The Importance of Uptime
Our dependency on computer networks for business transactions is greater today than it’s ever been. The prevalence of e-commerce websites, retail point-of-sale devices, inventory databases, and business email and Internet phone systems means businesses can quickly become paralyzed if users are unable to access the information they need, when they need it. Ensuring availability is the third and final component of the security triad.
The other two components of the triad, confidentiality and integrity, should not be given less priority; however, loss of availability is in many ways the greatest threat to many small and midsize businesses staying afloat.
In fact, two-thirds of small businesses say that their business is dependent on the Internet for its day-to-day operations, 38 percent characterize it as very dependent, and 67 percent say they have become more dependent on the Internet in the past 12 months, according to research from the National Cyber Security Alliance/Symantec.
What is data availability?
Information only has value if the right people can access it at the right times.
From your organization’s perspective, this means that when authorized parties need to access important data, they have the uninterrupted ability to access it. Likewise, if your business has customers who rely on online resources for information or to purchase goods and services, data availability means they are able to do that without frustrating delays.
So, having established what availability means, can we actually quantify it in terms of uptime and downtime? The amount of downtime—when information or online services are not available—will vary depending on what your priorities are. But, given that your business may be exclusively an online vendor or extremely dependent on connectivity to other online systems and resources, it may not be able to recover quickly from a short period of downtime—and in some cases, may not survive at all. In the industry, in terms of acceptable uptime, we talk about the principle of nines, with five nines (99.999% uptime) essentially being the “Holy Grail” of availability. That means you get a total downtime of approximately five minutes and 15 seconds per year with 99.999% uptime.
Threats to data availability
There are essentially three ways the information you or your customers need may not be available:
Denial of Service attack by a malicious third party
It is easy to think about loss of accessibility to resources or downtime when faced with natural disasters such as flood, fire or earthquakes, or when there’s human error, such as someone inadvertently pulling a power cord, or making the wrong temperature adjustment in a data center or data closet. But we also need to think about the impact of a growing trend that no business, regardless of type or size, should ignore: malicious security incidents. Just like natural disasters or human error, security incidents can have a negative impact on business, resulting in significant operational expenditure costs, lost revenues, decreased customer satisfaction and erosion in brand reputation. Such downtime not only can be costly; it could even lead to the failure of your business.
Denying access to information has become a common attack. Almost every week, you can find news about high-profile websites being taken down by DDoS (Distributed Denial of Service) attacks, where a vast amount of malicious traffic can be generated by one person using large numbers of compromised computers. The primary aim of DDoS attacks is to prevent network availability by saturating or choking the network connection or website resources with so much traffic that it renders it unusable.
We think about DDoS in terms of cyber warfare at grand scale, but the reality is that these attacks against businesses are increasingly being used for criminal purposes such as extortion, where businesses are threatened with a significant outage of services unless they pay a fee to prevent that. In many cases, the criminals have launched a short-term attack to demonstrate their capability and then sent an extortion demand. If faced with an extortion demand, you should immediately contact the FBI, and do not pay the extortion demand, as that only serves to fund further criminal activity.
How can I protect my data availability?
The first step to protecting your availability is understanding how much downtime you can afford without it seriously having an impact on the continued viability of your operations. What does that look like: one hour, one day, one week? Remember that calculating potential losses in sales is far easier than calculating the loss in reputation. There may also be significant costs to recover lost or missing data or to rebuild or repair lost equipment or facilities.
Backup is key. Regularly doing off-site backups can limit the damage caused by compromised hard drives or natural disasters. For highly critical information services, redundancy might be appropriate. If you have your own data center, having an off-site location ready to restore services in case anything happens to your primary data centers will heavily reduce downtime.
Training is critical. Making sure your employees operate safely and responsibly significantly reduces the risk of downtime. According to the Ponemon Institute’s “Cost of Data Center Outages” report, human error accounted for almost a quarter of all outages in 2015.
Protect your network. Make sure your servers and network resources have the latest security updates and patches, and that you have adequate firewall protection. This will reduce the risk of those resources being exploited.
Think about a cloud-based solution. By hosting your critical resources in the cloud, you may be able to benefit from a broad, scalable, secure and redundant architecture. This is an increasingly popular and affordable option, and more and more critical services can be completely supported this way.
Make sure you have enough bandwidth. Some DDoS attacks may consume any and all bandwidth you have, but you still need to make sure you have enough to negate the impact of smaller-scale attacks.
Next time, I’ll be discussing the security risks related to IOT (the Internet of Things) and what you can do to better secure the growing number of devices that may be already connected to your network.