Dark Reading is part of the Informa Tech Division of Informa PLC


Perimeter

3/12/2007
05:30 AM

If Data Were Like Cash

Then it wouldn't be acceptable to leave it in an employee's car, or worse, lose it

According to a recent study, some companies lose customer data as often as six times a year. (See A Breach a Month – Or More.) Take a moment to let that sink in: I'll wait.

Back yet? Good. Let me be blunt: If you wouldn't find it acceptable for the closing store clerk to leave the day's deposit sitting on the roof of his car as he drives off, then you shouldn't find it remotely acceptable to lose customer data. For it to happen every couple of months shows a disregard for customer information that is simply unfathomable.

When a company suffers repeated data-loss incidents, it tells me there is a cultural problem, and that it starts in the CEO's office. The people who run a company have to treat data as an important asset, and make sure everyone in the company treats it the same way, if there is to be any hope of real security. That means investing in audits and training, and the executive suite has to accept those costs with a smile if employees are expected to believe the firm is serious about the issue.

There are other things that organizations need to do, and they range from easy to more complex. Does your company do any of these?

  • Personnel bonding: Bonding employees who handle large sums of cash is commonplace. Bonding employees who handle large quantities of critical customer and internal data should become commonplace as well. Bonding doesn't stop a loss from happening, but it makes the organization put a dollar figure on the trust it places in each data handler, and that number tends to focus attention.

  • Audit time: It's fine to be glad your company isn't covered by any of the major IT regulations. It's not fine to use that as an excuse to skip security audits of your people, processes, and technologies. Build auditing in when a system is implemented, and you'll find it far easier to keep it going as part of the ongoing process than to bolt it on afterwards.

  • Train of thought: Make training in the proper handling of sensitive data an ongoing part of your IT staff's life. Start when they're hired, repeat when they're promoted or change roles, and keep it up throughout the year rather than treating it as a one-time checkbox.

  • Work your plan: Plan for success, but have a process in place to handle a data-loss event. Once the plan is written, practice the processes it contains at least once or twice a year. There is always staff turnover, so someone will be seeing the process for the first time when you run a drill, and it's far better for that first time to be an exercise than a real incident.

Cleaning up a data spill is messy and expensive. Work with your staff from the day they're hired, and convince them that carelessness or greed isn't worth the risk. Convince them that you're serious, and your security job becomes much, much easier.

— Curt Franklin is an enthusiastic security geek who used to be one of the Power Rangers (the red one, we think). His checkered past includes stints as a security consultant, an IT staffer at the University of Florida, security editor at Network Computing, chief podcaster for CMP Technology, and various editorial positions at places like InternetWeek, Byte, and Hog Monthly. Special to Dark Reading.
