April 22, 2008: someone lifted a Bank of Ireland laptop that held sensitive information for 10,000 account holders. April 17, 2008: a noteook belonging to the Connecticut State Universities System went missing, compromising data on 3,500 students. And, perhaps most notoriously: on April 24, a Mexican press member swiped BlackBerrys belonging to White House staff members, who left the devices unattended while in a meeting.
It sounds like the sky is falling, but enterprises worldwide deal with data-loss scenarios daily. According to Carsten Brinkschulte, CEO of backup services vendor Synchronica, the United Kingdom's Metropolitan Police found in 2006 that more than 10,000 cell phones are stolen monthly in London, and another 10,000 mobile devices languish forgotten in the backseats of the city's taxicabs.
"Lost laptops are usually the result of forgetfulness, or the theft of the physical device is for its value," says Chris Winter, director of product management for SonicWALL, an Internet security solutions provider. "Only in a small number of cases are laptops targeted for their actual data content."
Indeed, devices are replaceable; it's the data that's valued most.
In an increasingly mobile world, more employees are using wireless devices to store critical data. If the device isn't regularly connected to the corporate network for backups, that data goes unprotected for a long time, says Winter. Even worse, if a missing smartphone lacked a backup solution, it's nearly impossible to recover information that was stored solely on the device, says Brinkschulte. For an employee who keeps all business contacts in a device's phonebook, it may take many months to rebuild that business network, seriously impacting the worker's productivity.
Gartner Research estimates that an enterprise spends approximately $6,000 to replace and configure a single notebook and restore the data recovered from backups.
"Security policies, and employee support of them, vary a lot from company to company, and indeed, from industry to industry," says Brinkschulte. "Many enterprises are becoming aware of the importance of sufficiently protecting data held on mobile devices, and are putting in place solutions to deal with this. For employees, if the solutions and policies are not intuitive and disrupt their daily duties, there may well be issues with these being properly followed."
One traditional method of backing up data on a handset is via direct cable connection to a desktop computer or notebook. For highly mobile professionals, however, this isn't possible on a daily basis, if at all, Brinkschulte explains.
So what's a company to do when notified that a mobile device is M.I.A.? Damage control should be the first priority; risk-analyze the content on the device and identify its potential for misuse and abuse. If the data is deemed critical, remote synchronization is possible if the device is still powered up, ensuring that the device's data has been backed up as recently as possible.
Ward Pyles, security analyst for Southern Company -- one of the largest power suppliers in the U.S. -- says one problem plaguing the data recovery field is the ability to handle different smartphone platforms. "These days, we're dealing with Windows Mobile phones, BlackBerrys, even the iPhone. We need a solution to fit as many of [these platforms] as possible," he says.
The easiest way to back up data is to do a data dump or make an image of that media, using a software program such as Logicube. This kind of software enables a media-to-disk copy of data while also authenticating it. "The average company doesn't need full forensic capabilities," Pyles says.
The biggest issue in the data recovery world is validating that backups are successful, adds Pyles. Smaller enterprises that may not have extensive I.T. resources are most likely to suffer from invalid backups. The problem most often is that the image gets corrupted during the backup process, or the desired data is somehow missing, which can be very problematic if the enterprise falls under industry regulations such as Sarbanes-Oxley. "Companies need a backup plan even for backups," Pyles says.
The problem with invalid backups isn't with the backup software itself, but with the process involved with backing up data. "If you don't test your backups, you don't know if it will work when you need it to work," adds Pyles.
The Information Technology Association of America reports that 80% of SMBs lack adequate data protection.
That said, backing up data on a handset via VPN is enormously data intensive and simply not feasible for most enterprises. It can involve as much as 30 GB of data and run up to 30 minutes, which drains the battery.
Synchronica's Mobile Backup solution employs a Web-based interface that workers can use to manage backed up data. It leverages over-the-air configuration, eliminating manual setup.
SonicWALL's Continuous Data Protection solution backs up information in online storage each time data is created or modified. Its backups are performed each time a user connects to the corporate network.
Pyles sees virtualization and application presentation as the answer to the data backup and recovery dilemma in the future. Because working through applications on a presentation server is essentially computing "in the cloud," it's easier to organize, protect and control your data, explains Pyles.
Southern uses many different types of backup software and has even developed its own internal solutions. "Depending on what we're backing up, we use the right solution [for the situation]," explains Pyles. While it's difficult to determine the impact of data loss on an enterprise, he says, "if you have the proper business continuity plan in place, there shouldn't be a major problem."
Southern's field employees travel with Panasonic Toughbook laptops in their trucks and, for a while, had problems with miscreants burglarizing the vehicles and taking the devices. For this reason, the company no longer stores data locally on the devices.
"Let's not rely on having to recover data," says Pyles. "Let's ensure that we have a backup."