Monday, February 06, 2006


Data Breaches aren't just an IT responsibility

By Frank Hayes at ComputerWorld

The Boston Globe managed to expose as many as 240,000 subscribers to identity theft last week -- no hackers or viruses required. Here's how: The Globe shares a computer system with a sister newspaper in suburban Worcester, Mass., the Telegram & Gazette. On Jan. 29, the Telegram & Gazette sent 9,000 bundles of Sunday papers to retailers and delivery people wrapped in recycled office paper. But some of that recycled paper happened to be printouts that included subscribers' credit card numbers and checking account information.

Is that a creative way of violating customer privacy, or what?

The Globe/Telegram & Gazette snafu followed two incidents in which other companies' customer information was stolen from employees' cars. A thief broke into a car in a suburb of Portland, Ore., and stole backup disks containing information on 365,000 patients of Providence Health System, a West Coast medical group. Another smash-and-grab thief stole a laptop belonging to an employee of Ameriprise Financial that contained unencrypted data on 158,000 customers.

Here's the scary part: In each case except the Ameriprise incident, the information was handled according to standard operating procedures. The recycling was approved. The home-stored backups were SOP. Even the Ameriprise employee was allowed to have the data on a laptop as long as it was encrypted, but the employee failed to follow encryption procedures and was fired for it.

And here's the scarier part: Even though data security is IT's job, this isn't a problem that IT can solve.

Why not? Because non-IT employees really are creative. They're always looking for better, faster, cheaper ways of doing their jobs. That includes reusing paper from discarded printouts. And storing backups off-site at employees' homes. And, of course, taking work home on laptops.

They'll always come up with new ways of exposing data that we haven't thought of. Not on purpose; they're not trying to put customers or the business at risk. But data security and customer privacy just aren't top-of-mind for them. The gap between what concerns us (protecting data) and what they worry about (doing business) is just too great.

What can IT do? We could try to lock down all that data: restrict access, prevent printing, block local storage. Within limits, that's a good approach. After all, how many employees really need long lists of customers' Social Security and credit card numbers? Tagging such information as need-to-know and blocking its use in routine reports is good security practice.

But that's not enough. We also need to get creative. We need to find ways to get employees thinking about data security -- and make it easier for them to keep data secure.

Ask yourself: How easy do you make it for employees to get just the data they need in reports? How easily can they encrypt that data and keep it encrypted every second it's not in immediate use? Is sensitive data clearly marked so confidential reports won't be mistaken for safe-to-recycle office paper? Are outdated practices like employees carrying home backups still being used in some departments?

How often do you talk with employees about data security? Not send e-mail -- talk. And not in general terms, but about how it directly applies to their work processes. How much of that security-talk time is for them to ask questions and make suggestions? How quickly do you follow up so they see results?

In short, how well are you harnessing that non-IT-employee creativity to make data more secure instead of putting it further at risk?

IT can't solve all data security problems. Not today, when so much data is in the hands of employees who need it to do their jobs.

But by getting those employees to make data security a priority -- and then helping them to make it a reality -- we can close that security gap. Our employees will be on our side. Our customers' privacy will be protected.

And we'll be a lot less likely to read about our troubles in the Sunday paper.
