The end of another year demands a certain amount of reflection – both personally and professionally. The New Year naturally prompts us to consider what we’ve accomplished during the last twelve months, and dupes us into creating lofty goals for the days and weeks ahead. Maybe we can blame it on bubbly-induced optimism. The goals are usually well intended, but they often fall short, victims of a lack of proper planning and resource dedication. The year 2006 was no exception for the world of corporate IT.
I look back at 2006 and think of it as the year of the data breach. The topic of data breaches garnered more IT news headlines than any other technology story of note. There was a span of several months where it seemed like every other day brought a new report of a data breach at a major corporation, government office or school. Among the many reported data breaches across the country were high-profile incidents involving the U.S. Department of Veterans Affairs, Ohio University (3 times; take a bow, OU), Broward County and Wells Fargo, to name but a few.
There are many reasons for the increase in data breach disclosures. Surprisingly, the increase should not be attributed to a concerted effort by hackers or organized crime; at least no significant amount should be. It can’t even be said that there was a significant increase in the number of data thefts and breaches compared to previous years. No, the only accurate thing to say is that there was an increase in the number of reported incidents.
We can partly thank California for passing a law in 2003 that requires companies to disclose data breaches to affected individuals. The first major breach reported under it was by a company called ChoicePoint in 2005, and since then there has been a steady stream of disclosures from organizations located all over the country. Most states have followed California’s lead and enacted similar disclosure laws. In the meantime, it has become best practice to report a potential data theft regardless of whether the company is located in a state with a full disclosure law.
Most reported “breaches” are due to misplaced equipment and personal data posted insecurely, not because of hacked networks, although targeted attacks do account for a small percentage. The reason the breaches are reported is to alert individuals to potential identity theft. It’s no surprise that the potential for identity theft is greater today than it has ever been, and it will continue to increase every year for the foreseeable future. The amount of private data being stored electronically is growing daily. Virtually every interaction a person has with a public or private entity is recorded and stored – somewhere (hopefully secure). If the data wasn’t originally stored electronically, chances are excellent that it has been or soon will be converted to an electronic record (e.g., electronic medical records).
The main way for companies to protect themselves from becoming another full disclosure casualty in tomorrow’s headlines is to aggressively educate their employees about the proper handling of private electronic data, and then to implement corporate policies that actually protect against inevitable security snafus. This directive must come from the top – from the CIO all the way down to the front-line managers. It has to be a company initiative, a New Year’s resolution if you will. If securing electronic data is not a stated objective in the company’s list of corporate goals for the next fiscal year, then data security will sadly not get the attention it is due.
Methods for guarding against data breaches, beyond employee education and sound corporate policies, include encrypting data and communications, and continuing the trend of bringing data back to the data center where it can be better protected. Thin client computing through technologies such as Citrix MetaFrame and Windows Terminal Services can help ensure that data is stored in a secure location and not on a piece of equipment that can walk out the door and into the wrong hands. If data must be stored locally or on removable media, encrypt it.
Companies that choose to use their own customer identifiers rather than Social Security Numbers also further the cause of identity protection. Consumers are at least becoming more educated about the danger of identity theft and are demanding that companies use something besides their SSN.
The year 2007 will see a continued increase in the number of reported data breaches despite the fine public examples in 2006 of how not to secure private electronic data. This isn’t necessarily bad, as it is an indicator of the attention continuing to be paid to the subject. We should be more concerned if data breaches and security disappear from the headlines altogether. However, the sad truth is that most companies will not place enough emphasis on securing their customers’ and employees’ data until a security incident happens to them. Of course, by that time a replacement CIO is usually in charge and some poor IT analyst is out of a job. Here’s hoping that we’ve learned some valuable lessons from 2006.