• In my humble opinion you should always prefer "when" over "if", that should be true for security as much as for recovery. With recovery the "when" scenario makes you practice bare metal restores to be prepared "when" disaster strikes, even "if" the chances are quite small that it will happen to you any time in the near future. In fact, you may be making backup copies of every data asset for years without a single occasion where you could not proceed without them.

The same approach might become common for security breaches. You should take measures to minimize the risk, but also prepare for the event and set up proper procedures to act upon a breach. But the big difference with recovery is that it is not just a technical issue. For recovery you only need to convince the management that you need the resources (time being one of them) to be prepared, and the rest can be handled completely by the technical staff, preferably without any interference of those non-technical-schooled managers. If you give us enough hardware, software and time, we'll ensure that everything can be recovered when disaster strikes. At least to a certain extent ...

Security breaches require much broader attention. After putting a plug in the hole, you need to assess the risks of further attacks from hackers using the information they have collected about your technical infrastructure, like accounts and maybe even passwords. You might stumble upon a sieve instead of a single hole, and need additional measures to secure your data from a technical point of view. But there are so many other aspects involved, from communicating the effects to your customers up to changing the policies on access from mobile devices, or even hiring a specialist or ethical hacker to investigate how secure your data actually is.

We can only inform our managers of the threats and risks and of the available countermeasures, but unlike recovery, getting the resources to do something about it is not enough. There are no 'set and forget' solutions, but everyone should know what to do "when" a data breach has occurred and all of a sudden valuable data has become public property. Never say "if" when it comes to security, just like you should never say "if" with recovery measures. Just hope (and pray) that all your preparations turn out to be superfluous for a very long time.