this key cybersecurity directive, with 95% of EMEA businesses siphoning other budgets to try and meet compliance deadline.

Read more...
Know who’s spying on you
Kaspersky Information Security Products & Solutions
According to the latest State of Stalkerware report, 40% of the people surveyed worldwide stated they have experienced stalking or suspect they are being spied on. A solution for Android is now available.

Read more...
Cybersecurity needs 4,7 million professionals
Information Security
Despite all the efforts organisations worldwide put into preventing cyberattacks, global cybercrime has snowballed to $9,2 trillion in 2024 and is expected to grow by another 70% to $15,6 trillion by the end of a decade.

Read more...
Autonomous healing systems are the future
Infrastructure Information Security AI & Data Analytics
Autonomous healing software, an emerging technology, is gaining traction for its potential to transform how organisations manage software maintenance, security, and system performance.

Read more...
Understanding South Africa’s Cybercrimes Act
Information Security Security Services & Risk Management
The Cybercrimes Act No.19 of 2020 is a comprehensive legislative response to the evolving landscape of cyberthreats in South Africa. Its effectiveness, however, relies on enforcement, which relies on implementation, international cooperation, and collaboration between the public and private sectors.

Read more...