Quest CEO Blog

Thoughts on Technology, Business and the Management of Both.

 

Quest’s 10 ways to boost business IT security in 2012: #5 and #6

by TimBurke
Tuesday, January 24, 2012

It’s appropriate, I suppose, to think of Quest’s list of 10 ways to boost security as layers: Strategy and guiding principles first, then infrastructure basics you may not have considered much. And now a couple of layers that address some of what are sure to rank among 2012’s imminent threats …

 

#5 Deploy computer security incident response capabilities to better address advanced persistent threats. 

 

Too often, attacks and breaches take weeks, months, and even years to be uncovered. According to Verizon’s 2011 Data Breach Investigations Report (which includes information from the U.S. Secret Service and the Dutch National High Tech Crime Unit as well as Verizon’s information), 38% of data breaches aren’t discovered for weeks, and 36% aren’t discovered for months.

 

More...


What if The Year of the Data Breach isn’t over yet?

by TimBurke
Tuesday, January 10, 2012

The thing to remember concerning what you hear about data breaches is that you’re hearing only about what gets reported — and plenty of data breaches never get reported.

 

Even so, the numbers we do have are plenty scary. A study on data breaches — 2010 Annual Study: U.S. Cost of a Data Breach, published last March — conducted for Symantec by the Ponemon Institute tells us that in 2010 (the most recent info we have), the average data breach cost $7.2 million, up from $6.6 million in 2009. 

 

More...

Categories: Business Continuity | Business Resumption | Data Access | Information Security | Intrusion Detection



Data backup/recovery best practices #6, #7, #8, and #9

by TimBurke
Thursday, December 08, 2011

Continuing with my views of backup/recovery best practices, I offer up #6 through #9:

 

#6 Back up your data locally as well as remotely.

Data restores usually are faster from a local backup source than a remote one, especially for data that you recover frequently.

 

More...

Categories: Backup | Business Continuity | Disaster Recovery | Information Security



Infrastructure security and coping with cloud and social media: 9 key questions to ask

by TimBurke
Thursday, September 22, 2011

Our Chief Technical Officer, Mike Dillon, estimates that the number of infected sites is growing by 20% to 25% a year. “If your company is shifting more toward cloud services and hasn’t addressed security, you will be attacked,” he says.

 

So here are the (non-technical) questions you need to ask and get answered to protect your business:

More...


6 security questions to ask about your data and who gets access to it

by TimBurke
Tuesday, September 20, 2011

 

It’s easy to tumble backwards into information security, to let yourself get sidetracked into arcane, hard-to-follow discussions about the innards of technologies and products when in fact you need to be thinking through higher-level strategy and policy.

 

If, for instance, you don’t actually know yet whether your business would benefit from using encryption, listening to the sales pitches of competing encryption product vendors is a waste of time.

 

So start with straightforward non-technical questions that your IT people should answer in a straightforward, non-technical way. When they backslide into techno-babble, make them translate (they can use the practice).

 

  1. What data is business critical? What data is sensitive? Who ‘owns’ or has access to our business-critical data? Our sensitive data?
  2. What sort of assurances of confidentiality and integrity do we need to provide for each type of data?
  3. How long do we want to retain data?
  4. How do we want to control data access and permissions?
  5. How do we want to authenticate users?
  6. What kind of security training should we provide employees?

 

You’ll also want to pose questions about the security of your information infrastructure as well as how to cope with cloud computing and social networks. Check my next post for those 9 questions.

 


When disaster strikes the disaster recovery guys

by TimBurke
Tuesday, September 13, 2011

It happened during a stormy Wednesday morning commute. A driver lost control of his car and caused eight utility poles to fall. The power went out, the road was blocked by live wires and downed transformers, and everyone already in our offices got trapped in the building.

 

So we began to execute our disaster recovery plan. Initially, battery and generator backup provided phone and Internet capability. We utilized resources at several other locations to function until we got the all-clear to evacuate the building.

 

That’s when our disaster recovery efforts began in full — and by three o’clock that afternoon, we had everyone out of the building, the facility shut down, and we were operating completely remotely, with some of our folks at our McClellan Business Resumption Center and others working from home. Customer service calls, billing, email, phones — everything — was operational.

 

Why did it work out so well for us? One reason is our ongoing DR planning. Another reason: We conduct quarterly disaster recovery drills. As our CTO, Mike Dillon, says, every drill we do teaches us something.

 

We learned first-hand that even little disasters can have big impacts. And they can teach you things, too. For instance, we forgot about feeding the fish, which won’t happen again.


How cloud computing and VoIP make IT disruption avoidance easier — and less costly

by TimBurke
Thursday, September 08, 2011

 

Nobody stays in business long if their business-critical data and apps are lost. So pardon me if I sound like my replay button got stuck, but I’ll say it again: make sure your critical data and apps are replicated to a secure remote environment that’s always accessible from anywhere.

 

You’re at least halfway there if you’re using a cloud-based backup replication service — but, of course, you need to make sure you’re dealing with a provider with a secure, scalable, fail-safe environment and plenty of flexibility when it comes to service options.

 

Combining virtualized data replication, secure data storage, and disaster recovery capabilities in a resilient cloud environment makes data recovery smoother and less costly, since data replicas and data backups can be managed with the same software. Your provider should be able to ensure the safety, security, and integrity of your data whether it’s replicated to a shared environment or a discrete, dedicated one.

 

And don’t forget about what you’ll need to communicate with employees and customers. Using cellphones, web-based email, instant messaging, Facebook, etc., can enable you to stay in touch with employees. To interact with customers when your facilities are compromised, your best bet is hosted voice-over-IP (VoIP), which allows your office phones to easily be forwarded to other numbers.

 


Steps 3 and 4 to mastering business IT disruption: Testing and reviewing your disruption-avoidance plan

by TimBurke
Tuesday, September 06, 2011

 

So here you are with a solid How-We’ll-Stay-In-Business-Plan. Time to relax, right?

 

Well, not quite — although this is the point at which many stop paying attention to their disruption-avoidance plan.

 

Step 3 to mastering business IT disruption requires that you test your plan often. This is essential because change has a way of sneaking up on organizations, and those changes can upend your carefully laid plan to overcome disruptions. Fortunately, the right service provider will include regular testing in the price of your service.

 

Step 4 to mastering business IT disruption — regularly conduct a comprehensive plan review — is based on the same principle of keeping an eye on change.

 

At least once a year, you should review your plan top to bottom and adapt it to reflect changes in your organization. This involves:

 

  1. Updating your data backup/replication policies to incorporate changes and then testing for backup/recovery efficiency and accuracy, 
  2. Testing/verifying the functionality of your hardware and applications, and 
  3. Testing/verifying the effectiveness of your recovery protocols and processes in the face of business changes.

 

The right service provider can help you with expert analysis, testing, and verification capabilities that ensure your IT infrastructure continues to be sufficiently resilient.


 
