Imperative Data Backup Operations: Why Businesses Must Conduct Internal and External Audits
After your company has finished the laborious task of implementing a backup and disaster recovery plan and finding a backup and disaster recovery vendor and product for your business, you might roll your eyes at the thought of then having to audit your security product provider to reduce the potential for a third-party compromise of your data. Oh, the irony! The fact is that this type of thing happens more than we would like to admit. Sure, natural disasters and power outages have caused their share of nervous breakdowns, but more often than not, human error is at the root of a data breach.
Case in point: the Army National Guard suffered a major data breach due to an employee error in 2015. A contract employee improperly handled a data transfer from one center over to a non-accredited center. CRN.com reported that the event exposed home addresses and even Social Security numbers of over 850,000 current and former members of the National Guard.
The breach offers us a reminder that any time humans are responsible for anything, errors are almost inevitable. This is why it’s important to take the extra steps. But don’t stop there: more and more businesses are becoming aware of the threat that external auditing services pose. This is forcing businesses to conduct not only in-house auditing but off-site auditing as well. By implementing policies that address all parties who have access to your data (security product providers, maintenance people, and people who are there to help but tend to trip over their own two feet), your data will be less prone to mishap. Fear not: there are several steps your business can take to protect your critical business systems.
First and foremost, make sure your data recovery service provider is ‘legit’. Make sure the provider carries enough insurance to cover even the most disastrous loss. Ensure that the vendor is liable for the appropriate risk-related items.
“Limitation of liability provisions commonly limit damages to the total fees paid under the service agreement. However, if the incident affects all of your data, those fees may not cover everything,” explains M. Scott Koller, Counsel, with BakerHostetler Law Group, who recently spoke on the topic in an interview with Network World.
Make sure you understand the limits of your service vendor’s coverage, and regularly ask for updates on the company’s wellness, or “wholeness”.
Next, use a single username across the entire third-party provider so that you can disable it, and with it access across that firm, when they are not using it. You may never expect the irony that the very people you pay to protect your data may be compromising it!
Another use for whitelists is in local area network security. Many network admins set up MAC address whitelists, or a MAC address filter, to control who is allowed on their networks. Limit remote access to a set of approved, whitelisted IP addresses within your organization and disable the list when not in use.
Another very effective option, apart from whitelisting access to your site or network, is to permit and provide remote access for external service providers only on demand. This will allow your IT team to automatically disable these tools using time-based and other rule sets.
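As an added example (not from the original article), the sketch below shows one way an internal audit could check the controls described above: it scans remote-access log lines for the single vendor account and flags logins that come from outside the IP whitelist or outside an approved on-demand access window. The account name, networks, window times and log format are all assumptions made for illustration.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumptions (all hypothetical): one shared vendor account, an allowlist of
# approved source networks, and on-demand access windows opened by IT.
VENDOR_ACCOUNT = "vendor-backup"
ALLOWED_NETS = [ip_network("203.0.113.0/28"), ip_network("198.51.100.7/32")]
ACCESS_WINDOWS = [  # (opens, closes) for each approved access request
    (datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 4, 11, 0)),
]

# Constructed sample log lines in the form "timestamp account source_ip"
SAMPLE_LOG = """\
2024-03-04T09:15:00 vendor-backup 203.0.113.5
2024-03-04T10:40:00 vendor-backup 192.0.2.44
2024-03-04T23:05:00 vendor-backup 203.0.113.5
2024-03-05T02:30:00 vendor-backup 192.0.2.44
2024-03-04T09:20:00 jsmith 10.0.0.8
not a log line
"""

def audit_vendor_logins(log_text):
    """Return (line, reasons) for each vendor login that breaks a rule."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # not in the expected three-field format
        ts_raw, account, ip_raw = parts
        if account != VENDOR_ACCOUNT:
            continue  # only the third-party account is in scope here
        try:
            ts = datetime.fromisoformat(ts_raw)
            ip = ip_address(ip_raw)
        except ValueError:
            findings.append((line, ["unparseable timestamp or address"]))
            continue
        reasons = []
        if not any(ip in net for net in ALLOWED_NETS):
            reasons.append("source not on allowlist")
        if not any(start <= ts <= end for start, end in ACCESS_WINDOWS):
            reasons.append("outside approved access window")
        if reasons:
            findings.append((line, reasons))
    return findings

if __name__ == "__main__":
    for line, reasons in audit_vendor_logins(SAMPLE_LOG):
        print(f"{line}  ->  {', '.join(reasons)}")
```

Because the whole provider shares one account, a single flagged line is enough reason to disable that account until the vendor explains the access.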