Organizations around the country lost over 250 million records in data breaches during 2013 alone. This startling statistic, compiled by the Privacy Rights Clearinghouse, corresponds to more than one record for every adult American. Those records include credit card numbers, health information, employment data and other sensitive information that may lead to identity theft for the individual and legal liability for the organizations responsible for securing those records. Every IT professional should understand the significant risks associated with storing, processing and transmitting sensitive data.
Fortunately, there are actions that you can take to prevent your organization from appearing in the next newspaper story covering a major data breach. By simply implementing some of the basic security controls taught in any security certification program, you can protect the sensitive information entrusted to your custody, keeping your reputation intact and preventing liability issues. In this article, I explain five of the top causes of data breaches and how you can protect your organization from falling victim to these common traps.
1. Keeping too much data around.
The biggest mistake that many organizations make is simply retaining too much sensitive data. It’s a tempting practice — if you have data about your customers, business partners, employees or other individuals, there is a natural urge to preserve it for unknown future needs. Creating these unnecessary data caches, however, increases the risk of a data breach by boosting both the number of locations where a hacker might steal data and the number of records they might obtain during a heist.
What’s the answer? Only keep sensitive information that you need for a legitimate business purpose. You should develop and implement a records retention policy that outlines how long you will maintain sensitive records. In addition, you may be able to remove or modify some unneeded data elements from your records to make them much less sensitive. For example, many organizations choose to truncate Social Security numbers and credit card numbers so that only the last four digits appear in their records. This is sufficient to make the file uninteresting to an attacker but still allow for some identification of accounts and de-duplication of records.
Masking Social Security Numbers so that the first five digits are replaced with X’s makes a file less sensitive but still allows employees to distinguish between the two Mary Smiths in the file.
One thing that IT professionals often forget is that sensitive information may be lurking in strange places. For example, one organization was shocked to discover that a PowerPoint presentation about its budget contained the SSNs of every employee in the firm. The presentation contained a chart that was built from an embedded spreadsheet containing records on all employees. The file wasn’t visible to the casual reader, but the data was there for the taking in the underlying data file. For this reason, you should consider using a sensitive information discovery tool to help you identify hidden caches of unwanted data.
2. Failing to encrypt laptops, mobile devices and removable media.
Organizations that do retain sensitive information often keep copies on portable devices that may be lost or stolen. This may be done to satisfy backup requirements — moving a copy of important records to a remote location. Traveling executives also sometimes require access to sensitive information on their smartphones, tablets and laptops. When one of these devices turns up missing, however, it creates a world of difficulty for IT personnel, who must assume that the device has fallen into unfriendly hands.
Fortunately, there is an easy solution to this problem — the use of encryption technology. Encryption uses mathematical algorithms to convert sensitive information into a form that is unreadable by anyone who does not have the password required to unlock the data. Many operating systems contain built-in encryption functionality that automatically obscures all sensitive information stored on the device. Enabling this technology can be a lifesaver in the event of a data breach.
The FileVault feature provided in Mac OS X offers a convenient, free way to encrypt all data stored on a Mac’s hard drive.
In addition to deploying encryption, organizations may wish to consider using a mobile device management (MDM) product to track and manage the proliferation of data on mobile devices. MDM software also often provides remote wiping capability, allowing administrators to trigger the purging of all data from a lost or stolen device.
Encryption isn’t just for devices, either. In addition to encrypting entire drives, you can also apply encryption to individual files and network communications sessions. This technology provides an important defense against eavesdropping, preventing outsiders from accessing sensitive information. Many businesses use encryption to allow the transmission of sensitive information over otherwise insecure means, such as sending files as e-mail attachments or uploading them to a cloud-based service over a standard Internet connection.
3. Poorly designed business processes.
Business processes that handle sensitive information should be carefully designed to ensure that the information is protected to the greatest extent possible. You should be able to document all of the business processes that use sensitive information and understand how that information is safeguarded at each step in the process. For example, you might have a hiring process that requires the use of SSNs to verify work authorization and to initiate payroll. A well-designed business process would ensure that SSNs are only available to the staff involved in those specific purposes. A poorly designed process might write the employee’s SSN on the front of a hiring folder that is passed around the entire HR department.
When it comes to sensitive information, you should be very careful about the design of your business processes. One best practice is to use business process mapping to document the transmission, storage and use of sensitive information throughout the process lifecycle. Once you have the process mapped, you’ll find it much easier to identify ways that you can minimize the exposure of that information and protect your organization against added risk.
4. Accidental publishing to the web or email.
Many data breaches occur because of innocent mistakes made by employees who unknowingly place sensitive information in a location where it is publicly accessible. This sometimes occurs when an employee posts a file to a website without realizing that it contains sensitive information or accidentally emails a file containing sensitive information to unintended recipients. In either case, once the data is publicly exposed, the organization has suffered a data breach.
Pay careful attention to office productivity documents that might contain remnants of sensitive information. One example of this is the revision history kept by many word processing applications. When a user deletes text from a document, the software maintains the deleted text as part of the revision history. If the document is not properly sanitized before sending, a recipient may be able to restore sensitive text that the sender intended to redact.
Organizations should take a two-pronged approach to preventing accidental publishing. First, you should strictly limit the number of employees who have access to sensitive information. If employees simply don’t have access to a file, you minimize the risk that they will be able to accidentally disclose it! Second, consider using a data loss prevention (DLP) product to scan the content of web and e-mail communications. Properly configured, a DLP system can detect and block attempted transmissions of sensitive information outside of a controlled area. The use of DLP technology has the potential to dramatically reduce the likelihood of a data breach.
5. Lack of appropriate access controls.
Once organizations take action to minimize the number of places where sensitive information is stored and the number of people who should have access to that information, their job is only half done. They must enforce these decisions with strong access control systems that restrict sensitive information to individuals with a valid business need to access it. Organizations that lack these controls are vulnerable to attacks waged by individuals who have legitimate accounts on the network but seek to misuse their access for malicious purposes. This risk, known as the “insider threat” is one of the most insidious causes of data breaches.
The most important step that you can take to protect your organization against improperly configured access controls is to perform regular auditing. Take the list of individuals with approved access to sensitive information and compare it to the settings in your access control system. When it comes to sensitive data, you should be able to correlate each access permission setting to a specific, documented business need.
Protecting sensitive information is of paramount importance to organizations of all shapes and sizes. Certified technology professionals must remain constantly aware of the changing threats to information security and the actions that they can take to defend the sensitive data placed under their care. Minimizing the use of sensitive information, making judicious use of encryption technology and designing access controls and business processes that limit accidental breaches are all important steps in building a robust information security program.