Employees are the lifeblood of any business, and the data they produce is critical to productivity. Unfortunately, during recent uncertain economic times, businesses of all sizes across America have laid off hundreds of thousands of employees. When employees leave during turnover, important data can be lost or forgotten. Such “orphaned data” can consist of any business information, application or intellectual property that has become unrecoverable because it was left on no-longer-accessible edge devices like laptops that were never backed up, or was simply never transferred to a backup-accessible server.
In times of workforce turnover, organizations need to retain mission-critical data to keep remaining business teams productive. Continued productivity depends on seamlessly retaining every team member’s intellectual property, such as prospect lists, business plans, research or financials, as well as withholding it from unauthorized disclosure. In order to retain this crucial intellectual property, organizations need to be able to enforce policy to capture and retain any orphaned data.
To safeguard against orphaned data, businesses should take steps to (1) prevent data from being unintentionally orphaned on distributed edge devices; (2) establish centralized control over retaining all potentially orphaned data; and (3) deploy technology that is able to reliably, flexibly, and easily recover that data under any circumstances.
Preventing Orphaned Data
The first step in prevention is identifying potential repositories for orphaned data. In order to course-correct business continuity planning and establish an effective approach for post-layoff data re-integration, IT must factor in mobile and distributed data. IT should expect that a percentage of the collapsed employee hierarchy will reflect remote-branch employees, at-home teleworkers, mobile employees, third-party contractors and partners.
Over half of all business data now resides on laptops and other distributed devices. These devices are often in transit or located at the edge of the network or beyond at distant offices, partner sites, or employees’ homes, and not under the constant watch or control of IT. Even in the best circumstances, data can be orphaned if these devices are lost, stolen, broken, corrupted, or simply never backed up.
During workforce turnover, even if IT manages to get distributed devices back, disk drives are often pulled, stacked on a shelf or in a drawer, and forgotten, reformatted or recycled. IT should establish an inventory of distributed devices that likely contain mission-critical data and applications before any workforce turnover has taken place, while it’s still not too late to set up an adequate recovery process. Defining an inventory of distributed devices can help identify potentially orphaned data and ensure that data is regularly and thoroughly backed up.
To prevent the backup of forbidden or unauthorized data and applications, such as peer-to-peer (P2P) applications streaming MP3 files, IT should keep them off the network in the first place, through the use of content filtering and application firewall technologies.
Measures should also be taken to prevent data from becoming unrecoverable due to data gaps and data leakage. Data gaps are especially problematic for businesses with legacy tape or CD-ROM systems. Such organizations are often lucky to capture a reliable backup of their central server once a night. If they are really lucky, they might also back up shared folders from networked desktops that are actively connected to the server at that time.
However, even then, restoring the data is difficult and sometimes impossible. Once-a-night backups are inadequate for retaining minute-by-minute transactional data. Versions of any business-critical file should be retained every time it gets updated. Worse still, remote laptops and other mobile devices usually only make contact with a central server sporadically (and not during backups scheduled in the middle of the night), so data residing on these distributed devices frequently fails to get included in collective batch backups on legacy systems.
In times of corporate reorganization, data is not only prone to being lost, but also being leaked. It is not uncommon for employees to be unaware of corporate policy and for them to try to e-mail sensitive documents to themselves or other third parties without company authorization — and without any policy controls put in place to prevent it. This risk will increase when rumors swell about impending layoffs. Productivity tools like e-mail can actually become counterproductive when they are used to transmit business plans, company financials, product roadmaps and other confidential documents outside of the corporate network.
Controlling Orphaned Data
Human error is not only a leading cause of data loss; it is also a primary cause of failed backups. For too many companies large and small, the policy for centralized backup control is a faded note on the back door saying, “Remember to back up your PC files to the network before you go home.” A business owner might assume that data is getting manually backed up at the end of the workday by an employee who instead actually intends to rush off to pick up his or her kids at soccer practice.
Ultimately, backups are the responsibility of IT and should not be allowed to fail just because an end user forgets or ignores the need to transfer files manually. To centralize control back into the hands of IT management, backups should be driven by established IT policy and use technology that enforces backups to run automatically and transparently, without relying on the actions of individual device end-users. Such an automated solution must be able to back up every device housing business data, including servers, distributed desktops and mobile laptops, and so needs to be interoperable with all data-housing components distributed across the network.
As an effective policy to prevent orphaned data, the solution should enforce continual, multi-versioned backups whenever distributed, remote or mobile devices are connected to the network, even over dial-up or VPN (virtual private network) connections. Before and during workforce turnover, IT should also lock down potential leaks of sensitive data over corporate or private e-mail by applying content filtering and e-mail security technologies.
For backups of distributed devices to be of value in controlling orphaned data, they must also be complete. Nearly all data recoveries are actually for single end-user files. A viable approach to controlling orphaned data should enable end users to maintain recovery of individual files without IT intervention to ensure a complete, ongoing device backup.
Even inactive backed-up data should only be purged based upon explicit need, and not automatically. Some Internet-based backup solutions, for example, will automatically purge inactive data after calendar intervals, which can be catastrophic in certain cases, such as when an important quarterly report gets automatically purged after only thirty days.
While data storage has become more affordable, there is still no need to store duplicated data unnecessarily. For example, rather than backing up every full file, IT should only back up the delta of any information changed since the previous backup.
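The three storage rules above (keep a version on every update, store only the changed delta, purge only on explicit request) can be seen working together in a small sketch. This is an added example, not code from the article or from any vendor's product; the fixed 4096-byte block size, the DeltaStore class, the approved_by parameter and the sample file name are all assumptions made for illustration.

```python
import hashlib
CHUNK = 4096  # block size is an assumption for this sketch

class DeltaStore:
    """Keeps every version of a file but stores each unique block only once."""
    def __init__(self):
        self.chunks = {}    # sha256 hex digest -> block bytes
        self.versions = {}  # path -> list of manifests (block digests), oldest first

    def backup(self, path, data):
        """Add a version; return how many bytes were newly written (the delta)."""
        manifest, written = [], 0
        for off in range(0, len(data), CHUNK):
            block = data[off:off + CHUNK]
            digest = hashlib.sha256(block).hexdigest()
            if digest not in self.chunks:
                self.chunks[digest] = block
                written += len(block)
            manifest.append(digest)
        history = self.versions.setdefault(path, [])
        if not history or history[-1] != manifest:  # unchanged file: no new version
            history.append(manifest)
        return written

    def restore(self, path, version=-1):
        """Rebuild one version, verifying every block against its digest."""
        out = []
        for digest in self.versions[path][version]:
            block = self.chunks[digest]
            if hashlib.sha256(block).hexdigest() != digest:
                raise ValueError(f"corrupt block {digest[:12]} in {path}")
            out.append(block)
        return b"".join(out)

    def purge(self, path, version, approved_by):
        """Versions leave the store only on an explicit, attributed request."""
        if not approved_by:
            raise PermissionError("purge requires a named approver")
        removed = self.versions[path].pop(version)
        live = {d for hist in self.versions.values() for m in hist for d in m}
        for digest in set(removed) - live:  # drop blocks no version still needs
            del self.chunks[digest]

def demo():  # constructed sample: a four-block report with one block edited
    store = DeltaStore()
    v1 = b"A" * CHUNK + b"B" * CHUNK + b"C" * CHUNK + b"D" * CHUNK
    v2 = b"A" * CHUNK + b"B" * CHUNK + b"X" * CHUNK + b"D" * CHUNK
    sizes = [store.backup("q3-report.xls", d) for d in (v1, v2, v2)]
    return store, v1, v2, sizes
```

In the sample, the first backup writes all four blocks, the edited copy writes one, and the unchanged third run writes nothing, yet both versions remain restorable until someone named approves a purge.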
Backup Is Not Enough
Legacy backup approaches are not enough. Backed-up data that can’t be accessed when it’s needed in order for business to be productive is effectively worthless. IT needs to employ reliable, flexible and easy options for recovering data — and recovering productivity — after layoffs.
Even successful backups have limited value unless the data can be recovered under any circumstances and with minimal burden on IT resources. Businesses should therefore deploy recovery technology and strategies that are reliable, flexible and easy.
For distributed organizations, turnovers might include closures of entire distributed work sites. Preemptive steps can be taken to ensure backups get replicated to secondary business-owned sites, hardened disaster recovery sites, third-party offsite portal services, or hybrid combinations (e.g., back up executive e-mail to a managed service provider [MSP] offsite, and back up all other data to a secondary business-owned site).
Businesses often deploy devices far beyond the intended — or supported — service lives of the hardware or drivers. During a major workforce turnover or corporate restructuring, data may need to be restored to new or larger device platforms, even to virtual environments. IT should confirm any bare metal recovery solutions include the capability to restore data, applications and operating systems to dissimilar hardware.
While all businesses should prepare for catastrophic data recovery, they must also weigh cost and complexity. Larger businesses struggle for optimal productivity from shrinking IT staff, and smaller businesses rarely even have a data recovery expert on site. Enabling user-directed restoration of their own individual files without administrative intervention can drastically reduce burdens on IT resources and lower recovery overhead costs.
Considerations Beyond Turnover
Workforce turnover is just one area to consider in data loss prevention. A comprehensive approach to orphaned data is essential for best operating practices. Natural disasters, a stolen laptop, or a user simply saving the wrong file version can all lead to lost data. Any lost data can be very bad for business.
Additionally, business owners can be liable under regulatory mandates to ensure that certain data is kept backed up and recoverable for auditing purposes. To establish best practices and simply provide peace of mind, IT should identify their exposure to potentially orphaned data and deploy centrally managed solutions that allow for reliable, flexible and easy data recovery.
Chris Winter is the director of CDP product management for SonicWALL with responsibility for the CDP backup and recovery product line.