Data Security By Accident

If you ask most IT professionals today about corporate data security, you will get one of two official answers. Either, “We are all set and locked down.” Or, “We are okay, but need to make some improvements.” I would venture to guess there is another answer if people are being candid: “We are lucky nothing worse has happened.”

If you look at desktop or laptop security, most people have anti-virus, anti-malware and anti-spyware software installed. This is more likely in a Windows world than in a Mac or Linux environment. These are the basics that people need to ensure that rogue viruses and malware don’t destroy a machine. Unfortunately, they don’t prevent the hardest thing to control – the uneducated user who accidentally clicks on a malicious attachment in an email or downloads an executable from a website.

Most organizations have firewalls, intrusion detection systems, DMZs and all sorts of technology to keep the bad guys out. On servers, IT people try to keep up with security patches, but this can be a full-time job. They set up desktops and laptops to automatically install the latest patches and updates. Of course, this doesn’t help if someone takes a document home and works on an unpatched computer. Other data breaches in the news are the result of unpatched applications, SQL servers or web servers. While all of this is necessary, most of the problems occur despite these measures.

Many problems occur because of human error.  Just recently the Massachusetts Secretary of State’s office accidentally released confidential information of 139,000 investment advisers to IA Week, an investment industry publication.  An employee sent the personal information on a CD as part of a request for public information on registered investment companies.  Oops!  I’m sure that person didn’t intend to copy the wrong information, but it happened. 

More and more data breach problems are caused by innocent people who make mistakes.  They copy files onto a USB drive and leave it in a coffee shop.  They have an important document on their iPhone or Blackberry that gets stolen.  They are distracted because they are so busy and accidentally copy the wrong files into an email or onto a CD. 

With all the potential problems, organizations need to take a different approach to data and document security.  A lot of that starts with simple education.  Every person in an organization needs to understand what information is confidential and what isn’t.  Confidential information needs to be handled differently than marketing brochures and data sheets.  It should be encrypted while sitting in a database or in a file server.  Access to it should be controlled.  USB drives and similar portable media should be encrypted.  Any mobile devices, such as laptops or smart phones, should have data encryption. 

While the technology is important, having an understanding of the risks and how to behave is equally important.  This boils down to people, process and technology.  All the technology in the world won’t help if people aren’t educated on how to use it and if it’s not deployed.  The same goes for process.  A person should not be allowed access to confidential information without specific processes in place on how to handle it. 

In the case of the Massachusetts Secretary of State’s office, simple data encryption and a little training could have saved some problems.  They were lucky that IA Week didn’t read the information or use it.  Next time, who knows.

Are you secure by accident or by design?


Photo credit molotalk

Comments 2

  1. Great article Ron! I've been preaching the same message to my clients. A solid education and awareness program can progressively improve overall information security awareness within an organization, thereby reducing legal risk.

    Unfortunately, education and awareness is a slow process and doesn't yield quick and tangible benefits as technology does. Technology has historically been more appealing and a 'sexier' solution; however, most folks also find that technology is not a silver-bullet solution, and cannot replace the foundational steps that need to be in place to provide for a solid framework for information security.

    My recommendation is to address the building blocks for information security and data security (yes there is a difference) first, with oversight by senior management, by doing the following:

    1) Enhance policies and standards to cover information protection and privacy best practices.
    2) Separate IT security policies from acceptable use policies, and educate business users accordingly.
    3) Provide tailored and continuous education and awareness to address recent threats and vulnerabilities.
    4) Inventory all structured and unstructured data with knowledge of where sensitive information resides.
    5) Classify your information based upon criticality and sensitivity to the business.

    Aaron Momin
    http://www.firstclassify.com

  2. Aaron,

    Thanks for the comments and the great list. I agree that education is a long process and that technology is always sexy. We send our kids to at least 12 years of schooling and they still need more to become productive and responsible citizens. Owning a laptop and an iPad doesn't do it.

    How do you distinguish between information security and data security?
