Saturday, May 30, 2009

Secure Data - An impossible task?

During the last few years, we have seen a blatant disregard for the protection of personal data by some of the largest organisations in the world. Spanning Financial, Retail, Utilities, Telecoms and Government sectors, many millions of "customer records" have been either "lost" or stolen.

The black market value of this data is incalculable. Yet, the penalties of this level of incompetence, by the companies concerned, are minimal. There are many examples of billion dollar companies getting fines of several million dollars. It is very easy to pay these fines rather than take action to address the security issues.


Where is the security failing?

Well, dissecting this issue objectively, there are a number of areas where data breach is highly probable.
  • Hacking from external sources. Security technology has matured very quickly to help address this danger; however, hacking techniques are also evolving rapidly. Organisations must keep their firewalls and validation techniques up to date if they are to keep external hackers at bay.

  • Internal fraud - Numerous security studies have shown that the threat from internal "users" is significant and growing. Security privileges of employees are too generous - these must be tightened so that data access is restricted to what is needed to perform the job function. Historically, when staff were employed "for life", loyalty was the guardian of sensitive data. In the present climate there is no such thing as job security, and employees no longer regard loyalty as a primary consideration of their employment contract.

  • Outsourcing - Running Call Centres and IT functions off-site or offshore is now the norm. Why not? It is more cost effective and enables organisations to drive up their margins. With modern advances in telecommunications and computer technologies, staff in India (or for that matter, in China) are able to operate shifts 24x7 to provide support across the globe. There is one major weakness in this model. From a security perspective, organisations are exposing themselves to a major threat. They have no direct control over how their data is used and/or abused! There is a heightened temptation to "earn" extra by simply copying "innocent" data onto a USB memory stick and handing it over to an uncle, brother or friend outside the company. Numerous undercover investigations have proven this to be the case, with any of us potentially becoming one of millions of victims of this crime.

Is there a practical solution to minimising risk of data theft?

There are many ways to skin a cat...and there are many ways to reduce or deter data breaches. Here we are going to discuss two areas which pose the biggest threat.

Use of data by "approved users"

Approved users are those people who are authorised to access customer or other data that may be considered sensitive, for example Call Centre staff. They need to be able to access this data to do their job. In this situation it is imperative that a CCTV-type monitoring technology be implemented to record all information access. This must provide full audit capabilities (user names, timestamps and data accessed), delivering a complete forensic trail if a data breach were to take place. This in itself acts as a deterrent - the "CCTV" technology must be publicised to the user community.

Use of "live" data for IT testing purposes

IT management and "staff" alike have an in-built superiority complex that leads them to think that all data is safe in their hands. The number of times I have heard responses such as "We never allow data to go off-site" or "We don't hold any sensitive data" is beyond belief. The best one is "All our staff have signed a Non-Disclosure Agreement (NDA)" - it is reassuring to know that all those who refused to sign the NDA were not employed ... exactly how dumb do you think your average fraudster is! (Note to self: Take a deep breath...)

Technology poses the risk. Technology also provides the solution. IT software vendors have reacted to the data protection issues that face all of our organisations. They have developed software that can take "live" data and desensitise it without turning it into unusable rubbish. In fact, it can scale down the volume of data so that it is more practical for use in testing environments. One such software vendor is Compuware, a U.S. based company at the leading edge of data privacy solutions across n-tier systems, including Mainframe. They have recognised that simply selling a "tool" is not enough. Their solution encompasses a defined methodology and staff whose full-time job is to deliver data privacy projects. Given that such solutions exist, businesses really have no excuse for not protecting our data.
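The kind of desensitisation described above, as an added example rather than Compuware's product or method: keyed, deterministic pseudonyms so that joins between tables still work, card numbers that keep their length and last four digits so format checks in test code still pass, and subsampling by customer so the reduced data set stays referentially consistent. The customer and order records, field names and the masking key are all constructed for this illustration.

```python
import hmac
import hashlib
import random

# Constructed sample data: two related "tables" from a fictional live system.
CUSTOMERS = [
    {"id": 1001, "name": "Alice Example", "email": "alice@example.com", "card": "4111111111111111"},
    {"id": 1002, "name": "Bob Sample", "email": "bob@example.org", "card": "5500000000000004"},
    {"id": 1003, "name": "Carol Test", "email": "carol@example.net", "card": "340000000000009"},
]
ORDERS = [
    {"order_id": 1, "customer_id": 1001, "amount": 19.99},
    {"order_id": 2, "customer_id": 1001, "amount": 5.00},
    {"order_id": 3, "customer_id": 1003, "amount": 42.50},
]

# Hypothetical secret held only by the masking job, never shipped with the test data.
# Without the key, pseudonyms cannot be reversed or recomputed from guessed inputs.
MASK_KEY = b"constructed-key-not-for-production"


def pseudonym(value: str, domain: str, length: int = 10) -> str:
    """Keyed, deterministic pseudonym: same input gives same output, so joins survive.
    The domain tag stops a name and an e-mail with equal text sharing a pseudonym."""
    digest = hmac.new(MASK_KEY, f"{domain}:{value}".encode(), hashlib.sha256).hexdigest()
    return digest[:length]


def mask_card(pan: str) -> str:
    """Replace the leading digits with key-derived digits; keep length and last four."""
    derived = str(int(pseudonym(pan, "card", 16), 16)).zfill(len(pan))
    return derived[: len(pan) - 4] + pan[-4:]


def mask_customer(c: dict) -> dict:
    """Desensitise one record. The primary key is kept so ORDERS.customer_id still joins."""
    return {
        "id": c["id"],
        "name": "Cust " + pseudonym(c["name"], "name", 8),
        "email": pseudonym(c["email"], "email") + "@test.invalid",  # reserved TLD, undeliverable
        "card": mask_card(c["card"]),
    }


def build_test_set(customers, orders, fraction: float, seed: int = 7):
    """Desensitise and scale down: sample whole customers, then keep only their orders."""
    rng = random.Random(seed)
    keep = {c["id"] for c in customers if rng.random() < fraction}
    masked = [mask_customer(c) for c in customers if c["id"] in keep]
    return masked, [o for o in orders if o["customer_id"] in keep]
```

Because the sampling decision is made per customer rather than per row, every order in the cut-down set still points at a customer that exists in it.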

In Conclusion

It seems that the only organisations that are currently serious about facing their data privacy challenges are those that have been hit by breaches AND have received sufficient bad press that they fear losing market share in their sector. Brand damage is a difficult wound to recover from.

The current penalties for not protecting sensitive data are relatively insignificant, in the grand scheme of things. Government bodies themselves are not excluded from such incompetence - we should not hold our breath for Government to increase penalties for non-compliance with the Data Protection Act (DPA).

So where do we go from here? All suggestions welcome.