Lost data can mean lost revenue, lost time, lost business partners, and — in extreme cases — a lost business. Ensuring that critical data is always safe, available, and secure requires a comprehensive data resiliency strategy.
Almost all businesses have critical data that needs to be protected in multiple ways, says Jamie Mackay, head of product solution architecture at NCC Group, one of the world’s largest security consultancies. “If data is lost, it could result in the loss of revenue and an inability to run operations for a prolonged period of time.”
With cyberattacks growing almost exponentially, many enterprises are seeing their data resiliency plans — if they even exist — put to the test. “[Organizations] need to protect personal information and intellectual property and ensure their data protection and recovery strategies will minimize downtime while meeting aggressive service-level objectives,” observes Arun Krishnamoorthy, global strategy lead for resiliency and security at Dell Technologies Services.
Protecting data has always been important, says John Schick, principal consultant with technology research and advisory firm ISG. “Adding data resiliency to traditional features that provide reliability, redundancy, and cybersecurity is the next step.”
Mackay sees three key data resilience threats: the inability to access data due to technology outages, ransomware attacks, and third-party supplier insolvency, such as a cloud data storage service suddenly shutting down.
Effective records management is an essential first step toward creating a data resiliency strategy, says Megan O’Hern, director of archives and information services at History Associates Incorporated, a team of historians, researchers, archivists, and collections managers who help organizations, including the National Park Service, properly store, catalog, and manage their data.
Enterprises should take a holistic approach to understanding their data: how it’s gathered, how it’s used throughout the organization, and how it’s impacted by a lack of availability or corruption, Krishnamoorthy says. “This starts with creating a detailed map of business processes, applications, systems, and data,” he suggests.
Schick notes that there’s no industry-standard checklist for ensuring data resiliency, but advises separating critical and non-critical data, storing data in separate locations, logging transactions that change critical data, and using tools and processes to quickly recover corrupted or lost data.
Enterprises should retain data only for as long as it’s needed, O’Hern suggests. “We eliminate risk when we purge … which means it no longer exists to be held hostage.”
Krishnamoorthy notes that it’s also important to understand how applications, automated tools and systems, and IT staff interact with enterprise data from manageability, serviceability, and security perspectives. “With this understanding, organizations can then go about aligning processes and technologies with business needs, ultimately reaching the goal of providing data resiliency across the business,” he says.
O’Hern observes that many organizations hold the misguided belief that paper document digitization is the same as preservation. “Digitization is where you start, but preservation happens after you get those digital records, especially if you are destroying the paper copy.” She observes that people have been curating paper documents for at least a millennium. Digital records, meanwhile, have only been possible for less than 50 years. In many ways it’s still a new concept. “I want all organizations to understand that just because your files are digitized does not mean you are done.”
Planning and Deployment
A data resiliency plan should be specific, yet agile, involving the appropriate people, processes, and technologies. “Incorporate input and requirements from leaders across business, legal, security, governance, risk management, compliance, and IT teams to ensure it is holistic,” Krishnamoorthy says. He also recommends regular staff security training targeted at improving cybersecurity risk awareness.
O’Hern advises enterprises that haven’t yet adopted a resiliency strategy to organize their data and begin planning immediately. “Get the inventory together; get it properly stored, tagged, and preserved,” she says. “Understand who needs to access it, and what privileges they should have.”
When possible, the actual content creators should be involved in the planning. “They need to know what the standards for data security are,” O’Hern says. They also should understand, and be trained in, data security and records management. Files and records should always be in the right file format, saved consistently, and labeled uniformly, she adds.
Cyberattacks, technical failures, and natural events can all lead to data loss disruptions. Krishnamoorthy advises enterprises to think proactively about their data resiliency game plan, as well as the resources that will be needed to return operations to normal after a downtime event. “When approached strategically, data resiliency can be a competitive advantage for companies that have prepared to anticipate and align to evolving risks and market conditions,” he states.
For maximum overall effectiveness, data resiliency should be coupled with related processes, such as zero-trust security, malware detection, and periodic recovery testing, says ISG’s Schick.