It’s 8:15 Monday morning. You’ve just poured your first cup of coffee and slid into your well-worn chair, gently settling into a new week. As you sip your coffee, staring expectantly at your slowly booting computer, your phone rings beside you — it’s the IT department. They inform you that the system you’ve been storing your compliance records on has just done a triple backflip and crashed hard. They’re working on it, but it doesn’t look good. It might be a complete loss.

After picking yourself off the floor and cleaning up your spilled coffee, you might wonder aloud, “OK, in this digital age how do safety departments make sure their data is safe?”

The answer is not to expect safety personnel to become technology experts and begin administering their own systems (though as an IT guy I do understand the allure — computers can be awfully exciting!).

Don’t forget the doughnuts

No, what you want to do is meet with the group that maintains the systems your data is stored on. Get a good feel for the technological safeguards that have been put in place. If you run into resistance to your inquiries, offer doughnuts to your service support. IT guys will do anything for doughnuts.

Once you’ve softened them up with sweets, here are important questions to ask about the technologies and processes that they should have in place to protect your data.

Where is the data being stored? Is it a server-class computer with a redundant architecture or simply a glorified PC?

PCs have come a long way over the years, but they are prone to problems and the occasional catastrophic failure.

Server-class machines are built specifically to act as file or application servers and have more robust architectures less likely to experience problems. If your data is being stored on a server-class machine, how reliable is the equipment? Does it have built-in redundancy so the failure of one device (like a power supply or network card) doesn’t render the system inoperable? Is it located in a protected room with fire suppression and environmental controls?

Does the system use RAIDs (Redundant Array of Inexpensive Disks)? In a RAID, your data is written across several different drives so failure of one drive will not result in the loss of your records. Items like spare power supplies or network cards ensure that your systems maintain availability, but a RAID maintains both data availability and integrity. Data availability is important, but it’s usually far more critical for data to be preserved. I think we would all rather risk a system outage — even for a day or two — than risk losing years’ worth of critical data.

Is the data regularly backed up? This is your last line of defense against data loss — the one that you hope you never have to use. In the event of a catastrophic system error or a disaster (fire, tornado, etc.) at your site, having your data safely stored on some type of offline media (tape, CD, etc.) is obviously critical.

Most businesses I’ve worked with have, at a minimum, performed daily backups of all important data and moved their media offsite on a weekly basis.

What security mechanisms are in place to protect systems from hackers, viruses, etc? Here are a few basic safeguards that every company should consider:

  • Too many companies make the mistake of granting virtually unlimited access to company data — assuming the best of their employees. Even if no one were to intentionally delete or alter records (a generally poor assumption to make), employees all too often accidentally overwrite or delete files. Preventing this can be as simple as setting restrictive permissions on files or within applications. For example, don’t grant someone the ability to alter data if all they need to do is look up records.

  • No system should be operated without an anti-virus package that is regularly updated against new attacks. The risk of infection in today’s interconnected world is just too high.

  • The most well-known protection for systems against hackers is a firewall. Firewalls restrict network activity between networks and are absolutely essential — particularly as a buffer between a company’s internal network and the Internet. But firewalls are not a silver bullet against hackers. Systems must be configured to resist remote exploits. This is known as ‘hardening’ a system. Most successful hacker attacks are the result of systems not being hardened against known vulnerabilities in the software that they are running. Ongoing software updates (or “hot fixes”) are absolutely critical.

    Alert ASPs are a must

    If your company uses a third-party application service provider (ASP) to assist with EHS data management and to store related records, make sure the ASP follows best practices for protecting your data. All too many ASPs cut corners on data protection to save costs, putting your data at significant risk.

    If you’ve made it this far, your head is likely spinning from everything that it takes to adequately protect your electronic records. Of course, hopefully when you sit down with your IT group or ASP, you’ll find that they already have their bases covered and you can sleep peacefully, knowing your records are safe and secure. If so, at worst you’ll only be out a box of doughnuts.