Survivor's Guide to 2006: Priority No. 1: Data Protection

IT organizations have many priorities for the coming year, but none is as prominent as the effort to protect corporate data from disaster. We examine IT's approach to its top

December 16, 2005


[Figure: InfoSec Implementations]

Why is data security so high on IT's 2006 priority list? Because so many companies were burned--or flooded, or robbed--in 2005. About 16 percent of enterprises experienced some sort of business-interrupting disaster during the year, according to a study of more than 1,200 businesses conducted by AT&T and the International Association of Emergency Managers. Sixteen percent of those enterprises lost $100,000 to $500,000 per day, and 26 percent admit they still don't know how much the disasters cost their companies.

"These [natural disasters] have helped bolster the case for building data centers in separate regions of the country, so data can be synchronized away from the impact of a hurricane or an earthquake," says William Kyrouz, network manager at Goodwin Procter, a large legal firm.

High-profile data losses in 2005, such as those experienced by Bank of America and CitiGroup, have generated an impetus for data-protection projects in 2006. "We are redefining our application data elements and assessing the risk level of each to match it with potential data security solutions and costs," says Michael McKenna, manager of internal audits at Rothstein Kass & Co., a nationwide accounting firm.

And some IT managers are still fighting for funding for data security and recovery projects. "My management is resisting--they keep talking about 'maximizing shareholder value,'" laments a manager of network design at a large regional bank who asked not to be identified. "After someone has infiltrated and stolen all our data, where the heck do they think shareholders will take their money? Is it going to take something as catastrophic as a breach of customer data to get any measures in place?"

Like the bank, many enterprises are playing catch-up when it comes to data protection, according to the AT&T/IAEM study. More than 40 percent of companies surveyed have not established redundant servers or backup sites for their critical business functions, and nearly one third have not implemented basic security technology, such as firewalls, intrusion detection or password authentication. Eighteen percent plan to take action in the coming year, and 17 percent still have no plan in place. These companies "are taking an unnecessary gamble with their futures," says Elizabeth Armstrong, executive director of the IAEM.

However, 47 percent of Network Computing survey respondents say they have intrusion-detection technology in place, and 38 percent are deploying it now or plan to deploy it in 2006.

One of the big questions for IT in 2006 is not how much to spend on data protection, but which threat to tackle first. For most IT departments, the events of 2005 help to shape the strategy: If your business has a presence on the Gulf Coast, disaster recovery is probably top of mind. If you're in the financial industry, protection of customer records and other sensitive data likely draws the most attention. Public companies are worried about controlling data access to comply with Sarbanes-Oxley and SEC rules. And everybody--but everybody--is nervous about new worms and viruses.

"I see malware remaining the No. 1 threat because it has so many vectors--it can come in over e-mail, wireless systems or visitors' machines," says Kyrouz at Goodwin Procter. In the coming year, "we'll be constantly on the lookout for new ways to combat malware, including proxy servers, improved network access control, specialized antivirus software and tighter control of Windows permissions."

And Kyrouz isn't alone. Some 44 percent of respondents to the Network Computing survey say they expect their enterprises to experience at least some downtime due to worms and viruses in the coming year, despite heightened efforts to prevent it. "We must be able to receive e-mail from all around the world, and we are thus exposed to potential infection from every possible source," says an IT manager for a large nonprofit.

Prepare for the Worst

Although worms, viruses and other malware remain the top concerns for most IT organizations, the visceral images of the natural disasters of 2005 are virtually impossible to forget. Even IT managers who are satisfied with their disaster-recovery plans say their managers are forcing them to take a closer look at their strategies. "The disasters of this year have my senior management extremely nervous regarding our in-place plans for recovery," says one.

In most cases, IT pros are reassessing their provisions and schedules for deploying off-site backup systems and recovery sites. Thirty-six percent of Network Computing survey respondents say they are planning data-center renovations in 2006, and many tell us those renovations will include off-site redundancy. Fifty-seven percent of respondents to the AT&T/IAEM study say they have already established redundant sites, and another 18 percent plan to do so this year.

"With Mother Earth seemingly fighting back over the last year, I can only imagine that natural disasters would always be in the thoughts of those tasked with protecting and securing data," says the bank's network design manager. "What worries me are the people who are complacent about it."

Tim Wilson is Network Computing's editor, business technology. His background includes four years as an IT industry analyst and more than 14 years as a journalist specializing in networking technology. Write to him at [email protected].
