Tuesday, May 12, 2009

A Culture of Security

I read a lot of technical papers and discussions on methodology of data security, and the philosophy of a security minded culture. A lot of very intelligent people are diligently looking for better and more efficient ways to move data around an enterprise and still maintain a modicum of security. Data is after all the engine that runs modern business. Whether it is described as proprietary information (IP), or developmental operating infrastructure, or a software product, our service-based society is run on data. This intellectual property stuff if compromised, can mean ruining a companies’ ability to maintain a competitive position.

There is even an industry whose whole purpose is to aggregate, sort, re-sort, and sell data. See axciom , choicepoint. or MIB for good examples of that sort of company. These “specialty database” companies have the additional burden of compiling the personally identifiable information of people who are not their clients but instead comprise the very commodity that the business trades in, data.

In my previous career in engineering we were always developing techniques, specialized machines, or circuit designs that would help not only to propel our industry but also to attract customers to our business in particular. Innovation is essential to any industry. Maintaining the security or even secrecy of those innovations is paramount. In order to do that everyone involved must be clear on the concept. Unfortunately when I talk to people in the IT or IS fields protecting trade secrets is usually the kind of data protection that comes to mind. Now and again I meet IT pros, especially in accounting, financial advisory or mortgage firms, who are aware of the importance of protecting the clients personal files. Technical managers are by in large vaguely aware that personnel information is also at stake but that concept is usually rather abstract to them. They are more focused on the throughput of data, encryption algorithms, and the models that contain sufficient justified loops that will safeguard company data files from inadvertent loss or hacked from outside source, while being highly efficient and serving the enterprise more effectively. When I illustrate a case of an unhappy employee that has walked out of the building with the HR employee records on a flash drive to sell it at the local flea market, eyes will glaze over. That doesn’t compute in a technically focused infrastructure. Short of freezing everyone out of the records access there is no working model that will prevent that from occurring. And that is the point. Information that has value, to anyone, can and will be stolen and misused for personal gain. The solutions cannot be simply technical, but instead have to include employee training and awareness. That is why the recommendations within every federal identity theft prevention law include employee training.

It is also critical that companies understand that just as a loss of intellectual property can cripple a company so can the loss of personal information. In fact the loss of personal information has far reaching consequences that extend beyond the incident, and into the realm of public perception. When a company loses the confidence of the general public whether deserved or not, it becomes harder to maintain customers, attract new ones, operating capital is harder to get, and so forth. People believe that when a business is entrusted with their personal information that the company has a moral responsibility as well as a legal one to make every effort to protect it from thieves or accidental leaks.

Its just as important to trust certain employees as it is to have technical safeguards in place. Any culture of security has to have a balance of common sense, technical procedures, and individual education and training. Treat your employees with respect by educating them on the realities of what identity theft can do to a person. With an average of 10 million U.S. victims annually there is no shortage of real life stories of individual ruin from identity theft. If a business can manage to do that kind of training alone then the employees gain a knowledge to not only protect themselves and their families but also an insight and incentive to safeguard the personal information they handle on a daily basis at work. A business must sensibly bring the employees into the solution for data loss by training and education. An informed and empowered employee can very well be the best asset a company can have in stemming the tide of data losses of any kind within the enterprise. I’m sure your employees know what to do in the event of fire, but do they know what to do if they discover that information has been stolen or compromised? That critical path alone can make the difference in whether an attacker gets away with valuable information from your company or not. Don’t rely on the TV ads promising to “stop identity theft before it happens”, or other wild claims to train your staff. Thats kind of like relying on the teenagers in the neighborhood to teach the children about love and relationships, hardly what you want them to learn. Those ads are misleading and have little to do with the realities of identity theft in the every day world.

Monday, May 11, 2009

Data Leak Reveals Massive Security Problems

As I have said many times in this column I rarely write about specific instances of data theft or hacking into large servers at big organizations. The reason is simple, these incidents are so ubiquitous that they lose their impact. Recently U.C. Berkeley revealed that they have been hacked for a number of months to the tune of about 160,000 records. As stunning a revelation as that is I’m not going to comment on that at length. If you want to learn more about that go to http://www.mercurynews.com/.

What I think is more relevant to businesses today is this story.

NetworkWorld brings us inside the data leakage audit of a Boston-based pharmaceutical firm. During the 15-day review, auditors examined outbound e-mail, FTP and Web communications, revealing 11,000 potential leaks, more than 700 critical information leaks and violations of Payment Card Industry and other security standards. Among the "worst leaks:" confidential zip files and attachments sent by e-mail to an outside vendor; unencrypted e-mailing of a clinical study to an outside vendor; the mailing of employee compensation data to an outside company. "We thought we were in good shape..." said the company's CIO. "This just goes to show you can do all that and it's just not enough."

It is this kind of thing that business owners and executives need to read regarding identity theft compliance issues. I have never visited a business regardless of the industry they serve that does not need improvements in the way they handle sensitive documents, or personally indentifiable information of employees or customers. Even the best among companies who believe they are doing everything possible are at increased risk. As long as data has value it will be stolen or used for illicit purposes. Illegal data sale and identity theft are two very profitable kinds of crime with little chance of prosecution. I’ve mentioned before that the U.S. Secret Service, the agency charged with investigating identity theft crimes has gone on record saying that identity theft has surpassed the international drug trade as the most profitable crime in the world.
Every business no matter how large or small needs to accept that risk exists and initiate an identity theft compliance program appropriate to their business. It will only serve to increase the security of information in the company, and to lower the risk of a data leak or worse, identity theft resulting from personal information taken from the company.