Today is Tax Day in the United States, although this year we have a reprieve until April 18, because of Emancipation Day celebrated in the District of Columbia. Taxes go to many things, just as revenue dollars do in businesses. They help pay for roads, bridges, national defense, police, firefighters, and a million other things. Unfortunately, there seems to be a lack of funds going toward protecting people’s personal data.
Just in the last few weeks there have been a large number of data breaches from the US federal and state governments. The issues with all these incidents are the same. Your and my personal information is not adequately protected, but the reasons are not the same. Some were database hacks, some were lost or stolen PCs and many were negligent behavior. Whether the negligence came out of ignorance or a lack of following process and procedure is irrelevant. The outcomes were the same.
Here is a sampling of government data breaches in the last few weeks:
- IRS hit with theft of nonprofits’ identities
- SSA exposed SSNs, names, birth dates for 36,000 people
- Texas data breach exposed 3.5 million records
- Oklahoma State Department of Health has laptop stolen with 133,000 medical records
- Veterans’ personal data exposed by an employee at a VA medical center
And of course this doesn’t even count the large data breaches last year when US Army Private Bradley Manning stole US Department of Defense and US State Department documents and sent them to Wikileaks.
Add to this a rash of large data breaches from the private sector:
- Epsilon Data Management has millions of records hacked
- US Airways employee leaks data on 3,500 pilots
- Hyundai leaks information of 420,000 customers
- Saint Francis Health System had a PC stolen with personal information of 84,000 patients
- BP lost a laptop with names of thousands of oil spill victims
None of the stolen information was encrypted, which is the easiest thing to address. Encrypting data on a laptop is a must for any organization with sensitive information. Using a persistent security policy on internal documents, like those at US Airways, would have allowed the company to kill the document as soon as it found it missing. All major databases have built-in ways of encrypting data. Developers need to use them when designing any system that contains sensitive information.
While technology is important to protecting data, the lack of security awareness in handling sensitive information is another problem. In the case of BP, someone lost a laptop that contained sensitive information on thousands of Gulf Coast oil spill victims. In the case of the VA medical center, an employee inadvertently threw away paper documents with sensitive information. These people were either not adequately trained on security, or they were negligent in applying what they learned.
Governments and the private sector spend millions of dollars on perimeter and infrastructure security, but very little on protecting their data and content. Spending money protecting the IT infrastructure is important. We all need perimeter defenses like firewalls, server protection like access control lists, and desktop/laptop protection like anti-virus software. But we also need to protect the last mile, which is the data itself. If we don’t, these data breaches will continue. That protection involves people, process and technology. The greatest technology in the world won’t work if people don’t use it. To use my old analogy, if you forget to set the alarm, the greatest security system in the world is useless.
Take a look at your IT budget and see how much you are spending on protecting your content. That includes training your people on information security. And while you are at it, ask your government the same question. It may be a lot lower than you think.