Data and System Security

Threats to Data

Computer software and data are valuable commodities. If a business loses its data, it may no longer be able to contact its customers, or if it can, it might not be able to find all of the customer details. This could lead either to business being lost altogether, or to customers losing confidence in the company because it appears to be incompetent.

Threats to software and data fall into three different categories. These are loss due to:

  • Physical threats – i.e. damage to hardware
  • Software threats – i.e. loss caused by problems with programs
  • Human error or malicious damage

Physical Threats

Threat / Description / Prevention/Remedy
Theft / Your computers or other equipment are at risk from people who want to steal them, either to remove the data or use the parts, e.g. competitors might want to steal confidential company data, or bank details might be stolen for fraudulent use. / Physical security measures: door locks, bars on windows, door entry systems, swipe cards, alarms, etc. Procedural measures: asking visitors to sign in and wear badges, challenging anyone who isn’t wearing one, etc.
Natural disasters / Your data or systems are also at risk from natural disasters such as fires, floods, earthquakes, etc., that might cause your data to become corrupted, or the computers to stop working. / Equipment could be stored in buildings that are waterproof, etc. Backups can be stored in a fire-proof safe.
Power failure / If the power fails, then you are not going to be able to operate your equipment, and data may be lost if it hasn’t yet been saved. / For important equipment, such as file servers, you can attach a device called a UPS (uninterruptible power supply). This acts like a big battery and allows the computers to operate for a short while after the power fails, so that information can be saved and the computers closed down properly.
Equipment failure / Computer equipment is generally very reliable, with the MTBF (mean time between failures) often given in years, but it can still break down. / For safety critical or mission critical computer systems (i.e. systems where you can’t carry on without them), we can use redundancy. This is where the system has several of some key parts, such as sensors or processors, in case one of them breaks down.

Software Threats

Threat / Description / Prevention/Remedy
Software errors / Sometimes, when programs are written, they contain errors that might cause data to be lost or corrupted. / Software must be tested thoroughly before it is sold or given to the customer. Software companies must produce a thorough test plan (just like the one you create for your projects) to try to think of everything the user could do to the system.
Viruses / There are certain programs, called viruses, that deliberately spread and cause damage to data. / Software measures: use virus checking software; install a firewall to stop programs coming in from outside (e.g. the internet). Procedural measures: restrict the use of things like the internet or floppy discs that might lead to the introduction of a virus.

Human Threats

Threat / Description / Prevention/Remedy
Accidental deletion / Sometimes users delete files or data by accident. / Files can be write-protected so that they can’t be deleted. Some programs display an “Are you sure?” type message when you delete things. Lots of programs have an Undo facility. Windows has the Recycle Bin.
Data entry errors / Data may be written down incorrectly, or keyed in wrongly. / Validation; verification.

Taking regular backups and keeping them in a separate place will help you minimise the effect of any of these threats. For example, if you have your computer stolen, you just need to get a new one and restore the old data onto the new machine.

Security Measures

Security of Buildings

There are several reasons why a company might need security systems to protect their premises:

  • To protect products that are under development from industrial spies
  • To protect valuable equipment
  • To prevent unauthorised access
  • Electronic systems are able to provide protection around the clock, seven days a week

Methods of security that a company might employ are:

  • To protect the outside of the premises using closed circuit television
  • To use electronic intruder alarms to warn of unauthorised access
  • To have electronic door entry systems that make the user either type in a number or "swipe" a card. This card may be a "smart" card (i.e. one containing a "chip"), or it may have a magnetic strip, like a credit card.
  • Entry systems are getting more advanced all the time. Electronic systems are now available that can recognise fingerprints or patterns on the cornea.

As well as the obvious benefits of protecting the security of the building from intruders, electronic security systems also have disadvantages:

  • They can be expensive to install
  • It is possible that the equipment might fail, causing a lapse in security
  • Potential intruders can tamper with the equipment

There may also be an impact on jobs (fewer security guards are needed?), and often people don't like to feel that the "Big Brother" cameras are watching them; they feel that their freedom is being taken away.

Security of Data

As well as being protected by stopping people entering the building and physically getting to it, sensitive data on computers is protected in the following ways:

  • Computers and networks have passwords to prevent unauthorised access. These passwords are only issued to people who are authorised to view the information that they protect.
  • Information can be coded, or encrypted. This is especially useful when transmitting information, for example via the Internet.
  • The Computer Misuse Act makes it an offence for anyone to access computer information without permission, or to deliberately damage that information (for example by introducing a virus). This means that "hacking" is illegal and can lead to imprisonment.

People whose information is held on computers are also protected by the Data Protection Act. This is summarised below and detailed in section 1.9 – The Legal Framework.

Computer data is not just at risk from malicious damage. There is also the possibility that an authorised user might accidentally change or delete data, or that some sort of power or mechanical failure might cause information to be lost. Losing data can cause the company to lose time and money as it tries to recover that information. It can also make the company look bad in the eyes of customers, who might want to take their business elsewhere.

Backup and Recovery

To protect against this happening, a backup of the information should be made on a regular basis. Organisations usually have a backup policy, which says when and how often they should back up the data. Because the backups are normally not used, and therefore speed is not an issue, they are often made onto tapes or cartridges, which are relatively cheap but are slow to read and use serial access.

The more often the data changes, the more frequently it will need to be copied onto the backup tape. A school might back up the server every night, so that if anything happens to the server, it won't lose more than a day's work. If a school had a two week timetable, it might use 10 different tapes, one for each day of the school timetable, so that it can go back two weeks to a previous lesson.
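
The ten-tape rotation described above can be sketched in Python. This is an added example, not part of the original notes: files in a folder stand in for tapes, and the start date of the timetable cycle, the tapeNN.tar.gz names and the checksum file kept beside each archive are assumptions made for illustration.

```python
import hashlib
import tarfile
from datetime import date
from pathlib import Path

CYCLE_START = date(2024, 1, 1)  # assumed: a Monday that begins the first timetable week


def tape_slot(day):
    """Return the tape number (1-10) for a school day, or None at weekends."""
    if day.weekday() >= 5:
        return None
    week = ((day - CYCLE_START).days // 7) % 2  # 0 = first week, 1 = second week
    return week * 5 + day.weekday() + 1


def sha256_of(path):
    """Hash a file in chunks so large archives do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def run_backup(source, backup_dir, day):
    """Archive `source` onto the day's tape, overwriting the copy from two weeks ago."""
    slot = tape_slot(day)
    if slot is None:
        return None  # no school day, so no tape is used
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"tape{slot:02d}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=Path(source).name)
    # Record checksum and date beside the archive so it can be checked before a restore.
    archive.with_suffix(".sha256").write_text(f"{sha256_of(archive)}  {day.isoformat()}\n")
    return archive


def verify_backup(archive):
    """True only if the archive still matches the checksum written at backup time."""
    recorded = Path(archive).with_suffix(".sha256").read_text().split()[0]
    return sha256_of(archive) == recorded
```

Running verify_backup before restoring shows whether a tape has been damaged or altered since it was written. Each tape is overwritten after ten school days, so anything older than two weeks cannot be recovered with this scheme.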

A copy of the backup is usually taken off the site, or stored in a fire safe to ensure that if there is a disaster that affects the whole building, then the data remain safe.

Finally a company might have an uninterruptible power supply (UPS) connected to certain computers, e.g. the server. This acts like a battery and allows the computer to operate for a certain amount of time (normally about 20 minutes) should the power fail. This gives the operators time to close everything down properly to help prevent data being lost.

Legal Protection

As well as physical and other types of protection, there are also three laws that are in place to protect computer systems:

Data Protection Act (1998) / The Data Protection Act covers personal data held by companies – they must ensure that it is correct and up-to-date, and hold no more information than is necessary for their business. It also gives the individual the right to look at, and correct, the information held about them.
Computer Misuse Act (1990) / This makes it an offence to gain unauthorised access to (i.e. “hack”) a computer system, or cause malicious damage, such as introducing viruses.
Copyrights, Designs and Patents Act (1989) / This law makes it an offence to copy or steal software. Stealing software includes installing the same copy of a program on more than one computer without a licence.