Listen to this article
It was the first and among the most far-reaching data back-up exercises in history. By order of King Ptolemy III (246BC-222BC) all travellers to Egypt had to surrender their books so that copies could be made and stored in his great library at Alexandria.
And then, sometime in the first century AD, those 700,000 scrolls recording the wisdom and literature of antiquity went up in flames – torched, historians say, accidentally by Julius Caesar, or on purpose either by a Christian emperor or a Muslim Caliph who didn’t like the nature of the data (impossible, of course, because the muslim faith was not founded until several centuries later).
Ah, if only Ptolemy’s magi could have thought forwards and invented virtual and remote storage systems ... But is virtual data any safer?
Back-up tapes are just as vulnerable to negligence or malice. Only recently a Canadian provincial authority auctioned off some old tapes which turned out to contain confidential health records. Last June, a box of tapes recording the account information of 3.9m US CitiFinancial customers vanished. Lost? Stolen? No one was sure. But that increased the number of Americans newly open to identity theft to 6m.
Running the back-up policy is a dull job and tends to be offloaded on to junior employees – the very people who are likely to be careless, unaware, or to have least to lose and the most to gain from bribery or coercion.
Outsourcing parts of the back-up lifecycle by using off-site storage adds more staff to the pool of potential targets for criminals who see data as a tradable currency, and one whose value can often be assessed at leisure, since the loss of back-ups is sometimes only discovered when a company searches for them after a week, or a month, or even a year.
And if a clever geek backs up the back-up on to his or her iPod, leaving the original behind, a massive theft may only come to light when victims of fraud start to yell.
Regulatory authorities around the world have woken up to the vulnerability of back-up tapes and other storage media. In 2003, California introduced legislation requiring the disclosure of events involving lost “people data”. Already there have been a number of embarrassing confessions. Similar legislation has been adopted by other states and is being considered by US Federal authorities and the European Union.
Regulatory pressure is going to increase, meaning that companies everywhere in the west will be legally obliged to publicise security failures that could tarnish their reputations beyond repair.
Data Managers need to get a grip on their back-up strategies to ameliorate these growing risks. A little effort now could avert huge costs and humiliation in the future.
Effective encryption methods are crucial, and need not impose significant overheads in human or computer hours – in fact, the compression which is usually a side-effect of encryption can reduce back-up times and the number of tapes required. In response to physical losses, some companies have stopped moving tapes and transmit their data over encrypted network (or even internet) links to remote sites.
Even then, they need to plan carefully to ensure, for example, that if the home base gets attacked with a virus or otherwise wiped, or, like the library at Alexandria, burns to the ground, it was not the only place the decryption key was stored.
In fact, Alexandria did have remote back-up of a kind: copies of thousands of the library’s scrolls were stored across the Mediterranean in a south Italian villa. Unfortunately, that was in the shadow of a mountain called Vesuvius.
■The author works for Pentest, an IT security company that provides independent security consultancy services in the UK, Europe and North America. www.pentest.co.uk