By Dr. Jim Kennedy
All too frequently in the last few years the public has been subjected to the news that yet another company has suffered a data breach, and that private or sensitive information about individuals has been lost or stolen. These are not mom-and-pop shops or small businesses; they are major corporations, well-known institutions and high-level governmental organizations. The breaches involve millions of customer files, thousands of medical records, or critical intellectual property that has either been taken for fraudulent use or simply lost, with no one in authority able to account for its whereabouts.
At least 43 US states, the District of Columbia and Puerto Rico have enacted legislation requiring notification of security breaches involving personal information when they happen. Yet in a recent survey as many as 10 percent of the five hundred companies queried did not even know whether they had lost data to laptop theft in the last year, and only a handful could state with some certainty that they absolutely had not. This is because all too many companies do not have a really good understanding of what data they hold, where it resides and how it moves within their organization.
When a data loss or theft occurs, many innocent people are forced into the personal nightmare of finding that their credit or debit cards are being improperly used or that their personal information is being fraudulently misused. Many debit card holders do not even realize that they must take immediate action to notify their card companies in order to limit their personal financial liabilities.
In other cases the breached companies themselves find that their competitive position is suddenly being compromised: critical information about customers, secret processes, or financial data (taken either directly from their corporate computers or from stolen or lost backup tapes and laptops) is now being used against them by competing companies.
These companies will then spend hundreds of thousands or even millions of dollars to provide credit fraud and identity theft protection for each person compromised, while crafting a most apologetic communication for the press and the public at large. That is money that could and should have been spent to prevent such losses from occurring in the first place.
There are two important factors that seem to be exacerbating the problem:
• There is an increasing threat of data thefts and losses occurring from inside the organizations where the data resides.
• The increasing use and availability of portable USB memory sticks, external drives, and flash drives.
What is most interesting is that today’s companies, hospital and healthcare organizations, and government agencies have access to technology that can virtually eliminate the potential misuse of lost or stolen data, and they know it exists. However, in a survey taken recently by a well-respected public- and private-sector security organization, less than half of the respondents had used hardware or software technology to protect their organizations and their constituents from the consequences of a data loss or theft.
Simple data encryption technology would remedy the majority of the reported cases of lost or stolen data arising from occurrences such as:
• Lost laptop
• Lost backup tapes
• Data in transit being viewed on the network (Internet or intranet)
So if more organizations simply encrypted their data, a majority of the problems could be eliminated.
So why don’t they encrypt data? Many corporations are concerned that if they were to lose their encryption keys, critical information might be lost forever. So in the grander scheme of things it is easier to pay for the loss than to develop better encryption key management and administration. Others simply don’t want to add any additional perceived complexity to their operations.
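The key-loss worry raised above is what key management is for: a recovery copy of the key is escrowed so that losing the everyday key does not lose the data. The Go program below is an added illustration, not code from the article or from any product it mentions. Each record is encrypted under a random data-encryption key (DEK) with AES-256-GCM, and the DEK is itself wrapped under two independent key-encryption keys (KEKs): the user's and an organizational recovery key assumed to be stored separately. The Envelope, Encrypt and Decrypt names and the sample record are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the stored form of one encrypted record (name is this example's own).
// The data is sealed under a per-record DEK; the DEK is wrapped under two
// independent KEKs, so losing either KEK alone does not lose the data.
type Envelope struct {
	Ciphertext    []byte // AES-256-GCM output with the nonce prepended
	WrappedUser   []byte // DEK sealed under the user's KEK
	WrappedEscrow []byte // DEK sealed under the organization's recovery KEK
}

// newKey returns 32 random bytes for use as an AES-256 key.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// seal encrypts plaintext with AES-256-GCM under key, prepending the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; GCM's authentication tag makes a wrong key or a
// tampered ciphertext fail with an error instead of yielding garbage.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Encrypt seals plaintext under a fresh DEK and wraps that DEK under both KEKs.
func Encrypt(plaintext, userKEK, escrowKEK []byte) (*Envelope, error) {
	dek, err := newKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext)
	if err != nil {
		return nil, err
	}
	wu, err := seal(userKEK, dek)
	if err != nil {
		return nil, err
	}
	we, err := seal(escrowKEK, dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{Ciphertext: ct, WrappedUser: wu, WrappedEscrow: we}, nil
}

// Decrypt recovers the data with whichever wrapped DEK and KEK the caller still
// holds: the user's pair in normal operation, the escrow pair after a key loss.
func Decrypt(env *Envelope, wrappedDEK, kek []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext)
}

func main() {
	userKEK, _ := newKey()
	escrowKEK, _ := newKey() // assumed to be held offline by the organization
	// Constructed sample record; not real data.
	env, err := Encrypt([]byte("customer 4711, card ending 1234"), userKEK, escrowKEK)
	if err != nil {
		panic(err)
	}
	// Suppose the user's KEK has since been lost: the escrow pair still recovers the record.
	pt, err := Decrypt(env, env.WrappedEscrow, escrowKEK)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered via escrow: %q\n", pt)
}
```

The point of the design is that the recovery KEK never touches the user's workstation or laptop, so a stolen device carries only ciphertext and a wrapped key it cannot unwrap, while the organization keeps a way back to the data if the user's key is forgotten or destroyed.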
There is a wide range of software available today, from numerous sources and at varying costs, that can protect against data theft in the case of a lost or stolen laptop. Once installed on a laptop, this software will automatically notify its owners whenever the device connects to the Internet. The software looks for any identifying information, such as the IP address and other data about where the device is connected, and transmits it as soon as the laptop joins a wired or wireless network. Armed with this information (and with the aid of the proper authorities), administrators can track down the device and potentially recover it. Other software can automatically encrypt or lock access to storage if a lost laptop is not connected to a recognized network within a predefined period of time.
Still other types of protection software can be installed on computers to disable the use of mass storage devices connected to their USB ports. When such a device is connected, an alert is immediately sent to a security e-mail address notifying administrators, and the offending port is then automatically deactivated internally, preventing any information from being taken from the computer unless the protection mechanism is deactivated by a systems administrator with proper authority. This also prevents malware from being introduced into the computer.
This article has only scratched the surface, providing information on a few of the types of technology available to protect against data loss and theft. Its intent, however, was to inform the reader that there are many ways to reduce or eliminate data loss and theft of the kinds experienced over the last few years and publicized in the press. The issue the article wants to impress upon the reader is one of due diligence. We as corporate or governmental IT security or business continuity experts need to make sure that our organizational leaders have the information they need to make informed choices for the protection of critical and sensitive information: to decide between implementing adequate controls and safeguards now to protect against these risks, or potentially paying later in reparations and in the lost confidence of those whose data they (senior management) have been entrusted to protect but have lost or allowed to be taken.
Dr. Jim Kennedy, MRP, MBCI, CBRM, CHS-IV has a PhD in Technology and Operations Management and is the Business Continuity Services Practice lead and principal consultant for Alcatel-Lucent. Dr. Kennedy has over 30 years' experience in the information security, business continuity and disaster recovery fields and has been published nationally and internationally on those topics. He is the co-author of two books, ‘Blackbook of Corporate Security’ and ‘Disaster Recovery Planning: An Introduction’, and author of the e-book ‘Business Continuity & Disaster Recovery – Conquering the Catastrophic’. email@example.com
Date: 11th June 2008 • Region: US/World • Type: Article • Topic: ISM