
Safety and database

Winter is over and business activities are resuming at high speed. SMEs are focused on production and profit and often disregard database safety. Here are a few tips given by Jocelyn BOUILHOL of the « Espace Numérique Entreprises » association, which promotes the SI PME system (designed to help all businesses develop their information systems).

 

Database systems safety for SMEs

The PRISM scandal at the NSA has publicly exposed a shocking traffic in economic data, and raised a lot of questions about the safety of sensitive data. Company directors are responsible for taking the necessary measures to guard against the many risks that have been brought to their knowledge.

But the most worrying question is how to protect the client data held in your systems. In the event of an incident or information leak, you might be held responsible by your clients. At INDUSTRIE, you will find a few tips and solutions that might come in handy to enhance the safety of your database.

 

Safety Audit

This audit is recommended to analyse all the elements of your information system. A technical analysis alone is not enough: one must also analyse the overall operating processes, as well as employees' awareness of this particular issue. Taking part in social networks and using mobile devices (tablets, laptops...) are new practices to take into account.

Following this study, a matrix of all the malfunctions and risks is drawn up, which defines the necessary actions and corrections to be put in place.

Essential points of the safety of the information system.

The core element of this safety is a properly set-up firewall, but the overall safety policy for the information system is only enhanced by drawing up a BCP (Business Continuity Plan). This plan is based on the following preventive approach: if an incident were to happen to the business, what solutions do we have to continue working despite the issue? The BCP also includes a recovery package that lists the important measures to take after a serious incident that has completely blocked all digital tools. This recovery process involves regular backups following a precise schedule, as well as the steps to follow to restart the system.

Another efficient solution is to draw up an IT charter addressed to the entire workforce of the company, management included. This charter includes a detailed list of instructions for using the IT systems and what employees are and are not allowed to do with the tools at hand. All these preventive measures are limited, of course, as there is no “zero-risk” situation short of blocking the whole system. It is hence very important to estimate the best safety level, one that keeps the system simple and user-friendly but still safe enough. Beware, then, not to shut down all access, as a company isn't a fortress. It is about taking calculated risks.

It is necessary to keep an organised database in all businesses. The data is divided between “white data” (70 to 80% of the information produced by the company, which is not of major importance), “grey data” (the current projects) and “black data” (5% of the company's data: client files, innovations and information on new products). By focusing the safety process on these 5%, most of the risks are avoided.

Finally, it is important to remember that an SME that deals in sub-contracting has a client base of decision makers. If a malicious person wanted to access their data, the weak spot in that chain of information could be the SME itself. This underlines the need for a joint effort to enhance digital security, for oneself and one's clients together!

 

How to find useful tips?

Most people tend to turn to the Chamber of Commerce and Industry, which has its own economic intelligence systems. This label covers all the measures needed to handle a company's digital database efficiently (defensively or offensively). Professional organisations as well as company unions also offer this type of service. Police stations and the Central Directorate of Internal Intelligence can also be of precious help in case of a digital attack. There are also many training classes available that cover all of these questions, and audits or a digital charter can be carried out in addition. In the Rhône-Alpes region of France, the Espace Numérique Entreprises (Digital Space for Companies) organises this type of support scheme, which is partly financed by the public authorities.

 

An SMI can apply the basic safety rules to protect itself, such as a weekly backup on an external drive (which shouldn't be kept next to the main fixed drive!). For example, an SMI was the target of an internal sabotage action that deleted all the contact lists from its computer base. Regular backups would limit the consequences of such incidents. Where no preventive measure was in use at the time, the data can still be recovered, but at a high cost.

When one has experienced such issues, considering the necessary investments (tools and training courses) to prevent any such event becomes a lot easier. If you have avoided this so far, the time has come to protect yourself!

 

For more information: ENE (Lyon) 04 37 64 46 10 - www.ene.fr and the French Chamber of Commerce network.

Guide de la bonne hygiène informatique (“Guide for a good digital hygiene”), published by ANSSI (FNISA, French Network and Information Security Agency): http://www.ssi.gouv.fr/IMG/pdf/guide_hygiene_informatique_anssi.pdf