Saturday, May 30, 2009

Secure Data - An impossible task?

During the last few years, we have seen a blatant disregard for the protection of personal data by some of the largest organisations in the world. Spanning Financial, Retail, Utilities, Telecoms and Government sectors, many millions of "customer records" have been either "lost" or stolen.

The black market value of this data is incalculable. Yet the penalties for this level of incompetence, by the companies concerned, are minimal. There are many examples of billion dollar companies receiving fines of a few million dollars. It is far cheaper to pay such a fine than to fix the underlying security problems.


Where is the security failing?

Well, dissecting this issue objectively, there are a number of areas where a data breach is highly probable.
  • Hacking from external sources. Defensive technology has matured very quickly to address this danger, but attack techniques are evolving just as rapidly. Organisations must keep their firewalls, input validation and patch levels current if they are to keep external attackers out.

  • Internal fraud - Numerous security studies have shown that the threat from internal "users" is significant and growing. Employees' access privileges are typically too generous; they must be tightened so that each person can reach only the data needed to perform their job function (least privilege). Historically, when staff were employed "for life", loyalty was the guardian of sensitive data. In the present climate there is no such thing as job security, and employees no longer regard loyalty as a primary term of their employment contract.

  • Outsourcing - Running Call Centres and IT functions off-site or offshore is now the norm. Why not? It is more cost effective and lets organisations drive up their margins. With modern advances in telecommunications and computer technology, staff in India (or, for that matter, China) can operate shifts 24x7 to provide support across the globe. There is one major weakness in this model: from a security perspective, organisations have no direct control over how their data is used or abused. There is a heightened temptation to "earn" extra by simply copying "innocent" data onto a USB memory stick and handing it to an uncle, brother or friend outside the company. Undercover investigations have repeatedly shown this happening, and any of us could be among the millions of victims of this crime.

Is there a practical solution to minimising risk of data theft?

There are many ways to skin a cat... and there are many ways to reduce or deter data breaches. Here we discuss the two areas that pose the biggest threat.

Use of data by "approved users"

Approved users are those people authorised to access customer or other data that may be considered sensitive, for example Call Centre staff. They need that access to do their job. In this situation it is imperative to implement a CCTV-style monitoring technology that records every data access. It must provide full audit capabilities (user name, timestamp and the data accessed), delivering a complete forensic trail if a data breach were to take place. This in itself acts as a deterrent, so the "CCTV" technology must be publicised to the user community. One caveat: the recording must be protected from the very users it watches, otherwise the trail can simply be edited after the fact.
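The kind of record-access trail described above, written out as an added example (not code from the original post or from any vendor). It assumes a constructed HMAC key and constructed access events; each entry is chained to the previous one so that a deleted or altered entry breaks verification, and one query flags a user who reads an unusual number of distinct records in a short window, which is what a USB-stick bulk copy looks like in the log:

```python
import hashlib
import hmac
import json
import time
from collections import Counter

# Constructed key for the example. In production it would live in a KMS/HSM
# and never be readable by the Call Centre users whose access it records.
AUDIT_KEY = b"constructed-demo-audit-key-not-for-production"


class AccessAuditLog:
    """Append-only log of who looked at which customer record and when.

    Every entry carries an HMAC over its own content plus the previous
    entry's tag, so removing or rewriting any entry invalidates the chain.
    """

    def __init__(self):
        self.entries = []
        self._last_tag = b"\x00" * 32

    def record(self, user, record_id, action, ts=None):
        entry = {"ts": ts if ts is not None else int(time.time()),
                 "user": user, "record": record_id, "action": action}
        body = json.dumps(entry, sort_keys=True).encode()
        tag = hmac.new(AUDIT_KEY, self._last_tag + body, hashlib.sha256).digest()
        entry["tag"] = tag.hex()
        self.entries.append(entry)
        self._last_tag = tag
        return entry

    def verify(self):
        """Recompute the chain; False if any entry was altered or removed."""
        prev = b"\x00" * 32
        for e in self.entries:
            content = {k: v for k, v in e.items() if k != "tag"}
            body = json.dumps(content, sort_keys=True).encode()
            expected = hmac.new(AUDIT_KEY, prev + body, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, bytes.fromhex(e["tag"])):
                return False
            prev = expected
        return True

    def trail_for_record(self, record_id):
        """Forensic trail for one customer record: (timestamp, user, action)."""
        return [(e["ts"], e["user"], e["action"])
                for e in self.entries if e["record"] == record_id]

    def bulk_readers(self, window_seconds, threshold):
        """Users who touched more than `threshold` distinct records inside
        any window of `window_seconds`; a legitimate agent handles one
        caller at a time, a copier walks the whole table."""
        per_user = {}
        for e in self.entries:
            per_user.setdefault(e["user"], []).append((e["ts"], e["record"]))
        flagged = []
        for user, events in per_user.items():
            events.sort()
            in_window, start = Counter(), 0
            for ts, rec in events:
                in_window[rec] += 1
                # Slide the window start forward past events that are too old.
                while events[start][0] < ts - window_seconds:
                    old = events[start][1]
                    in_window[old] -= 1
                    if in_window[old] == 0:
                        del in_window[old]
                    start += 1
                if len(in_window) > threshold:
                    flagged.append(user)
                    break
        return sorted(flagged)


def build_sample_log():
    """Constructed access events: two normal lookups by alice, one by bob,
    then bob walking 50 consecutive records in under a minute."""
    log = AccessAuditLog()
    log.record("alice", "C1001", "view", ts=100)
    log.record("alice", "C1002", "view", ts=101)
    log.record("bob", "C1001", "view", ts=150)
    for i in range(50):
        log.record("bob", f"C{2001 + i}", "view", ts=200 + i)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    print("trail for C1001:", log.trail_for_record("C1001"))
    print("bulk readers:", log.bulk_readers(window_seconds=60, threshold=20))
    log.entries[2]["user"] = "mallory"   # tamper with a stored entry
    print("chain intact after tampering:", log.verify())
```

The chain only proves tampering happened; it does not prevent it, which is why the key and the log store must sit outside the reach of the monitored users.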

Use of "live" data for IT testing purposes

IT management and "staff" alike have an in-built superiority complex that leads them to think that all data is safe in their hands. The number of times I have heard responses such as "We never allow data to go off-site" or "We don't hold any sensitive data" is beyond belief. The best one is "All our staff have signed a Non-Disclosure Agreement (NDA)". It is reassuring to know that everyone who refused to sign the NDA was not employed... exactly how dumb do you think your average fraudster is? (Note to self: take a deep breath...)

Technology poses the risk. Technology also provides the solution. IT software vendors have reacted to the data protection issues that face all of our organisations. They have developed software that can take "live" data and desensitise it without turning it into unusable rubbish. In fact, it can also scale down the volume of data so that it is more practical for use in testing environments. One such software vendor is Compuware, a U.S. based company at the leading edge of data privacy solutions across n-tier systems, including Mainframe. They have recognised that simply selling a "tool" is not enough. Their solution encompasses a defined methodology and staff whose full time job is to deliver data privacy projects. Given that such solutions exist, businesses really have no excuse for not protecting our data.
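What "desensitise without turning it into rubbish" means in practice, as an added example (my own code, not Compuware's product or method, and not from the original post). It assumes a constructed masking key and constructed customer and transaction tables. Names and e-mails become deterministic pseudonyms, account numbers keep their format and last four digits so screens and validation code still work, the customer-to-transaction link is preserved because the same input always maps to the same token, and the output is subset to a fraction of customers with only their transactions, which is the volume reduction the paragraph mentions:

```python
import hashlib
import hmac
import random

# Constructed secret for the example. A real masking run draws it from a KMS
# and keeps it out of the test environment, so tokens cannot be reversed there.
MASK_KEY = b"constructed-demo-masking-key"

# Constructed "live" data; no real customers.
SAMPLE_CUSTOMERS = [
    {"id": "C1001", "name": "Alice Smith", "email": "alice@example.com",
     "account": "12-34-56 12345678", "balance": 1520.40},
    {"id": "C1002", "name": "Bob Jones", "email": "bob@example.com",
     "account": "65-43-21 87654321", "balance": 8.75},
    {"id": "C1003", "name": "Carol White", "email": "carol@example.com",
     "account": "11-22-33 44556677", "balance": 230000.00},
    {"id": "C1004", "name": "Dave Brown", "email": "dave@example.com",
     "account": "99-88-77 66554433", "balance": -120.00},
]
SAMPLE_TRANSACTIONS = [
    {"id": "T1", "customer": "C1001", "amount": -45.00},
    {"id": "T2", "customer": "C1001", "amount": 1200.00},
    {"id": "T3", "customer": "C1002", "amount": -8.75},
    {"id": "T4", "customer": "C1003", "amount": 99.99},
    {"id": "T5", "customer": "C1004", "amount": -120.00},
]


def pseudonym(value, prefix):
    """Deterministic, keyed token: same input -> same token across tables,
    but without the key the original value cannot be recovered."""
    digest = hmac.new(MASK_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{prefix}-{digest[:10]}"


def mask_account(acct, keep_last=4):
    """Replace all but the last `keep_last` digits with keyed pseudo-random
    digits; separators and positions are preserved so format checks pass."""
    digits = [c for c in acct if c.isdigit()]
    digest = hmac.new(MASK_KEY, acct.encode(), hashlib.sha256).digest()
    replaced = [str(digest[i % len(digest)] % 10)
                for i in range(len(digits) - keep_last)]
    new_digits = replaced + digits[len(digits) - keep_last:]
    out, j = [], 0
    for c in acct:
        if c.isdigit():
            out.append(new_digits[j])
            j += 1
        else:
            out.append(c)
    return "".join(out)


def mask_dataset(customers, transactions, sample_fraction, seed):
    """Subset to roughly `sample_fraction` of customers (seeded, so repeat
    runs produce the same subset) and mask the identifying fields while
    keeping transactions linked to their now-pseudonymous customers."""
    rng = random.Random(seed)
    keep_ids = {c["id"] for c in customers if rng.random() < sample_fraction}
    id_map = {cid: pseudonym(cid, "CUST") for cid in keep_ids}
    masked_customers = [
        {"id": id_map[c["id"]],
         "name": pseudonym(c["name"], "NAME"),
         "email": pseudonym(c["email"], "user") + "@example.invalid",
         "account": mask_account(c["account"]),
         # Balance is kept: test cases usually depend on realistic amounts.
         "balance": c["balance"]}
        for c in customers if c["id"] in keep_ids]
    masked_tx = [
        {"id": t["id"], "customer": id_map[t["customer"]], "amount": t["amount"]}
        for t in transactions if t["customer"] in keep_ids]
    return masked_customers, masked_tx


if __name__ == "__main__":
    custs, tx = mask_dataset(SAMPLE_CUSTOMERS, SAMPLE_TRANSACTIONS, 0.5, seed=7)
    for c in custs:
        print(c)
    for t in tx:
        print(t)
```

Keeping balances and amounts unchanged is a deliberate trade-off: they make the test data realistic, but combined with an unmasked field they can still re-identify someone, so anything that is a quasi-identifier in your schema belongs in the masked set too.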

In Conclusion

It seems that the only organisations currently serious about facing their data privacy challenges are those that have been hit by breaches AND have received enough bad press that they fear losing market share in their sector. Brand damage is a difficult wound to recover from.

The current penalties for not protecting sensitive data are relatively insignificant, in the grand scheme of things. Government bodies themselves are not exempt from such incompetence, so we should not hold our breath for Government to increase the penalties for non-compliance with the Data Protection Act (DPA).

So where do we go from here? All suggestions welcome.

3 comments:

Mick W said...

I work for a large high street bank in the UK. We use copies of our live databases for testing our software. All employees have to sign confidentiality agreements regarding protecting customer data. I have been happy with this in the past. What changed my view was when one of our test reports included details about my savings accounts - that really hurt. Ever since then I have been trying to get our management to review our policy on use of live data for testing. It is still seen as a low priority because our auditors have not flagged this as a compelling issue. I have since closed my savings account and moved it to another bank. No doubt they will have the same issues but at least my colleagues will not have a view of my details!
Short of the government enforcing the DPA legislation more stringently, I don't know what else will force banks to take more care of customer information.

Andy M said...

In light of the British Parliament's expenses scandal, it was interesting to note that the House of Commons saw fit to publish redacted versions of MPs' receipts. Why? Well we are told that this is to stay within the boundaries of the data protection act. Items such as the MPs' address have been hidden. I have worked in a number of organisations where this type of information is made available to our software testers, whether they are internal or outsourced. We had no control over how that data was used. There were no audit logs kept or strict access control implemented. The Information Commissioner's office seems impotent when it comes to looking after the interests of everyday citizens. My current paymaster, I am happy to say, is engaging with Compuware to implement a process where we can totally desensitise the data in our test environments. We have called in the experts because our customer information is recognised as an asset. Let's hope other companies see sense in the not too distant future.

Teresa F said...

Following on from the previous comment, it is worth noting that the scope of the redaction was far more than merely the MPs' address details. See full details on the hyperlink on my name. The parliament website states "The scans have been edited to remove information which could cause serious security issues and breach the privacy of the MP, their staff and other third parties." What a pile of doodoo! Have a look at all the 'black ink' on the expense documents and you will see that this has been used as an excuse to further hide their embarrassment!

Anyway ... protecting customer information is something I feel that all organisations should be obliged to do. Heavier penalties are needed before the CIO and other board members take this matter seriously.

Great post, by the way.