DATA LOSS AND BUSINESS RISK
Risk is a measure of potential economic loss, lack of return on an investment or
asset, or material injury. Another way to state this is that risk is a measure of
exposure to harm. Some common risks are material loss (for example, damaged
equipment, facilities, or products), risk to sales and revenue, lawsuits, project failure,
and market risk. Risk is associated not only with hard assets, such as buildings
or machinery, but also with revenue, customer loyalty, and investments in
projects.
How risk is measured depends on the assets deemed to be at risk. In computer security circles, risk is usually a measure of threats (the capability and willingness for malicious behavior), vulnerability (the holes in the system that can be exploited), and harm (the damage that could be done by a threat exploiting a vulnerability). No matter how you measure risk, the most important component is harm. Without harm, there is no risk.
Insurance, locked cabinets, background checks, and currency hedges are ways that companies seek to minimize harm to their assets and the profitability of the business. If one thinks of information as being a corporate asset, protecting the underlying data is necessary to ensure the value of the asset and prevent its loss. Ultimately, data protection is about mitigating business risk by reducing the ability of some threat to do harm to mission-critical data.
The Effect of Lost Data on Business Operations
Companies recognize that data loss represents a business risk. Even if a monetary
value is not assigned to the data, the negative effects on operations can be significant.
In many cases, corporate operations can be so adversely affected that companies
feel the need to mention the risk in regulatory filings and shareholder
reports.
Three types of damage may occur because of data loss. First, data may be unrecoverable. In this case, important business records may be lost forever or available only in hard-copy form. Any business process that is dependent on that data will now be considerably hindered. This is the worst form of damage that can occur.
Next, data may be recoverable but may require considerable time to restore. This scenario, the most likely, assumes that data is backed up in some other place, separate from the primary source. This is a better situation than irrecoverable loss, but the data will be unavailable while recovery operations take place. In some cases, not all the data may be recovered. This is a common problem with data restored from nightly backups. Any data created during the day when the primary data was lost is not on the backup tapes and is lost forever.
Finally, while data is unavailable, either permanently or temporarily, applications not directly related to lost data may fail. This is especially true of relational databases that reference other databases. Loss of a central database of customer information, for example, may cause problems with the sales system because it references customer information. A loss of this type can result in cascade failures, in which several applications fail because of their dependence on another application's data.
RISK TO SALES
A company may suffer measurable harm when data loss makes it impossible for it to interact with customers. The result is that the company will not realize sales and revenue.
E-mail has become a primary form of corporate communication. Losing an important e-mail or attachment may mean that a customer may not be serviced correctly; thus, sales are lost. This is especially true of companies that sell capital equipment to other companies. A hard drive crash on the e-mail server may cause an important bid to go undelivered. The salesperson may not even know that the bid was not received by the customer (because it is sitting in the Sent folder stored on a local hard drive) until the sale is lost.

