If you ask most IT professionals today about corporate data security, you will get one of two official answers. Either, “We are all set and locked down”. Or, “We are okay, but need to make some improvements”. I would venture to guess there is another answer if people are being candid. “We are lucky nothing worse has happened.”
If you look at desktop or laptop security, most people have anti-virus, anti-malware and anti-spyware software installed. This is more likely in a Windows world than in a Mac or Linux environment. These are the basics that people need to ensure that rogue viruses and malware don’t destroy a machine. Unfortunately, they don’t prevent the hardest thing to control – the uneducated user who accidentally clicks on a malicious attachment in an email or downloads an executable from a website.
Most organizations have firewalls, intrusion detection systems, DMZs and all sorts of technology to keep the bad guys out. On servers, IT people try to keep up with security patches, but this can be a full-time job. They set up desktops and laptops to automatically install the latest patches and updates. Of course, this doesn’t help if someone takes a document home and works on an unpatched computer. Other data breaches in the news are the results of unpatched applications, SQL servers or web servers. While all of this is necessary, most of the problems occur despite these measures.
Many problems occur because of human error. Just recently the Massachusetts Secretary of State’s office accidentally released confidential information of 139,000 investment advisers to IA Week, an investment industry publication. An employee sent the personal information on a CD as part of a request for public information on registered investment companies. Oops! I’m sure that person didn’t intend to copy the wrong information, but it happened.
More and more data breach problems are caused by innocent people who make mistakes. They copy files onto a USB drive and leave it in a coffee shop. They have an important document on their iPhone or BlackBerry that gets stolen. They are distracted because they are so busy and accidentally copy the wrong files into an email or onto a CD.
With all the potential problems, organizations need to take a different approach to data and document security. A lot of that starts with simple education. Every person in an organization needs to understand what information is confidential and what isn’t. Confidential information needs to be handled differently than marketing brochures and data sheets. It should be encrypted while sitting in a database or in a file server. Access to it should be controlled. USB drives and similar portable media should be encrypted. Any mobile devices, such as laptops or smart phones, should have data encryption.
While the technology is important, having an understanding of the risks and how to behave is equally important. This boils down to people, process and technology. All the technology in the world won’t help if people aren’t educated on how to use it and if it’s not deployed. The same goes for process. A person should not be allowed access to confidential information without specific processes in place on how to handle it.
In the case of the Massachusetts Secretary of State’s office, simple data encryption and a little training could have prevented the problem. They were lucky that IA Week didn’t read the information or use it. Next time, who knows?
Are you secure by accident or by design?
Photo credit: molotalk