According to a recent study, some companies have customer-data-losing events six times a year. (See A Breach a Month Or More.) Take a moment to let that sink in: I'll wait.
Back yet? Good. Let me be blunt: If you don't think it would be acceptable for the closing store clerk to leave the day's deposit sitting on the roof of his car as he drives off, then you shouldn't think it's remotely acceptable to lose customer data. For it to happen every couple of months shows a disregard for customer information that is simply unfathomable.
When a company suffers repeated data-loss incidents, it tells me that there is a cultural problem that grows from the CEO's office. The people who run a company have to treat data as an important asset and make sure that everyone in the company treats it as such if there's going to be any hope of real security. The organization will have to invest in audits and training, and the executive suite has to be willing to accept those costs with a smile if employees are expected to believe the firm is serious about the issue.
There are other things that organizations need to do, and they range from easy to more complex. Does your company do any of these?
- Personnel bonding: Bonding employees who handle large sums of cash is commonplace. Bonding employees who handle large quantities of critical customer and internal data should become commonplace as well.
- Audit time: It's OK to be happy that your company isn't covered by any of the major IT regulations. It's not OK to use that as an excuse to avoid performing security audits on your people, processes, and technologies. Build it into the system at implementation, and you'll find it far easier to make auditing part of the ongoing process.
- Train of thought: Make training in properly handling sensitive data an ongoing part of your IT staff's life. Start when they're hired, repeat when they're promoted, and keep it up throughout the year.
- Work your plan: Plan for success, but have a process in place to handle a data-loss event. After you've created the plan, practice the processes contained in the plan at least once or twice a year. There's always staff turnover -- so someone will be seeing the process for the first time when you go through a drill.
Cleaning up a data spill is messy and expensive. Work with your staff starting the first day they're hired, and convince them that it's not worth the risk to become careless or greedy. Convince them that you're serious, and your security job becomes much, much easier.
Curt Franklin is an enthusiastic security geek who used to be one of the Power Rangers (the red one, we think). His checkered past includes stints as a security consultant, an IT staffer at the University of Florida, security editor at Network Computing, chief podcaster for CMP Technology, and various editorial positions at places like InternetWeek, Byte, and Hog Monthly. Special to Dark Reading.