Pay Me Later Security

Pay Me Later SecurityToday is Tax Day in the United States, although this year we have a reprieve until April 18, because of Emancipation Day celebrated in the District of Columbia.  Taxes go to many things, just as revenue dollars do in businesses.  They help pay for roads, bridges, national defense, police, firefighters, and a million other things.  Unfortunately, there seems to be a lack of funds going toward protecting people’s personal data.

Just in the last few weeks there have been a large number of data breaches from the US federal and state governments.  The issues with all these incidents are the same.  Your and my personal information is not adequately protected, but the reasons are not the same.  Some were database hacks, some were lost or stolen PCs and many were negligent behavior.  Whether the negligence came out of ignorance or a lack of following process and procedure is irrelevant.  The outcomes were the same. 

Here is a sampling of government data breaches in the last few weeks:

And of course this doesn’t even count the large data breaches last year when US Army Private Bradley Manning stole US Department of Defense and US State Department documents and sent them to Wikileaks.

Add to this a rash of large data breaches from the private sector:


None of the stolen information was encrypted, which is the easiest thing to address.  Encrypting data on a laptop is a must for any organization with sensitive information.  Using a persistent security policy on internal documents, like those at US Airways, would have allowed the company to kill the document as soon as they found it missing.  All major databases have built in ways of encrypting data.  Developers need to do this when designing any system that contains sensitive information.

While technology is important to protecting data, the lack of security awareness in handling sensitive information is another problem.  In the case of BP, someone lost their laptop that contained sensitive information on thousands of Gulf Coast oil spill victims.  In the case of the VA medical center, an employee inadvertently threw away paper documents with sensitive information.  These people were either not adequately trained on security, or they were negligent is applying what they learned.

Governments and the private sector spend millions of dollars on perimeter and infrastructure security, but very little on protecting their data and content.  Spending money protecting the IT infrastructure is important.  We all need perimeter defenses, like firewalls, server protection, like access control lists, and desktop/laptop protection, like anti-virus software.  But we need to protect the last mile, which is the data.  If we don’t, all these data breaches will continue.  That protection involves people, process and technology.  The greatest technology in the world won’t work if people don’t use it.  Using my old analogy, if you forget to set the alarm, the greatest security system in the world is useless.

Take a look at your IT budget and see how much you are spending on protecting your content.  That includes training your people on information security.  And while you are at it, ask your government the same question.  It may be a lot lower than you think. 


Photo credit stevendepolo

Book a meeting