For those unfamiliar, the Information Commissioner’s Office (ICO) in the United Kingdom is the independent regulatory office dealing with data protection regulations such as the Data Protection Act.
As with many policy makers, actual enforcement has been a major stumbling block to the effectiveness of the ICO’s policies. Until recently, the ICO’s enforcement powers were very limited. However, the ICO has very recently started to issue fines (or “monetary penalties”) for failing to comply with the Data Protection Act.
- A4e was fined £60,000 for losing an unencrypted laptop containing thousands of client details
- Hertfordshire County Council was fined £100,000 for faxing details about a child sex abuse case to the wrong people
At the very least, seeing harsh penalties handed out for data breaches should help increase organizations’ focus on protecting sensitive business and customer information. Hopefully that focus will be centered less on which devices people are using to access company files and data (USB drives, personal email, portable hard drives, smartphones, etc.) and more on the underlying need to mitigate risk.
“This is part of a wider trend whereby the penalties for, and consequences of, inadequate security measures are increasingly costly and come from different sources – from the payments card industry, to government and private sector contracts, to activist regulators and the public at large,” said Frank Kenney, VP of Global Strategy at Ipswitch File Transfer. “The ICO move has to be seen in the wider context of increased compliance activity.”
Businesses need to take inventory of their own information and understand what confidential files exist and where they are located. Access to confidential files should be granted only to people who need them as part of their job. Simply making policies won’t make a difference; organizations need to follow up with policy enforcement, and they must also provide employees with the right tools to keep them productive, so that they don’t need to resort to their own devices.
Neil Chesanow just published a very informative article for Medscape titled “Why Your Patients’ Data May Not Be Safe: 5 Steps to Protect It”.
I had the pleasure of talking with Neil as he was writing the article and I must say that I’m impressed with the 5-step approach he outlines to prevent privacy breaches.
1. Develop a strict-but-realistic security policy
2. Control access to patient data
3. Monitor electronic health record (EHR) activity
4. Require more complex passwords
5. Encrypt all outgoing files
Although written from a medical/healthcare point-of-view, the steps can be applied to help any business or organization think through some of the issues surrounding the protection of sensitive and confidential files and data.
One of the more critical points that I believe Neil highlighted is how important it is to control access to confidential information. Access to sensitive files and data should be granted only to people who need it as part of their job. Not every employee or external partner should have access to all company information… And it’s easy enough to control and enforce access by applying simple rules and policies.
Monitoring, reporting and auditing file and data activity is another critical point raised by Neil. The ability to see who accessed sensitive information, when and how many times they accessed it, whether they moved or sent it to another location or person, and if and how the transmission and the file itself were secured and encrypted are important pieces of information from both an internal security policy perspective and a compliance perspective. Believe me, you never want to be asked by an eDiscovery judge for the audit trail of a particular file or communication and be unable to provide it.
I just read an interesting article on MarketingWeek written by Richard Lees, chairman of dbg (The Database Group). Richard has spent the better part of 20+ years combining two of my passions: marketing and data. So I’m instantly interested in his opinion on data security.
So why are we so scared of data security? Probably because we see the aftermath of data scandals and know how debilitating to a brand they can be. Bad PR does not even come close.
So true! Not only have data breaches resulted in billions of dollars in damages, they have also single-handedly destroyed brands and killed entire businesses, and big ones at that. And trust me, organizations like TJX will be feeling the ramifications of their data breach for decades.
Richard sheds light on the growing perception of “inevitability” surrounding data breaches: “It’s so easy to get data processes wrong and everyone is always waiting for the real clanger to happen…The number of diverse touchpoints that are relatively loosely controlled means it’s far too probable that this can happen.”
And here’s one more soundbite that drives home the point that many organizations aren’t yet taking even minimal precautions:
“It amazes me how some people still fail to do the basics such as merely password protecting data they are sending offsite, using secure file transfer protocols (SFTP)…It is remarkable how much customer data still moves around the internet every single day with very little control.”
Oh, and if you want more proof that sensitive files, data and documents aren’t safe, check out the WikiLeaks website that Richard references. Take a look at a few of the anonymous submissions of confidential documents and communications from governments and organizations around the world that we can all get to with just a few mouse clicks.
I’ve been sitting on some startling statistics for a couple weeks now, and it has been hard to keep my fingers quiet… But today is the day Ipswitch is sharing them with the world. Here are a few key takeaways from the survey that Ipswitch conducted at the recent InfoSecurity Europe 2010 show in London.
40% of IT professionals surveyed admitted to sending sensitive or confidential information through personal email accounts as a way to eliminate the audit trail of what they sent and to whom.
Let’s be clear: Almost half of IT professionals use their personal email as a way to send sensitive company files while hiding their activity from company auditing and reporting. Yikes, that’s a major security and compliance breach!
But wait, there’s more:
69% said that they send classified information, such as payroll, customer data and financial information, over email (with no security) at least once a month; 34% said they do it daily.
IT folks seem to be swayed by the same set of drivers as other worker bees, namely speed, convenience and the ability to send large files without the hassle.
This leaves us with an environment where IT professionals are:
(1) Feeling the same pains as their end users
(2) Smart enough to sidestep the very security and governance policies put in place
(3) Deliberately breaking company policy and controls as a way to hide what they are doing
And just establishing a file transfer policy isn’t enough. While 62% of organizations have file sharing policies in place, many don’t have the means or tactics in place to enforce them. Despite increasingly strict governance and compliance mandates, 72 percent of respondents said that their organizations lack visibility into files moving both internally and externally.
Organizations that lack true visibility, management and controls around sensitive information now find themselves wide open to all kinds of risks, namely data breaches and compliance failures. The fact that the risk contributors include the very people tasked with protecting IT networks, and that they are doing it on a premeditated and recurring basis, brings the whole situation to an entirely different level of ugly. Try explaining THAT to an eDiscovery judge!
I spent my morning reading through the 2010 Data Breach Investigations Report that was just published by the Verizon RISK Team and the United States Secret Service. This is an amazingly insightful report with lots of information to digest. If the topic of data breaches interests you, I highly recommend finding time to read through it.
Data breaches are scary. Nobody wants to be a victim… And nobody wants their company to be the next headline on the news.
Data breaches are expensive. According to the Ponemon Institute’s 2009 Cost of a Data Breach study, the average cost of each compromised record is $204.
Here are 5 quick recommendations that I’d like you to consider:
- Recognize your data: Before you can protect confidential, sensitive and important data you must first go through an exercise of identifying where it lives, who has access to it, how it’s handled and what systems it touches, and make sure any and all interactions with the data are fully visible and auditable.
- Take proactive precautions: The majority of breaches were deemed “avoidable” if the company had followed some security basics. Only 4 percent of breaches required difficult and expensive protective measures. Enforce policies that control access and handling of critical data.
- Watch for ‘minor’ policy violations: The study finds a correlation between seemingly minor policy violations and more serious abuse. This suggests that organizations should investigate all policy violations. Based on case data, the presence of illegal content on user systems or other inappropriate behavior is a reasonable indicator of a future breach. Actively searching for such indicators may prove even more effective.
- Monitor and filter outbound traffic: At some point during the sequence of events in many breaches, something (data, communications, connections) goes out externally via an organization’s network that, if prevented, could break the chain and stop the breach. By monitoring, understanding and controlling outbound traffic, an organization can greatly increase its chances of mitigating malicious activity.
- If a breach has been identified, don’t keep it to yourself: Standard procedure for data breach recovery should be to quickly identify the severity of the breach… And affected individuals have a right to know that sensitive information about them has accidentally been compromised.
I’m going to end this blog post by asking you to estimate how many pieces of sensitive files and data your company has… Now multiply that by $204. I’m sure you’ll agree that the ROI on the time and resources spent to protect company data is well worth the investment.
I just finished reading a great article in Network Computing titled “Managed File Transfer Asserts Data Governance In Transit”. Author Neil Roiter hit the nail right on the head by calling out the importance of visibility and governance over person-to-person file transfers. And if you don’t believe us, just ask any eDiscovery judge!
Sure, organizations absolutely positively must carefully consider how to transfer staggering volumes of data between systems and servers, both inside and outside the organization – all with management, policy enforcement and visibility capabilities.
That being said, individual employees are sending files to other people too… And unless IT provides them with an easy-to-use process to accomplish this, they will find their own ways, such as personal email accounts, USB drives, online file sharing services, etc.
Increased focus on data security, governance, regulatory compliance and eDiscovery has really put pressure on IT to have complete visibility not only into the processes involved in data transfer, but ALSO INTO THE PEOPLE. Frank Kenney sums it up well in the article:
“MFT can bring (person-to-person) file transfer under the corporate governance umbrella. We can give people ad hoc technology and enforce the use of those technologies. We make capabilities dead easy to use and enterprises have the right policies in place about how to use them. MFT products provide visibility and validation through dashboards, reporting, real-time updates on data transfer and audit trails.”
Some day, an eDiscovery judge may ask you to provide an audit trail with proof of chain-of-custody for a particular file that has bounced around your company and between people. Here are just a few questions you’ll need to be able to answer: Who sent what? When? Where? To whom? Was it encrypted? And did it get there?
What will your answer be?
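As an added illustration of the audit trail the questions above (and the monitoring point raised earlier) call for, here is a small hash-chained transfer log in Python. It is example code written for this page, not Ipswitch’s or any MFT product’s; the user names, file names and domains are constructed. Each entry is linked to the hash of the one before it, so the log can answer who sent what, when, to whom, whether it was encrypted and whether it arrived, prove that nobody has quietly edited or dropped an entry, and flag sends that left in the clear or went outside the company domain.

```python
import hashlib
import json

GENESIS = "0" * 64  # the "previous hash" of the first entry

def _digest(prev_hash, event):
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))  # canonical form, key order irrelevant
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append_event(chain, event):
    """Append one transfer event, linked to the hash of the entry before it."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"event": event, "prev": prev_hash, "hash": _digest(prev_hash, event)})

def verify_chain(chain):
    """True only if no entry has been altered, dropped or reordered since it was written."""
    prev_hash = GENESIS
    for entry in chain:
        if entry["prev"] != prev_hash or entry["hash"] != _digest(prev_hash, entry["event"]):
            return False
        prev_hash = entry["hash"]
    return True

def custody_report(chain, filename):
    """Who handled the file, when, to whom, encrypted or not, and whether it arrived."""
    return [(e["ts"], e["actor"], e["action"], e.get("recipient"), e.get("encrypted"), e.get("delivered"))
            for e in (entry["event"] for entry in chain) if e["file"] == filename]

def flag_for_review(chain, internal_domain):
    """Sends that left in the clear or went to an address outside the company domain."""
    hits = []
    for e in (entry["event"] for entry in chain if entry["event"]["action"] == "send"):
        reasons = [] if e.get("encrypted") else ["unencrypted"]
        if not e.get("recipient", "").lower().endswith("@" + internal_domain):
            reasons.append("external recipient")
        if reasons:
            hits.append((e["ts"], e["actor"], e["file"], ", ".join(reasons)))
    return hits

SAMPLE_EVENTS = [  # constructed sample: hypothetical users, files and domains, not real data
    {"ts": "2010-06-01T09:00:00Z", "actor": "alice", "action": "upload", "file": "payroll.xlsx", "encrypted": True},
    {"ts": "2010-06-01T09:05:00Z", "actor": "alice", "action": "send", "file": "payroll.xlsx",
     "recipient": "bob@corp.example", "encrypted": True, "delivered": True},
    {"ts": "2010-06-01T10:00:00Z", "actor": "carol", "action": "send", "file": "customers.csv",
     "recipient": "carol.home@webmail.example", "encrypted": False, "delivered": True},
]

SAMPLE_CHAIN = []  # the log as written, ready to query or verify
for _ev in SAMPLE_EVENTS:
    append_event(SAMPLE_CHAIN, _ev)
```

Editing any stored event afterwards (for example flipping `encrypted` on the webmail send) makes `verify_chain` return False, which is exactly the tamper evidence a chain-of-custody request would need.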