It’s 2012. Do you know where your data is, who has access to it and what they are doing with it?
These are 3 fundamental questions that every organization should ask, because most people can’t answer all of them. You know you have data in databases. Most financial and customer data sits there and is hopefully protected by encryption. If you aren’t sure, you better check. But a lot of that data makes its way into spreadsheets, customer proposals, quotes, reports and numerous other documents. Do you know where all of them are and who is accessing them?
Data breaches seem to be in the headlines almost every day. Just do a Google search on “data breach” and you will get more than 29 million hits. Do a search on News stories in the last month and you will get over 2400. Here are a few interesting stats from 2011 according to the Verizon 2012 Data Breach Investigations Report. The report reviewed 855 confirmed security breaches that affected 174 million compromised records in 36 countries. This is the largest number of breaches ever reported. In all likelihood there were probably more that went unreported or discovered.
Just this week the Florida Department of Children and Families notified 100,000 child care workers that their personal information may have been compromised. It was stored online, but it wasn’t password protected, and low and behold, someone found it and stole it. That’s like waving a sign in front of a bank vault and saying “Come in, please grab your free money”.
No one should store personally identifiable information (PII) online so that anyone can find it with a simple Google search. Passwords are about the most basic form of security we have and at a minimum the information should be password protected. Why was it online at all? PII is sensitive and should be tucked away behind a lot of security. This incident points to issues about data retention, basic security and a lack of training.
Organizations need to understand a few things about their data.
- The data they collect includes some form of PII or other sensitive information
- If a business collects data it will experience a data loss incident at some point
- Data security is everyone’s concern
Most organizations believe that collecting as much information about their customers is very important to their business. They can do better marketing and they need customer information to process orders. This is true to a point. There is a key rule of thumb when it comes to collecting data. You can’t lose it if you don’t have it. This may sound overly simplistic, but think about it. Do you really need a customer’s social security number to process an order or market to them?
When it comes to customer information, keep the data that provides you with a competitive advantage and get rid of the rest. Keeping names, email addresses, industry and similar demographics is adequate for marketing. A better approach is to aggregate data to find patterns, not worry about an individual. Keeping aggregated data and discarding PII reduces your risk of a severe data breach. That may not always be possible, especially if you are in the healthcare or financial services industries. In those cases, you need to understand what you have and who has access to it.
This comes down to data classification and employee training. Every organization needs to define sensitive and confidential data. Where is it, how do you store it and who can access it? If your business requires collecting a social security or national identification number, access to that should be limited. You should keep it separate from other basic information, like name and address.
Next you need to provide employees with privacy and data security training. You should teach people about data collection processes, retention policies, safe handling and sharing of confidential and sensitive information. This also includes the importance of unique strong passwords and safe computing practices. And this is not a one time event, but an ongoing process. Part of the training should be what to do in the event of a data breach. Just like you teach people how to respond to a fire or burglary, they need to understand what to do if there is a data breach.
It’s very important to understand the information in your organization, where it is, how sensitive it is and who can access it. Is it in the cloud, on people’s desktops, in your web server? Many of the data breaches in the past year were caused by sloppy security, like default passwords or no passwords. It’s true that IT is responsible for server and firewall security, but everyone in your organization is responsible for information they touch. Using “password” as a password is still very common. Teach employees how to identify sensitive information and how to handle it properly.
Look at what you are collecting on a regular basis. If it’s PII and you need to keep it, make sure access is limited and the information is encrypted. If you don’t need it, get rid of it. Imagine the look on a criminal’s face if they get into your secured environment and find it’s empty. It’s like opening a safe and finding nothing. Now that’s good security.
Photo credit Arenamontanus