Data Breach Risks from Off-Network Devices


By Kim Boatman

Reports about off-network security breaches have become almost commonplace:

  • A laptop containing sensitive personnel information of Boeing employees -- including 382,000 Social Security numbers -- is stolen from an employee's car.
  • The Connecticut Department of Revenue Services reports the theft of a laptop containing the names and Social Security numbers of more than 100,000 Connecticut taxpayers. It's among more than two dozen Connecticut state government laptops reported missing in the last 14 months.
  • A staggering 28.6 million U.S. veterans and active and reserve members of the armed services find their personal information is at risk after a laptop and computer storage device are stolen from a Veterans Administration employee's home.

The Privacy Rights Clearinghouse, a nonprofit consumer information and advocacy organization, reports that more than 165 million data records of U.S. citizens have been jeopardized by security breaches since January 2005. The figure includes breaches of all sorts -- from data stolen from lost laptops to hackers tapping into digital records to files that weren't shredded. But while organizations devote resources to safeguarding their computer networks, they are failing to adequately protect data on off-network devices such as laptops, BlackBerrys, PDAs and memory sticks.

Although off-network security threats represent about 70% of all data breaches, an overwhelming number of the 735 IT security practitioners surveyed in a recent think-tank study say their organizations allocate 10% or less of their IT security spending to off-network devices.

The study, conducted by the non-profit Ponemon Institute and commissioned by Redemtech, an IT asset management and recovery services company, finds a disconnect between the risk posed by these devices and how organizations are responding.

"There is a general belief, somehow, in the information security community that you can harden your network and make your enterprise systems more secure by having really good tight perimeter controls," says Larry Ponemon, author of the study. "The perception is you are preventing bad guys from getting inside and doing nefarious things."

In the survey, 62% of those interviewed say that off-network controls in their organizations aren't rigorously managed. And of perhaps greatest concern is this: 30% say they wouldn't even be able to detect the theft or loss of an off-network device. The study defines off-network devices as all "data-bearing devices that are disconnected from an organization's system or network for various reasons, such as for relocation, repair or disposition."

Robert Houghton, president and founder of IT asset recovery firm Redemtech, calls the study "something of a wake-up call in the sense we've spent a tremendous amount of money and time and effort securing our networks and the data that travels across the networks." Yet, says Houghton, "We're still getting all these data breaches despite our best efforts."

More than anything else, the study finds, off-network data breaches come down to a familiar problem: human fallibility. It's not so much about the technical aspects of IT security but more about "the human factor," says Ponemon. "You can't predict people."

When it comes to technology, laptops are the devices most likely to be involved in the loss of confidential information. According to the study, 69% of participants say laptops were involved in a security breach, while 67% say the breach involved PDAs. Next were flash drives. A surprising number of larger off-network devices were involved, including a mainframe, says Ponemon.

There are clear steps that CIOs and IT organizations should be taking to acknowledge and deal with this risk:

  • Control inventory: "You have to figure out what's connected to your network and what's not," says Ponemon, who compares it to the work of an air traffic controller. Organizations must establish where all devices are at all times and practice good inventory management. It's really the same sort of age-old situation with which companies have always dealt: keeping track of assets.
  • Create a governance strategy: The Ponemon study suggests that it's not clear just who is in charge of off-network security in many operations. It should be evident who is responsible for maintaining inventory, implementing security measures and enforcing policy.
  • Make sure there is accountability: While more than 86% of respondents in the study said their organization had an off-network data security policy, less than 26% reported having a policy that was strictly enforced. The end user needs to know what the consequences will be when a laptop is lost or data is left exposed in some other manner.
  • Encrypt: Redemtech recommends that everything -- every file, every email -- should be encrypted.
  • Know how to dispose of data: "You need to have people who are knowledgeable about destroying information," says Ponemon.
  • Audit: "If you don't independently verify that something is done, assume it's not done," Ponemon says.
  • Consider outsourcing: Managing off-network risk involves "the human touch," says Ponemon. It might be more economical to outsource the management to a firm accustomed to this sort of security work.

Too many organizations apparently think this sort of breach either won't happen to them or that the cost will be small or insignificant. But even if a data breach isn't significant, the cost in goodwill from the public can be significant.

"I think a company needs to be sensitive to the fact they don't get a lot of chances to keep their reputation intact," Ponemon says.

Kim Boatman is a freelance business journalist in Silicon Valley, Calif. She spent more than 15 years reporting for the San Jose Mercury News.

