Lax data security can bring painful consequences.
The University of Victoria made big news in January, but probably not the type it sought.
A mobile storage device stolen from a locked and secured UVic building contained personal data belonging to more than 11,800 people who had received employment income from the university in the past two years. The device contained such key personal information as social insurance numbers and bank account information.
UVic, though, is certainly not alone in the area of losing critical personal data. The Wall Street Journal reports that in 2010, the U.S. Secret Service responded to 761 data breaches. That was way up from only 141 in 2009.
Although larger organizations like Sony and T&T Supermarkets make the news, smaller companies predominantly bear the brunt of IT breaches. Visa estimates that 95 per cent of credit card security breaches occur among its smallest business customers. This tends to make sense, as small enterprises have modest budgets for secure IT storage.
Before you go and hire consultants to help secure your information, the very first step you should take is a thorough review of all the data you store. Then ask yourself if you really need it.
To prevent yourself from becoming a digital version of the “stars” of TV’s Hoarders, do a quick analysis and purge all the data you no longer need. Ex-employees’ personal and banking data can be the first to go. And if you don’t need to keep customers’ names or credit card information for any length of time, don’t. Storing information like this increases your risk with no associated benefit, so have a data retention policy.
Data storage is cheap and hard drives are larger than ever, so it’s easy for organizations to become lax in regard to data disposal. But don’t fall into this trap. The Wall Street Journal reports that in 2010, the average organizational cost of a data breach was $7.2 million and cost companies an average of $214 per compromised record. Thus, if you have stored a lot of data up to now, you may need to do more wiping than the squeegee guy who never seems to leave me alone.
If what I’m saying makes you nervous, here are some steps you can take to protect yourself and the information with which you’ve been entrusted:
{advertisement} Ensure your environment is protected from remote intrusion. At a high level, this means having proper firewalls, intrusion detection, and anti-virus programs. Always patch them and keep them up to date.
Encryption is not optional. Encryption is a process of encoding information in such a secure manner that only those with a key can decode it. It goes without saying, but always monitor exactly who has that key.
Store your secure data on servers in a secure room. Any server room worth its salt has highly restricted access and severely limits who can access devices. This alone would have prevented UVic’s woes, as anyone who has tried to lift a server out of a rack recently would not be referring to it as a “portable storage device.”
Have redundant locations for your data. You can store data on a portable device for continuity purposes, but redundancy is most effective when placing the data on multiple servers geographically dispersed.
Restrict data accessibility to people in your organization who genuinely need it. You’ll get a lot of people thinking they do, but in actuality, as long as those folks have access to the few who need permissions to reach the data, that is all you need and is far more secure. This is especially important as you have to stay on top of any departing staff.
If you accept credit cards, use a Payment Application Data Security Standard compliant payment application. You can find a list of them on the PCI Security Standards Council website at http://bit.ly/M8G4XG/.
If you employ a third party to handle your customers’ credit card data, ensure the supplier is PCI compliant. If you ask them this, and they don’t know what it means, run!
You can never be too vigilant when protecting the information your customers have entrusted you with. If the wrong people are trying to get at your data, make sure your environment is as secure as possible — that way, it’s the bad guys who may very well get schooled.
Doug Caton is a Victoria-based IT manager.
