The impact of data loss on a small business or startup is more significant owing to the limited nature of their data storage infrastructure. Larger businesses probably have robust server rooms with sophisticated and highly secured servers, and a remote solution to boot, whereas an entrepreneur probably poured all their resources towards acquisition of the database, and possibly the most basic backup plan.
Some small businesses know nothing of creating backups or disaster recovery solutions, especially since they might not have the expertise required on-staff to handle data loss resulting from malicious breaches or disasters of any other kind. So then, how can you, as a small business owner, protect your business from unwarranted breaches?
- Restricted access
All database users should be given permission to access the database on a need-to-know basis. Transaction logs for all operations by different users should also be maintained and backed up on a regular basis, preferably every day or two. Many small organizations make administrator rights universal, especially where the entrepreneur personally knows and works closely with most employees.
Administrative rights should be limited to the DBA only; everyone else should be allowed access only to the extent necessary for their jobs. This includes everyone in the IT department as well. Upfront controls help limit breaches and protect the privacy of sensitive customer and employee information from prying eyes.
The same DBA or staff member responsible for the database should be responsible for all copies, which should also have restricted access. Backup files should be stored using encryption, so that any surreptitious access does not bear fruit since keys for decryption are with the DBA, and possibly the entrepreneur.
- Database inventory
Controlling access from this point on is fine, but to ensure complete security it is also important to take an inventory of the database files, copies (partial or complete) and backups that already exist. A single production database may have many copies behind it. Larger organizations carry out database inventory counts using automated tools, which also verify that data in copies is appropriately encrypted.
For smaller organizations, this may not be necessary as the DBA and entrepreneur will know where sensitive information is stored.
- Secure current databases
From the list of inventoried databases above, attend first to the databases at highest risk. More often than not there will be data that can be removed, masked, encrypted etc. in order to reduce exposure and simplify the security improvements. At this point, known holes can be closed.
Database security checks in smaller organizations should be carried out quarterly, and become more frequent as the database and organization grows. Disable user accounts that are inactive/no longer in use to ensure that your vital information does not fall prey to the wiles of disgruntled/greedy former employees.
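The access controls in the "Restricted access" section (need-to-know grants, a DBA-only administrator, transaction logs kept for every user) and the account cleanup described just above can be expressed directly in database DDL. The following is an added example in PostgreSQL syntax, not part of the original article; the `sales` and `audit` schemas, the table and role names, and the dates are invented for illustration, and `EXECUTE FUNCTION` assumes PostgreSQL 11 or later.

```sql
-- Added example (not from the article): least-privilege roles, a trigger-fed
-- audit log, and quarterly deactivation of departed users. PostgreSQL syntax.
-- All schema, table and role names are invented.

-- 1. Remove the default that lets any role create objects in "public".
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 2. Group roles describe a job, not a person, and cannot log in themselves.
CREATE ROLE sales_readonly NOLOGIN;
CREATE ROLE sales_clerk    NOLOGIN;

GRANT USAGE ON SCHEMA sales TO sales_readonly, sales_clerk;
GRANT SELECT ON sales.customers, sales.orders TO sales_readonly;
GRANT SELECT, INSERT, UPDATE ON sales.orders TO sales_clerk;
-- Clerks see only the customer columns their job needs (column-level grant).
GRANT SELECT (customer_id, name, email) ON sales.customers TO sales_clerk;

-- 3. One login per person, inheriting exactly one job role. The DBA's own
--    role is the only one with CREATEDB/CREATEROLE or superuser rights.
CREATE ROLE alice LOGIN PASSWORD 'replace-me' IN ROLE sales_clerk;
CREATE ROLE bob   LOGIN PASSWORD 'replace-me' IN ROLE sales_readonly;

-- 4. Transaction log: every change to orders is recorded with the database
--    user that made it. Application roles get no direct rights on the log;
--    the trigger function runs as its owner (SECURITY DEFINER), so clerks
--    can neither read, edit nor forge audit rows.
CREATE SCHEMA IF NOT EXISTS audit;
CREATE TABLE audit.order_changes (
    changed_at timestamptz NOT NULL DEFAULT now(),
    db_user    text        NOT NULL DEFAULT session_user,
    operation  text        NOT NULL,          -- INSERT / UPDATE / DELETE
    old_row    jsonb,
    new_row    jsonb
);
REVOKE ALL ON audit.order_changes FROM PUBLIC;

CREATE OR REPLACE FUNCTION audit.log_order_change() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
    INSERT INTO audit.order_changes (operation, old_row, new_row)
    VALUES (TG_OP, to_jsonb(OLD), to_jsonb(NEW));   -- OLD/NEW are NULL when absent
    RETURN COALESCE(NEW, OLD);
END $$;

CREATE TRIGGER orders_audit
AFTER INSERT OR UPDATE OR DELETE ON sales.orders
FOR EACH ROW EXECUTE FUNCTION audit.log_order_change();

-- 5. Quarterly review: list every role that can still connect, with its
--    expiry, and compare against the current staff list.
SELECT rolname, rolvaliduntil
FROM   pg_roles
WHERE  rolcanlogin AND rolname NOT LIKE 'pg\_%';

-- Lock out leavers rather than dropping them: DROP ROLE fails while the role
-- still owns objects or holds grants, and the name stays meaningful in the
-- audit table. Give contractors an expiry from the start.
ALTER ROLE bob   NOLOGIN;                     -- bob has left the company
ALTER ROLE alice VALID UNTIL '2025-12-31';    -- invented contract end date
```

The review query in step 5 is the one to run on the quarterly schedule the text recommends; anything it returns that is not on the payroll should be set `NOLOGIN` the same day. Passwords are placeholders here; in practice they belong in the DBA's secret store, not in a script.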
- Plan for retirement
There may be a need to get rid of a database. Like everything else, it has a limited useful life. When this happens, the database should be written out in XML format with tags included, which makes future searches or retention needs easier to handle. The XML files should also be appropriately encrypted, backed up, and access to them restricted.
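One way to carry out the retirement step above inside the database itself, as an added example that is not part of the original article: the table is serialized to XML, wrapped in retention tags that can be searched later, and stored only in encrypted form before the live table is dropped. PostgreSQL syntax with the `pgcrypto` extension; the `archive` schema, the `sales.orders_2019` table, the tag values and the passphrase are all invented.

```sql
-- Added example (not from the article): retire a table as tagged, encrypted
-- XML. PostgreSQL with pgcrypto; names, tag values and passphrase invented.
CREATE EXTENSION IF NOT EXISTS pgcrypto;
CREATE SCHEMA IF NOT EXISTS archive;

-- Only the DBA role has any privileges on this table (REVOKE below).
CREATE TABLE IF NOT EXISTS archive.retired_datasets (
    dataset      text        PRIMARY KEY,
    retired_at   timestamptz NOT NULL DEFAULT now(),
    retain_until date        NOT NULL,
    sha256       text        NOT NULL,   -- digest of the plaintext XML
    payload      bytea       NOT NULL    -- pgp_sym_encrypt() output
);
REVOKE ALL ON archive.retired_datasets FROM PUBLIC;

-- Build the tagged document: retention and search tags as attributes on a
-- root element, with the table's rows (table_to_xml) nested inside it.
WITH doc AS (
    SELECT xmlelement(
        name dataset,
        xmlattributes('sales.orders_2019'       AS name,
                      'finance'                 AS owner,
                      '2026-12-31'              AS retain_until,
                      'invoice,order,customer'  AS keywords),
        table_to_xml('sales.orders_2019', true, false, '')
    )::text AS xml_text
)
INSERT INTO archive.retired_datasets (dataset, retain_until, sha256, payload)
SELECT 'sales.orders_2019',
       DATE '2026-12-31',
       encode(digest(xml_text, 'sha256'), 'hex'),
       pgp_sym_encrypt(xml_text, 'passphrase-held-by-dba-only')
FROM doc;

-- Drop the live table only after the encrypted copy has been committed
-- and included in the next backup run.
DROP TABLE sales.orders_2019;

-- Later: the DBA can locate an archive by its tags without restoring it.
SELECT dataset, retired_at, retain_until
FROM   archive.retired_datasets
WHERE  (xpath('/dataset/@owner',
              pgp_sym_decrypt(payload, 'passphrase-held-by-dba-only')::xml))[1]::text
       = 'finance';

-- Integrity check before any restore: the digest must match the plaintext.
SELECT dataset,
       encode(digest(pgp_sym_decrypt(payload, 'passphrase-held-by-dba-only'),
                     'sha256'), 'hex') = sha256 AS intact
FROM   archive.retired_datasets;
```

The passphrase literal is for illustration only; in practice it is supplied by the DBA at run time (for example via `psql` variables) so it never lands in scripts or server logs, and it is the one thing that must not be stored next to the backups that hold the `payload` column.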