Earlier this week I was catching up on my email when I came across something that surprised me. I opened an email from a former colleague and attached to it was a spreadsheet titled 3 Year Strategic Plan. Well you can imagine my surprise. My first reaction was this must be a mistake. Since I know the person, I called and asked him if he meant to send this to me. He was shocked and almost panicked. He explained that he sent this to a number of internal people and I should never have gotten it. He concluded that I was in his address book and when he typed R, my name came up. He had a long list of recipients and didn’t look carefully at who was on the To: line.
Another day, another data breach at a university. Eastern Washington University discovered this week that more than 130,000 current and former students may have had their personal information stolen by a hacker sometime in the past year. This is just the latest in a string of universities that were attacked. The scary thing is that the universities are not sure when the breach happened.
Officials think that people are targeting research universities because there is a lot of sensitive, hence profitable, information available. Are these related, are they insiders, are they coordinated? No one knows or would talk if they knew. If this continues, higher education and students could be severely compromised.
Hopefully you won’t have to answer this question, but more than likely you will. The headlines are full of stolen documents or hacked databases, but most of the data breaches never see the light of day. Why not? Because no one wants to talk about their failures and vulnerabilities. If I tell you that your confidential information is now making its way around the Internet, you will lose confidence in me. You might go to my competitor or tell your friends to avoid my company. None of these sound good.
So what do you do?
Did you ever hit the send button for email and do an “oh s**t”? Talk about embarrassing. It’s bad enough if you send it to the wrong person internally. Sending it to someone outside your organization can be more than embarrassing. It could cost you money, reputation and a lawsuit.
One of the big culprits is the type-ahead feature of email programs that help you fill in email addresses as you type. This makes it easy to address an email to frequent recipients. You can type the first few letters of a name or address and the program shows you a list of choices. This works with Microsoft Outlook, Lotus Notes, Gmail, Yahoo mail, Microsoft Hotmail, you name it.
Some email programs have a callback feature to retrieve a sent email before it is read. I call this the Oops feature, but it rarely works. Once you hit the Send button, you are committed.
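Since the callback feature cannot be relied on, the practical defense is a check that runs before the message leaves. The following is an added example, not code from the original post: a small outbound guard that parses the To/Cc/Bcc lines, separates recipients inside the organization from those outside it, and warns when a message with attachments mixes the two (the "typed R and picked the wrong name" case) or when an attachment whose name looks sensitive is addressed outside the organization. The domain list, the sensitive-name markers and the sample draft are all constructed for the example.

```python
from email.utils import getaddresses

# Assumption: the organization's own mail domains (constructed for this example).
INTERNAL_DOMAINS = {"example.com"}
# Assumption: words in an attachment name that mark the file as sensitive.
SENSITIVE_MARKERS = ("confidential", "strategic", "pricing", "proposal")


def is_internal(address, internal_domains=INTERNAL_DOMAINS):
    """True if the address belongs to one of the organization's domains,
    including subdomains such as mail.example.com. Malformed addresses
    (no single '@') are never treated as internal."""
    if address.count("@") != 1:
        return False
    domain = address.rsplit("@", 1)[1].lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)


def check_draft(draft, internal_domains=INTERNAL_DOMAINS):
    """Return a list of warning strings for a draft; an empty list means the
    draft can be sent without prompting the user.

    draft is a dict with optional 'to', 'cc', 'bcc' (lists of RFC 5322
    address strings, display names allowed) and 'attachments' (file names).
    """
    fields = draft.get("to", []) + draft.get("cc", []) + draft.get("bcc", [])
    # getaddresses() strips display names: "Rob <rob@x>" -> "rob@x"
    recipients = [addr for _, addr in getaddresses(fields) if addr]
    internal = [a for a in recipients if is_internal(a, internal_domains)]
    external = [a for a in recipients if not is_internal(a, internal_domains)]
    attachments = draft.get("attachments", [])
    sensitive = [f for f in attachments
                 if any(m in f.lower() for m in SENSITIVE_MARKERS)]

    warnings = []
    for a in external:
        if a.count("@") != 1:
            warnings.append(f"malformed recipient: {a!r}")
    if external and sensitive:
        warnings.append(
            f"sensitive attachment(s) {sensitive} addressed outside the "
            f"organization: {', '.join(external)}")
    if external and internal and attachments:
        # The mis-addressed internal distribution: mostly colleagues, plus one outsider.
        warnings.append(
            f"mixed audience on a message with attachments: {len(internal)} "
            f"internal, {len(external)} external ({', '.join(external)})")
    return warnings


if __name__ == "__main__":
    # Constructed draft mirroring the strategic-plan story above.
    draft = {
        "to": ["alice@example.com", "bob@example.com",
               "Rob Outsider <rob@partner.example.net>"],
        "attachments": ["3 Year Strategic Plan.xlsx"],
    }
    for w in check_draft(draft):
        print("WARNING:", w)
```

The guard deliberately stays quiet for an external-only message with an ordinary attachment, since that is normal business mail; it prompts only on the two patterns the stories in this post describe. Wiring it into a real client means calling it from a pre-send hook and asking the sender to confirm, not silently blocking.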
The recent inadvertent release of a secret TSA manual on a government website shows a breakdown in security procedures by the US Department of Homeland Security. According to the agency, this was an outdated, unclassified version of a Standard Operating Procedures manual. They said it was never implemented and there is no cause for concern. According to information from a Senate hearing, every page of the document said unauthorized release of this information could result in civil penalties. Senator Susan Collins of Maine commented that the manual shows exactly the documents needed to get relaxed screening at a TSA checkpoint in an airport. Seems like a security breach to me, and this is one organization that you would assume should know security. So what went wrong?
The 2008/09 annual report of the Independent Safeguarding Authority (ISA) revealed a lapse in email security. People in the organization sent confidential information to the wrong email recipient. The ISA was set up in the UK to prevent unsuitable people from working with children and vulnerable adults. An investigation concluded that human error was at fault. The ISA has plans to address IT disasters, but is still working on business continuity plans to cover issues like this.
Has this happened to you? I copied a document from my laptop to a flash drive so I could give it to a colleague. She copied the document and handed it back to me. I put it in my laptop bag where I always keep my hoard of flash drives. My son grabbed one so he could take his presentation to school. You can see where this is going. He took the flash drive to school and copied its contents onto a class laptop for his presentation. Lo and behold, he copied my document and yes, there was confidential information in it.
Insider threats continue to represent a major concern for all size organizations.
I recently met with a company that was responding to a major RFP. The company uses a Content Management System and has developed strict procedures to ensure the confidentiality of their files. Unfortunately, one of the staff members who worked on the RFP had an acquaintance who worked for the competition. The employee saved the file to a thumb drive and emailed it to his friend at the competition. That person used the information to underbid the other company and ultimately won the business. Eventually, the theft was uncovered, the individuals involved were fired and the RFP was cancelled. There is no way to determine the cost of litigation, but it is safe to assume that legal costs and fines will exceed $1 million.
Most of us use wireless networks at home and when we travel. The other day I was sitting in an airport waiting on my late flight (that of course never happens), and I fired up my laptop to get at a few emails over the local Wi-Fi hotspot. I was responding to a few items and sent a couple of spreadsheets and documents.
I sent a proposal to a colleague for input before sending it to a customer. The document had pricing and other confidential information in it. Since I was on an open wireless network, a hacker with a Pringles can as an antenna could steal my file. Talk about scary. If I log into my company through a VPN that encrypts my traffic, I should be safe. I was using Gmail, so I may be compromised.
Have you ever sent a confidential e-mail to one or more people only to find out that the e-mail was sent to someone that should not be on the distribution list? One small mistake like this can have a devastating impact on your business! Just ask Rocky Mountain Bank what it will cost them, because there was no way for them to disable an Excel spreadsheet and other documents that were sent out in error.