Main Ways to Prevent Data Loss

Data loss is crippling for any business, especially in the age of big data where companies rely on digital information to refine their marketing, reach out to potential customers, and process transactions. Reducing the risk of data loss is an essential part of a data management strategy.

The first goal should be to prevent data loss. Many things can cause it. A few of them are listed below:

1) Hard disk errors

2) Accidental deletion (user error)

3) Computer viruses and malware infections

4) Theft of laptops

5) Power cuts

6) Damage from spilled coffee or water, and so on.

However, should a loss occur, there are several best practices you can adopt to increase your chances of recovery.

Second, don’t put all of your storage eggs in the cloud basket. The cloud is vital for cost-effective storage, but it has some pitfalls that shouldn’t be ignored. Physical media have their own risks: there have been many examples of data loss caused by an employee simply dropping a computer or hard drive, so talk to employees about best practices. SD cards are much more fragile and should never be used as a form of long-term storage.

Here’s an overview of the main ways you can protect your data against loss and unauthorized access.

Back up early and often

The single most important step in protecting your data from loss is to back it up regularly. How often should you back up? That depends on how much data you can afford to lose if your system crashes completely. A week’s work? A day’s work? An hour’s work?

You can use the Windows built-in backup program (ntbackup.exe) to perform basic backups. You can use Wizard mode to simplify the backup and restore process, or you can manually configure the backup settings and schedule backup jobs to run automatically.

There are also plenty of third-party backup programs that can provide more advanced options. Whatever program you use, it is important to keep a copy of your backup off site in the event of a fire, tornado, or other natural disaster that could destroy your backup tapes or discs along with the original data.

Diversify your backups

You always want more than one backup system. The general rule is 3-2-1. Keep 3 backups of everything that is very important, in at least two different formats, such as in the cloud and on a hard drive. There should always be a remote backup in case there is any damage to your physical office.
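A backup only counts if it is intact, so a 3-2-1 check should verify each copy as well as count it. The following is an added example, not part of the original article: it hashes every copy against the source and then applies the rule as stated above. The file names, medium labels and the `BackupCopy` structure are assumptions made for the illustration.

```python
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path

@dataclass
class BackupCopy:
    path: Path     # where this copy lives
    medium: str    # free-form label such as "disk" or "cloud" (assumed naming)
    offsite: bool  # True if the copy is stored away from the office

def sha256_of(path: Path) -> str:
    """Hash in chunks so large backup files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def audit_321(source: Path, copies: list) -> list:
    """Return findings; an empty list means the 3-2-1 rule is satisfied."""
    want, good, findings = sha256_of(source), [], []
    for c in copies:
        if not c.path.is_file():
            findings.append(f"missing copy: {c.path.name}")
        elif sha256_of(c.path) != want:
            findings.append(f"corrupt or stale copy: {c.path.name}")
        else:
            good.append(c)
    if len(good) < 3:
        findings.append(f"only {len(good)} intact copies, need 3")
    if len({c.medium for c in good}) < 2:
        findings.append("intact copies share one medium, need 2")
    if not any(c.offsite for c in good):
        findings.append("no intact offsite copy")
    return findings

def demo() -> list:
    """Constructed sample: three copies, the offsite one silently damaged."""
    root = Path(tempfile.mkdtemp())
    source = root / "ledger.db"
    source.write_bytes(b"constructed sample data\n" * 100)
    plan = [("nas", "disk", False), ("usb", "disk", False), ("cloud", "cloud", True)]
    copies = [BackupCopy(root / f"{n}-ledger.db", m, o) for n, m, o in plan]
    for c in copies:
        c.path.write_bytes(source.read_bytes())
    copies[2].path.write_bytes(b"truncated")  # simulate damage to the cloud copy
    return audit_321(source, copies)
```

Run a check like this right after a backup job finishes; once the source changes again, older copies will legitimately differ and show up as stale.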

Use file and share level security

To keep others out of your data, the first step is to set permissions for the data files and folders. If you have data in network shares, you can set sharing permissions to control which user accounts can and cannot access files on the network. With Windows 2000 / XP, you do this by clicking the Permissions button on the Sharing tab of the file or folder’s properties window.

However, these share-level permissions do not apply to anyone using the local computer where the data is stored. If you are sharing your computer with someone else, you must use file-level permissions (also called NTFS permissions, as they are only available for files / folders stored on NTFS-formatted partitions). File-level permissions are set through the Security tab in the properties panel and are much more granular than share-level permissions.

In either case, you can set permissions for user accounts or groups, and allow or deny different levels of access, from read-only to full control.
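The difference between the two permission layers is easiest to see when both are evaluated for the same user. The following is an added example, not code from the original article and not Windows code: a simplified model in which network access must pass both the share and the NTFS permissions, a local logon is checked against NTFS only, and a matching deny entry overrides any allow. The user names, group names and right names are hypothetical.

```python
# Simplified model for illustration (an assumption of this example, not Windows
# code): an ACL is a list of (principal, "allow" | "deny", rights) entries, and
# inheritance ordering is ignored, so any matching deny beats any allow.
READ = {"read"}
CHANGE = {"read", "write", "delete"}
FULL = CHANGE | {"change_permissions"}

def granted(acl, principals):
    """Rights an ACL gives a user, given the user's name and group names."""
    allow, deny = set(), set()
    for who, kind, rights in acl:
        if who in principals:
            (allow if kind == "allow" else deny).update(rights)
    return allow - deny

def effective(share_acl, ntfs_acl, principals, over_network):
    """Network access must pass both ACLs; a local logon only meets NTFS."""
    ntfs = granted(ntfs_acl, principals)
    if not over_network:
        return ntfs  # the share ACL is never consulted at the console
    return ntfs & granted(share_acl, principals)

# Constructed sample: the share is locked down to read-only, but the NTFS ACL
# on the folder was left wide open; temps are denied write/delete on NTFS.
SHARE_ACL = [("Staff", "allow", READ)]
NTFS_ACL = [("Users", "allow", FULL), ("Temps", "deny", {"write", "delete"})]
ALICE = {"alice", "Users", "Staff"}
TOM = {"tom", "Users", "Staff", "Temps"}

def report():
    """Effective rights for the sample users, by access path."""
    return {
        "alice_network": sorted(effective(SHARE_ACL, NTFS_ACL, ALICE, True)),
        "alice_local": sorted(effective(SHARE_ACL, NTFS_ACL, ALICE, False)),
        "tom_local": sorted(effective(SHARE_ACL, NTFS_ACL, TOM, False)),
    }

if __name__ == "__main__":
    for who, rights in report().items():
        print(f"{who:14} {rights}")
```

In the sample, the read-only share limits alice to reading over the network, yet at the console she has full control, which is why a restrictive share permission alone does not protect data on a shared computer.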

Protect documents with a password

Many productivity applications, such as Microsoft Office applications and Adobe Acrobat, allow you to set passwords for individual documents. To open the document, you must enter the password. To password protect a document in Microsoft Word 2003, go to Tools | Options and click the Security tab. You can require a password to open the file and/or to make changes to it. You can also set the type of encryption to be used.

Unfortunately, Microsoft’s password protection is relatively easy to crack. There are programs on the market designed to recover Office passwords, such as Elcomsoft’s Advanced Office Password Recovery (AOPR). This type of password protection, like a standard (non-deadbolt) lock on a door, will deter casual would-be intruders, but can be circumvented quite easily by a determined intruder with the right tools.

You can also use zip software such as WinZip or PKZip to compress and encrypt documents.

Use EFS encryption

Windows 2000, XP Pro and Server 2003 support the Encrypting File System (EFS). You can use this built-in certificate-based encryption method to protect individual files and folders stored on NTFS-formatted partitions. Encrypting a file or folder is as easy as selecting a check box; just click the Advanced button on the General tab of the properties window. Note that you cannot use EFS encryption and NTFS compression at the same time.

EFS uses a combination of asymmetric and symmetric encryption for both security and performance. To encrypt files with EFS, a user must have an EFS certificate, which can be issued by a Windows CA or self-signed if there is no CA on the network. EFS files can be opened by the user whose account encrypted them or by a designated recovery agent. With Windows XP / 2003, but not with Windows 2000, you can also designate other user accounts that are authorized to access your EFS encrypted files.

Note that EFS is intended to protect data on the disk. If you send an EFS file over the network and someone uses a sniffer to capture the data packets, they can read the data in the files.

Use disk encryption

There are many third-party products available that allow you to encrypt an entire disk. Whole disk encryption locks the entire contents of a disk drive / partition and is transparent to the user. Data is automatically encrypted when written to the hard drive and automatically decrypted before being loaded into memory. Some of these programs can create invisible containers in a partition that act like a hidden disk within a disk. Other users see only the data on the “outer” disk.

Disk encryption products can be used to encrypt removable USB drives, flash drives, etc. Some allow the creation of a master password along with secondary passwords with lower privileges that you can give to other users. Examples include PGP Whole Disk Encryption and DriveCrypt, among many others.

Make use of a public key infrastructure

A public key infrastructure (PKI) is a system for managing public / private key pairs and digital certificates. Because keys and certificates are issued by a trusted third party (a certificate authority, either an internal one installed on a certificate server on your network or a public one, such as Verisign), certificate-based security is stronger.

You can protect data that you want to share with someone else by encrypting it with the public key of the intended recipient, which is available to everyone. The only person who can decrypt it is the holder of the private key corresponding to that public key.

Hide data with steganography

You can use a steganography program to hide data in other data. For example, you can hide a text message in a JPG graphics file or an MP3 music file, or even in another text file (although the latter is difficult because text files don’t contain much redundant data that can be replaced with the hidden message). Steganography does not encrypt the message, so it is often used in conjunction with encryption software. The data is first encrypted and then hidden in another file with the steganography software.

Some steganographic techniques require the exchange of a secret key and others use public / private key cryptography. A popular example of steganography software is StegoMagic, a freeware download that encrypts and hides messages in .TXT, .WAV or BMP files.

Protect data in transit with IP security

Your data can be captured as it travels across the network by a hacker with sniffer software (also known as network surveillance or protocol analysis software). To protect your data in transit, you can use Internet Protocol Security (IPsec), but both the sending and receiving system must support it. Windows 2000 and later Microsoft operating systems have built-in support for IPsec. Applications do not need to be aware of IPsec because it operates at a lower level of the network model. Encapsulating Security Payload (ESP) is the protocol that IPsec uses to encrypt data for confidentiality. It can operate in tunnel mode, for gateway-to-gateway protection, or in transport mode, for end-to-end protection. To use IPsec in Windows, you have to create an IPsec policy and choose the authentication method and IP filters it will use. IPsec settings are configured through the TCP / IP Protocol Properties window, in the Options tab of Advanced TCP / IP Settings.

Secure wireless transmissions

Data you send over a wireless network is even more subject to interception than data sent over an Ethernet network. Hackers do not need physical access to the network or its devices; anyone with a wireless-enabled portable computer and a high gain antenna can capture data and / or get into the network and access data stored there if the wireless access point is not configured securely.

You should transmit or store data only on wireless networks that use encryption, preferably Wi-Fi Protected Access (WPA), which is stronger than Wired Equivalent Privacy (WEP).

Use rights management to stay in control

If you need to send data to others, but are concerned about protecting it once it leaves your own system, you can use Windows Rights Management Services (RMS) to determine what recipients can do with it. For example, you can set permissions so that the recipient can read the Word document you sent, but cannot edit, copy or save it. You can prevent recipients from forwarding email messages that you send them and you can even set documents or messages to expire on a specific date / time so that the recipient cannot access them after that time.

To use RMS, you need a Windows Server 2003 server configured as an RMS server. Users need client software or an Internet Explorer plug-in to access the RMS protected documents. Users who are assigned rights also need to download a certificate from the RMS server.