On November 3, 2010, the Privacy Rights Clearinghouse updated its Chronology of Data Breaches. Guess how many records have been breached since 2005? 510,841,759. And that's only the reported break-ins.
The report has two more startling statistics:
- 20 percent of the breaches occurred to SMEs that are in nonfinancial-related business, such as retailers and merchants.
- 80 percent of SMEs that experience a data breach either go bankrupt or have severe financial difficulties within two years.
The Federal Trade Commission (FTC) is well aware of this problem and has released the report Protecting Personal Information: A Guide for Business. It starts out by offering some sage advice:
"Safeguarding sensitive data in your files and on your computers is just plain good business."
The paper goes on to suggest using the following principles when developing a data-security plan.
1: Take stock
This may seem obvious, but once you start identifying sensitive information, what it's used for, and where it's stored, there are usually several epiphany moments. It's not uncommon to find an employee who is storing critical data on an unsecured flash drive.
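Taking stock is easier with a little automation. The following script is an added example (it is not from the post or from the FTC guide) that walks a directory tree and reports files containing likely payment card numbers or U.S. Social Security numbers. The card pattern is deliberately loose and then filtered with the Luhn checksum, which removes most phone numbers, order numbers and typos; the directory layout, file names and card numbers (standard test numbers such as 4111 1111 1111 1111) are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Loose candidate patterns. The card pattern accepts 13-16 digits with optional
# spaces or dashes; the Luhn check below weeds out the false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict:
    """Count distinct card numbers (Luhn-valid) and SSN-shaped values in a text."""
    cards = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            cards.add(digits)
    ssns = set(SSN_RE.findall(text))
    return {"cards": len(cards), "ssns": len(ssns)}


def scan_tree(root, max_bytes: int = 1_000_000) -> dict:
    """Map each file (relative path) that holds sensitive-looking data to its counts."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            # Read at most max_bytes so a huge binary file cannot stall the scan.
            text = path.read_bytes()[:max_bytes].decode("utf-8", errors="ignore")
        except OSError:
            continue
        counts = scan_text(text)
        if counts["cards"] or counts["ssns"]:
            findings[path.relative_to(root).as_posix()] = counts
    return findings


def scan_sample() -> dict:
    """Build a small constructed file tree and scan it (assumed layout, for the demo)."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "hr").mkdir()
    (tmp / "sales").mkdir()
    (tmp / "docs").mkdir()
    # Constructed sample data: one SSN-shaped value, three Luhn-valid test card
    # numbers, one typo that fails Luhn, and one harmless phone number.
    (tmp / "hr" / "employees.csv").write_text("name,ssn\nAlice Example,123-45-6789\n")
    (tmp / "sales" / "orders.txt").write_text(
        "order 1001 card 4111 1111 1111 1111 ok\n"
        "order 1002 card 5500 0000 0000 0004\n"
        "order 1003 card 378282246310005\n"
        "ref 4111111111111112 (typo, fails Luhn)\n"
    )
    (tmp / "docs" / "readme.txt").write_text("Phone 555-123-4567, nothing sensitive here.\n")
    return scan_tree(tmp)


if __name__ == "__main__":
    for rel, counts in sorted(scan_sample().items()):
        print(f"{rel}: {counts}")
```

Run it against a real share or home directory by calling `scan_tree("/path/to/share")`; the counts per file are what you need to decide whether the data belongs there at all, which is exactly the question step 2 asks next.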
2: Scale down
The next step after locating all sensitive data is to decide what information is needed for running the business. Once that's agreed upon, work to retain only the required data. The FTC report sums it up this way:
"Keep sensitive data in your system only as long as you have a business reason to have it. Once that business need is
I read countless times in my research, "The fewer copies of data you have, the easier it is to protect."
3: Lock it
Today's networks are nebulous entities with undefined perimeters reaching across the Internet. To totally lock them down is near impossible. That's why experts are suggesting more focus be placed on securing the data than the network. Two suggestions are:
- Isolate sensitive data. Administrators are isolating file and database servers on separate networks and guarding them with strict access controls.
- Encrypt sensitive data. The first suggestion is becoming difficult to accomplish due to demands for mobility. If that is your situation, encrypting the data becomes essential. If management pushes back, explain that many regulations require reporting breaches of unsecured data and that encrypted data is considered secure. Also tell them that the number one cause of data theft is notebooks being stolen or lost.
4: Pitch it
I mentioned earlier that if any sensitive information is no longer needed, it's best to get rid of it. But make sure to take proper measures when disposing of sensitive information, whether it's paper or a digital storage device. Along that note, the FTC report brought up two points that are often overlooked:
- Make sure telecommuters follow the same procedures for disposing of paper documents and electronic equipment.
- Determine whether there are any disposal regulations that the business must abide by. For instance, the FTC has specific rules for the disposal of consumer credit reports.
5: Plan ahead
Remember my saying that SMEs that experience a data breach usually go under? Well, those are the ones that don't have a plan. For example, trying to determine who to notify, either voluntarily or as required by law, is a challenge under normal conditions. So the midst of a breach is not the time to figure out who to call.
Plan ahead and create a data-security policy that fits the needs of the company. The Chronology of Data Breaches Web site has all sorts of good information regarding this, along with links to state and federal resources.
Important extra tip
It's not a well-known fact, but companies outsourcing data storage or business functions are ultimately responsible for any data that has been breached, not the data center or cloud provider. So be careful deciding what to put in the cloud and when vetting service providers.
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.