A Roadmap for Securing Personal Data Broadview Heights OH

Protecting the personal information of customers and employees requires going beyond the obvious measures of safeguarding it from outsider intrusion, particularly in this era of heightened awareness of data theft. Savvy CIOs must make an extra effort to protect storage devices, laptops, and backup tapes, even as they rely on more traditional network and system protection to secure personal data.

A Roadmap for Securing Personal Data



By Jodi Mardesich

Recent high-profile cases of personal data theft at the Veterans Administration and the YMCA sent waves of concern through IT organizations, as these cases did not involve typical network or system intrusion, but rather simple theft of computers holding member, customer, and employee personal information. In the case of the VA, 26.5 million veterans' names, birth dates, and Social Security numbers were stolen from the home of a data analyst. In another recent event in the news, the theft of a laptop exposed data about members of the Greater Providence YMCA, which includes members in Rhode Island and Massachusetts.

"Attacks on computer security infrastructure are no longer indiscriminate acts of vandalism perpetrated for hacker bragging rights but targeted and organized attacks for identity data and espionage," says Jonathan Penn, principal analyst at Forrester Research. "Companies must adopt a more vigilant and correspondingly sophisticated approach to defending their environments."

A recent survey of technology decision-makers by Forrester found that more than one-third had experienced at least one personal data breach. Of those who did suffer a breach, 46% experienced one or two breaches, 36% experienced three to five breaches, and 18% experienced six or more breaches. Most breaches came in the form of insider attacks, at 39%, followed by crimeware on customers' computers, and hardware theft.

The survey shows that companies put a high priority on shoring up network and system vulnerabilities. But it also uncovered a lack of focus and investment in other areas that protect against the unauthorized access of data, such as the theft of laptops, backup tapes, and paper. Preventing physical thefts ranked lowest, but still high, among priorities, Penn says. Of the types of physical theft, hardware theft was the top priority, followed by backup disk theft and paper theft. Penn says the results were surprising, "given the high-profile cases of backup tape theft in 2005 and the large number of compromised accounts represented in those events."

In the age of laws requiring public notification in the event of a data breach, CIOs need to do everything they can to plug any leaks in the dam in order to protect any personal data the organization collects about employees or customers.

CIOs plan to increase spending on technology to protect against security breaches, but not as much on developing processes to protect data from attackers, either inside or outside the company. The area where spending is expected to increase the most is identity management, which includes authentication and access rights. Improvements in this area would address both internal threats and traditional system weaknesses, Penn says.

"The network perimeter will continue to evaporate, forcing security redesigns around identity," he says. "The old idea of dividing activity into 'inside' and 'outside' the firewall is inadequate. We have the single sign-on and Web services all extending corporate networks far outside of the bounds of corporate facilities. In such an environment, identity becomes the only organizing principle for managing access and delivering services."

Steps to more secure data

CIOs need to go beyond the traditional network and system reinforcements, extending their data security policies to include the theft of physical items, such as laptops, printouts, and backup tapes, and using encryption as a further level of protection. In addition, they should identify risks and educate workers about the less technical forms of data breaches, spelling out policies for protecting such items.

  • Securing laptops: Since laptops are mobile and small, they're easily misplaced or stolen. Knowing who has laptops, and the information they're carrying, is a first step toward protecting them. "Vulnerabilities must be located before they can be managed," says Marti Harris, a Gartner Group analyst. "Knowing who uses which device to do what and knowing where institutional data is stored helps anticipate vulnerabilities." Marti suggests auditing laptops, defining policies on secure usage, managing user access through proper authentication, and regularly scanning for viruses, as an infected laptop can spread malicious code to the network when it's plugged back in.
  • Using encryption: Encryption uses a code to make data unintelligible to people without a key to decipher it. It's not failsafe, but it adds an extra level of protection, making access much more difficult. "Encryption on both hard disks and tape backups should be an important element of a corporate strategy for personal data protection," Penn says.
  • Backup tapes: Thieves have stolen backup tapes to glean personal identity information. To protect these tapes, Gartner Group suggests three methods: secure site-to-site electronic transmission; encryption; and secure physical transportation of the tapes. "Tapes should be destroyed after the data is loaded and they are no longer needed," says Gartner analyst Rich Mogull.
  • Protecting printouts: Anything printed, scanned, or faxed via a printer or multifunction device is a potential target for thieves. Confidential information left unattended at a printer doesn't provide thieves with a huge volume of potential personal data, but it should be safeguarded. Create policies around the proper care and disposal of such information, and enforce those policies, including punishment for those who do not follow them.
  • Take an inventory of your risk: Collecting such data will prepare you to protect yourself. "It's impossible to make the right security decisions without knowing where successful attacks might come from and how much they would cost," Penn says.
  • Educating workers: Creating security policies won't have any effect unless workers are educated about them and incentivized to follow them. "Users are the major point of vulnerability, but also your first line of defense," Harris says.

Protecting the personal information of customers and employees requires going beyond the obvious measures of safeguarding it from outsider intrusion, particularly in this era of heightened awareness of data theft. Savvy CIOs must make an extra effort to protect storage devices, laptops, and backup tapes, even as they rely on more traditional network and system protection to secure personal data.   

Jodi Mardesich writes about business and technology. Her writing has appeared in The New York Times, Fortune, San Jose Mercury News, Salon, Slate, and Yoga Journal.
