By Joanne VanAuken
As we come to the end of 2005, we might rename it "The Year of the Lost Record." Among the data exposed during the year were 600,000 unencrypted records from Time Warner, 1.2 million federal employee records from Bank of America, 3.9 million records from Citigroup and the list goes on–and these are just the ones we know about. A LexisNexis executive recently told a Congressional committee he knew of at least one data theft that was never reported.
All this publicity has led end users and politicians to regard data loss as a full-fledged epidemic, but we know it’s nothing new–data loss and theft have been around since the first computers. But public opinion is now giving us the ammunition to prioritize labor and monies so we can properly understand and define business risks and develop more effective means of protecting data assets.
Why do the bad guys seem to be winning the war? Because data theft has become a lucrative criminal business–and because organizations have been making their data easy to steal. Let’s face it, many of this year’s breaches wouldn’t have occurred if the appropriate security infrastructure and controls had been in place. Frustrated security professionals are facing increasingly clever and hostile attackers, and the old ad hoc practices of security and backup are being exploited for criminal gain.
Solving the security problem means making good security practices the norm, rather than an afterthought. Patching, for example, becomes a crucial practice as malicious users scan for unpatched targets–this is especially critical after vulnerabilities have been publicly announced. Patching sounds simple, but it isn’t. Enterprises must spend more time testing patches prior to deployment, and vendors must develop a more streamlined approach to patch management, which continues to be a burdensome IT task.
Make encryption another priority for 2006. When CitiFinancial’s package carrier lost its backup tapes en route to a credit bureau, it proved that data must be secured at every point of transit and at every organizational level. Encryption also plays a significant role in securing e-commerce transactions, protecting sensitive financial and medical information, and safeguarding trade secrets. So if you’re not researching encryption solutions that are scalable, easily managed and reasonably priced, start now (for more on storage-data encryption, see "Data Debacle").
In the end, though, security is really about how people behave online. With all the money and time we’ve invested in the latest security products, we’re still agonizing over end users clicking on innocent-looking e-mail attachments, plugging their infected home machines into the corporate network and being fooled by pop-ups and Web pages that appear legitimate. Security policies, then, should top your to-do list for the coming year–end users must adhere to those policies and suffer the consequences if they don’t.