The Cost of Data Loss: Unpacking System Vulnerabilities and Mitigation Strategies
By Thomas Hamata and Job Angula
In the wake of digital transformations, data has become one of the most critical assets for businesses. Yet, its effective management is often filled with challenges, leading to significant losses that can cripple operations.
One well-documented case of significant data loss occurred in 2017 when GitLab, an online service that helps software developers manage their projects, experienced a significant data incident. During routine maintenance, an IT administrator mistakenly deleted a crucial part of their system on the wrong computer server. This mistake resulted in the loss of 300 GB of critical data, including important project information that could not be fully restored because their backup systems also failed to work correctly.
Over the past few months, our discussions with various local audit and risk executives have highlighted a recurring theme: data loss is posing a significant and persistent threat to the continuity of business operations and the integrity of data for many organisations right here at home. These executives have emphasised the serious implications of such incidents, underscoring the need for robust measures to safeguard data effectively.
Understanding data loss and its risks
Data loss refers to the unforeseen loss of critical information due to various factors ranging from technical malfunctions to malicious attacks. The repercussions of such incidents extend beyond mere operational disruptions; they also entail substantial reputational damage, regulatory complications, and severe financial losses. For instance, the loss of debtor records can disrupt cash flow, impair debt recovery processes, and complicate financial reporting, potentially leading to severe compliance issues and financial instability. The nature and severity of these impacts often vary depending on the type of data involved and the specific systems affected.
Common causes and underlying issues
The root causes of data loss are manifold but frequently include human errors such as accidental deletions, system failures, and increasingly, sophisticated cyber-attacks like ransomware. However, these factors are often symptoms of deeper systemic issues within an organisation's IT general controls (ITGCs). In many cases, inadequate ITGCs—such as weak access controls, insufficient change management procedures, and the lack of robust data backup strategies—are the real culprits that expose businesses to data loss risks. These control lapses create vulnerabilities that can be exploited easily, pointing to a critical need for strengthening these foundational controls.
Short-term fixes vs. long-term solutions
Faced with the immediate aftermath of data loss, many organisations turn to digital forensics as a quick fix to recover lost data. While digital forensics can be effective in retrieving lost information and tracing the source of a breach, it does not address the underlying weaknesses in ITGCs that allowed the breach to occur in the first place. Specifically, ITGCs such as:
robust backup protocols ensure data can be restored to a pre-loss state, minimising operational disruption;
strong access controls prevent unauthorised users from accessing sensitive data, reducing the risk of both accidental and malicious data deletions, while;
effective change management ensures that system updates and changes are conducted securely and do not inadvertently open up new vulnerabilities.
Without a comprehensive overhaul of these controls, organisations are likely to face repeated incidents, leading to a cycle of loss and recovery that does little to fortify the business against future threats. Strong ITGCs help organisations build a more resilient infrastructure that both mitigates the risks of data loss and also aligns with best practices for data protection and compliance.
The discussions and incidents highlighted in recent weeks underscore the critical need for robust ITGCs as the cornerstone of effective data management and protection strategies. By moving beyond mere compliance to fully integrating strong general controls into all levels of IT operations, organisations can not only mitigate the risks of data loss but also enhance their overall resilience and reliability. As businesses continue to navigate the complexities of the digital landscape, the focus must shift from reactive solutions to proactive safeguarding measures that secure both data and the future of the business.
