Data breaches. The
number of reported data breaches involving sensitive private information at
organizations and companies is growing at an alarming pace. I click the refresh button for my RSS news
feed if it doesnt flash a data breach story at some point during the day. I havent had to manually refresh much
lately though, have I? There is an
abundance of data security stories not just in the IT trade magazines and on IT
focused web sites, but also in mainstream media outlets. Its front page news read by millions of
people, many of whom arent knowledgeable or concerned with much of the general
happenings of corporate IT. But I feel
compelled to chime in with my two cents anyway, even though there are plenty of stories and opinions already
posted on the topic.
My take is a little different though. I view the reports of data breaches at
government offices, schools, banks and corporations as a good sign. Thats right; I said its a good sign there are so many reported
data breaches. It tells me there is
finally a focus on protecting private data.
The truth is, not until Congress passed laws such as Sarbanes-Oxley
and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and states such as California
passed laws requiring full disclosure of data breaches, agencies and
corporations were largely self-governed and lax with data securitypractices.
The key to my absurd statement focuses on the word reports. You see, data breaches (i.e., the loss of
sensitive private information) have been occurring for many years. It wasnt until recently that corporations
took the topic seriously and began being forced to disclose security lapses. Thanks to consumer advocacy and watchdog
groups such as the Privacy
Rights Clearinghouse and regulatory laws like HIPAA, senior executives are
being held ultimately responsible for protecting private data and maintaining regulatory
compliance. It is the threat of severe
criminal and civil penalties that is persuading CEOs to dedicate valuable and
scarce resources to securing consumer data.
What else would cause executives to spend money and time on somethingthat doesnt directly affect the bottom line?
The data breach reports are significant because companies previously
didnt place much emphasis on data security.
Blocking hacking attempts and viruses got the most attention, with efforts
mainly focused around keeping hackers on the outside through perimeter defenses
such as hardware firewalls and wireless network encryption. But not much effort went into developing
sound data handling procedures. The
reports of data breaches are both embarrassing and damaging to the responsible
companies, and ensure that more resources will be dedicated to reducing future
incidents. And while some data breaches
are occurring because of hacking attempts and viruses, most reports describe
incidents involving employees losing laptops or portable media devices, or lapsesin judgment.
Change takes time though; especially change involving
business process flow. Many organizations
are still in the very early stages of evaluating and implementing solutions to
mitigate security risks. Common IT-based
solutions involve implementing federated identity-management systems, utilizing
encryption and using thin-client technology to access data stored centrally in
a secure data center. Procedural
solutions include creating access control lists and determining exactly who
needs access to which systems, performing routine self-audits and training
staff to properly dispose of and protect sensitive data (e.g., shredding confidentialdocuments and knowing not to post private data on insecure web sites).
For example, when I started in healthcare IT in the late 90s,
a stroll down hospital hallways revealed computer screens with patient data
clearly visible, computers logged into the network with generic accounts, and
applications that required no authentication.
Fast-forward to 2006 and those same hallways now reveal screen filters
on all monitors, staff using unique login credentials and applications with
either integrated directory services based authentication or a separate application
layer login. Security committees even
exist now with members from various departments who focus on ensuring the
company maintains HIPAA compliancy. How
to secure data has become a focus when discussing upgrading or installing a newsystem, not an afterthought.
So again I say the frequent reports of data breaches are a
welcome site. And while it indicates we
still have a long way to go to reduce security risks, it also proves there are
watchful eyes on the companies storing sensitive private information. This will take time, but a quick glance topast security practices shows just how far we have already come.
As always, let me know your thoughts, and while youre at it, check out these recently added resources on TechRepublic.