The natural upgrade cycle of IT hardware can be an opportunity to determine the value of data and how to increase its cyber protection.
When undertaking a cybersecurity strategy, one of the early steps is to determine value: the value of the data that your company holds. If this data was lost or stolen, could that value be recognised by a third party or, conversely, could its loss have a detrimental financial impact on the business?
In my own small way, I was considering the value of data as I embarked on a recent data migration exercise to a variety of cloud based solutions. My reason for doing this, I must admit, was not primarily cyber security concerns, it was predicated on the natural hardware upgrade cycle that is business IT.
Did I need to invest in upgrading my small co-located server, which for years had provided online document storage, email services, a couple of web-based apps and a backup solution, or had the time come to let it go? The choice was relatively easy – let it go – as everything could be easily migrated to online services, all using the price-per-user-per-month charging model. But what about the data? I had a few TBs of data that I had amassed over my career, but did any of it hold value?
On first inspection I thought that keeping it all was the right decision, but did I really want to pay for and secure old software archives that I hadn’t accessed for over a decade? Of course not. I started to search for files that hadn’t been accessed for 10 years, then 9, then 8, and started to remove them. Before I got too trigger-happy, I was aware that, depending on your business type, there are legal requirements to hold data for a certain time, so documents of a financial and legal nature, irrespective of age, were kept. But it was quite easy to clear away GBs of old notes, multiple iterations of documents (retaining just the final one), old email archives and much more, all the while with the mantra of ‘does this have value?’, meaning ‘do I want to pay to protect and secure this?’, guiding my every mouse click.
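The age-banded sweep described above, as an added example (not the author's own tooling): a report-only Python audit that groups files by whole years since last use and sets aside anything matching retention patterns. The function names and the `RETENTION_PATTERNS` list are assumptions for illustration; because many filesystems are mounted with `relatime` or `noatime`, it uses the later of access and modification time.

```python
import fnmatch
import os
import stat
import time
from collections import defaultdict

# Hypothetical patterns for records kept irrespective of age (financial, legal).
RETENTION_PATTERNS = ["*invoice*", "*contract*", "*tax*", "*accounts*"]
YEAR_SECONDS = 365.25 * 24 * 3600


def is_retained(rel_path, patterns=RETENTION_PATTERNS):
    """True if the path (relative to the audited root) matches a retention pattern."""
    name = rel_path.lower()
    return any(fnmatch.fnmatch(name, p) for p in patterns)


def audit(root, min_years=8, now=None, patterns=RETENTION_PATTERNS):
    """Walk root and return {years_idle | 'retained': [(path, size), ...]}.

    Nothing is deleted: the result is a review list for a human decision.
    """
    now = now or time.time()
    report = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            path = os.path.join(dirpath, filename)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks out of root
            except OSError:
                continue  # unreadable entry, skip rather than abort the audit
            if not stat.S_ISREG(st.st_mode):
                continue
            # atime alone is unreliable on relatime/noatime mounts.
            last_used = max(st.st_atime, st.st_mtime)
            years_idle = int((now - last_used) // YEAR_SECONDS)
            if years_idle < min_years:
                continue
            rel = os.path.relpath(path, root)
            key = "retained" if is_retained(rel, patterns) else years_idle
            report[key].append((path, st.st_size))
    return dict(report)


def summarise(report):
    """Collapse the audit to {bucket: (file_count, total_bytes)}."""
    return {k: (len(v), sum(size for _, size in v)) for k, v in report.items()}
```

Lowering `min_years` one step at a time reproduces the 10, then 9, then 8 passes, and the `retained` bucket is the candidate list for offline archiving.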
As this process developed over the period of a few business days, I’d followed good governance and categorised and secured my data as: local storage, on my device but trickle-synced to a cloud storage solution; online storage, where the bulk of my data was held, now down to a more manageable 400GB; and archive data that was required to be kept for legal reasons. The archiving was done using relatively low-cost DVD burning, which, when stored in a small fireproof safe, met my own self-inflicted requirements.
Alongside this, the other services my server provided were migrated to online equivalents, leaving me with data stored and services provided by the industry-leading IT providers, all of whom have best-in-class cyber security protection.
My server, which was a single point of failure, was now obsolete and subsequently decommissioned, and my business risk was mitigated as I spread this risk across multiple providers. The costs of using these solutions, compared to the purchasing and hosting costs of a new server over a three-year period, were comparable, but I had increased security and lowered risk. That is a win-win in anybody’s book.
The IT infrastructure and service provisions of many SMEs are incredibly similar to mine. They may hold data on on-site servers and data repositories, with little or no cyber security protection. They may store data locally, or on removable storage, but this data just builds up and up and up, rarely being audited for value. I would also confidently predict that in many SMEs the high-value data is stored adjacent to the ‘day to day’ data, just protected by an access control mechanism, as opposed to being stored on a more secure service.
This is potentially why many SMEs are hesitant to implement a cyber security strategy: it kicks off a chain of events that will require discussion on value, on storage strategies, on new service-related business costs and more. But ultimately, when you push through that pain, the rewards of increased technical resilience, eliminating single points of failure and greater levels of security are hugely satisfying, and they will also go a long way to meeting elements of the forthcoming GDPR legislation.
Would I have undertaken this process, clearing away over half of my data, purely for security reasons? Probably not. The catalyst was that the technology I had been relying on had come to the end of its life, but the data hadn’t; it was still only halfway through its life. So rather than just upgrading and carrying on, it was an opportunity to rethink how I worked, how I would work in the future and how I would now protect the data of mine that I perceived had the highest value.
Therefore, if you are a business owner or an SME, when you are advised that your hardware is due for an upgrade, rather than just signing the cheque and perpetuating the way you have always done things, use it as an opportunity for a rethink, a reengineering, a value discussion and an opportunity to mitigate your risk and significantly increase the cyber security protection of your data.