In late 2018, a database error exposed the personal information of nearly one million patients at University of Washington Medicine. The problem was discovered when a patient Googled their own name and stumbled across a file with the information.
Data breaches are not unique to UW Medicine. In 2018, US companies experienced 12,449 data breaches, a 424% increase over 2017.
In UW Medicine’s case, the breach was due to an internal human error that occurred when data was moved from one server to another.
“We have seen a large number of breaches and failures due to human error, and it’s time for it to stop,” said Robert Reeves, Co-founder and CTO of Datical, which provides database release automation solutions.
“When GitLab’s production database went down, the company took three days to restore it, and users were unable to fully manage their source code,” Reeves continued. “The AWS S3 outage was caused by a manual typing error, which brought down several websites that relied on S3. Of course, the most widely known data breach was Equifax, where they didn’t patch Apache Struts, due to no automation for application release and updates.”
Preventing human error
So what lessons were learned from these security breaches?
“Humans often overestimate their abilities and make mistakes,” said Reeves. “Or, even worse, they underestimate the abilities of database professionals and decide there is no need for them.”
Reeves emphasized the need to automate security and system standards so that the potential for human error is eliminated from the process. “This is especially important for companies that handle personally identifiable information (PII), or any type of sensitive data,” he said. “The bottom line is: Do not put it on the Internet if you have not automated every aspect of the system.”
No easy fix
As simple as this sounds, automation isn’t easy.
Project work that is visible to the business usually takes priority over infrastructure improvements that are not. Consequently, critical work such as building a strong disaster recovery plan or bolstering enterprise security with robust standards and automation gets pushed toward the bottom of the list, until a major system failure or security breach exposes the company.
“Just like we vigorously test automobiles and medical equipment, we should have rigorous standards and compliance enforcement with new technology. It’s simply negligent to apply new technology to a system without making certain sensitive data is not exposed,” said Reeves.
However, as citizen development and user-controlled IT operations spread through companies, improving security processes should never sit at the bottom of a project list. Instead, CIOs must advocate for more robust IT security by making the CEO, the board, and other C-level executives aware of the risks the organization is carrying.
How can CIOs avoid these potentially career-threatening circumstances? Below are five recommendations on how to ensure that new technologies and systems are properly secured.
1. Mandate that corporate security standards are applied to any new technology before deployment
This step is absolutely necessary, because more and more IT control is being placed in the hands of end users who are eager to deploy as quickly as possible.
2. Secure C-level and board support for universal application of security standards
IT can’t enforce universal security standards without board-level, CEO-level, and C-level buy-in. If that commitment appears lukewarm, the end users who control the systems will work around the guidelines, and the security vulnerabilities will remain. The same goes for IT itself: if IT staff only half-heartedly enforce security standards, they will write code and install systems under deadline pressure and leave security conformance behind.
3. Automate security processes whenever possible
The more you can automate security processes and checkpoints, the fewer opportunities there are for human error in the steps that run automatically. Note that automation moves the error to the code and configuration that drives it, so the automation itself needs review, testing, and change control like any other production system.
4. Continuously improve security as threats change
Attackers know their trade and continuously invent new ways to penetrate networks. Your security risk assessments and controls need to be reviewed and adjusted as the threat landscape changes.
5. Link IT security management with the organization’s overall risk management assessments
IT security needs to rank as high as market and financial risk assessments. That way, security gains visibility with the CEO, the board, and other C-level executives in the same terms as the risks they already manage.
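Recommendations 1 and 3 above (apply the standard before deployment, automate the checkpoint) are easiest to picture with a concrete gate. The following is an added example written for this page, not code from UW Medicine, Datical, or the quoted sources: it encodes a hypothetical corporate standard for moving a data export between servers (an approved-destination allow-list, a deny-list of web-served directories, and a private-permissions requirement) and refuses to copy the file when the destination violates it. The directory names, the standard's rules, and the sample export are all constructed for the illustration.

```python
"""Automated pre-deployment gate for moving a sensitive data export.

Added example (not from the original article). The "standard" encoded here
is a hypothetical one: the export may only be written under an approved
root, never under a web-served directory, and only into a directory that is
not readable by group or others. A violation fails closed: nothing is copied.
"""
from __future__ import annotations

import os
import shutil
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path


class GateError(Exception):
    """Raised when a move would violate the standard; the move does not happen."""


@dataclass
class DataMoveStandard:
    approved_roots: list[Path]          # allow-list: exports may only land here
    web_roots: list[Path]               # deny-list: directories a web server serves
    forbidden_dir_bits: int = stat.S_IRGRP | stat.S_IROTH  # "private" means neither set
    file_mode: int = 0o600              # mode enforced on the copied file


def _under(path: Path, root: Path) -> bool:
    """True if path is root or lies beneath it (both already resolved)."""
    return path == root or root in path.parents


def check_destination(dest_dir: Path, standard: DataMoveStandard) -> list[str]:
    """Return every violation found; an empty list means the destination is acceptable."""
    dest = dest_dir.resolve()
    if not dest.is_dir():
        return [f"{dest} does not exist or is not a directory"]
    violations: list[str] = []
    if not any(_under(dest, root.resolve()) for root in standard.approved_roots):
        violations.append(f"{dest} is not under an approved destination root")
    for root in standard.web_roots:
        if _under(dest, root.resolve()):
            violations.append(f"{dest} is under web root {root.resolve()}; files there would be served publicly")
    mode = dest.stat().st_mode
    if mode & standard.forbidden_dir_bits:
        violations.append(f"{dest} is readable by group or others (mode {stat.filemode(mode)})")
    return violations


def guarded_move(src: Path, dest_dir: Path, standard: DataMoveStandard) -> Path:
    """Copy src into dest_dir only if the standard holds; verify the result before removing src."""
    violations = check_destination(dest_dir, standard)
    if violations:
        raise GateError("; ".join(violations))
    target = dest_dir / src.name
    shutil.copy2(src, target)
    os.chmod(target, standard.file_mode)
    actual = stat.S_IMODE(target.stat().st_mode)
    if actual != standard.file_mode:          # never leave a loosely-permissioned copy behind
        target.unlink()
        raise GateError(f"could not set mode {standard.file_mode:o} on {target}, got {actual:o}")
    src.unlink()                              # remove the source only once the copy is verified
    return target


def demo() -> dict:
    """Constructed scenario: one web-served directory and one private export directory."""
    base = Path(tempfile.mkdtemp())
    web = base / "var_www_html"
    web.mkdir()
    os.chmod(web, 0o755)                      # typical document root: world-readable
    private = base / "exports"
    private.mkdir()
    os.chmod(private, 0o700)
    standard = DataMoveStandard(approved_roots=[private], web_roots=[web])

    export = base / "patients.csv"            # constructed sample, not real data
    export.write_text("id,name\n1,constructed sample row\n")

    result = {"web_violations": check_destination(web, standard)}
    try:
        guarded_move(export, web, standard)   # the UW Medicine-style mistake
        result["web_move"] = "allowed"
    except GateError as exc:
        result["web_move"] = f"refused: {exc}"
    moved = guarded_move(export, private, standard)
    result["private_move"] = str(moved)
    result["private_mode"] = oct(stat.S_IMODE(moved.stat().st_mode))
    result["source_removed"] = not export.exists()
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the demo shows the web-served destination rejected for three independent reasons (not approved, under a web root, world-readable) while the private directory accepts the file with mode 0600. The point is the shape of the control rather than these particular rules: the standard lives in code, the gate runs on every move, and a wrong destination cannot be reached by an operator's typo.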