We need to include the "human element" in our identity protection schemes
Identity theft and security is always in the spotlight through the constant stream of news stories about companies losing confidential customer or client data, such as social security numbers, credit card numbers, health histories and so forth. These "breaking news" stories now seem to happen so frequently that we scarcely pay attention to them unless, of course, we are directly impacted by them. They have, however, heightened the public awareness and have even spawned new identity protection businesses.
IT companies rightly react to this by developing new technologies to improve security and eagerly market these to CIOs as a way to protect the personal information of their customers and clients. While we should use these appropriately we can't rely just on technology for identity protection.
While some of these security incidents involve someone hacking into a system, many involve a human failing. Examples include a laptop with confidential information being lost or stolen and employees e-mailing sensitive data to their personal e-mail accounts so they can work on it from home.
Network World recently tagged along an outside security audit of a Boston pharmaceutical company. They found "more than 700 leaks of critical information," such as Social Security numbers, pricing, financial information and other sensitive data in violation of the Payment Card Industry's standards. The publication also found serious lapses--more than 4,000--that ran counter to HIPAA and the U.S. Department of Defense's Information Assurance Certification rules.
Included in this were cases of sending out clearly labeled unencrypted confidential data. These lapses included both critical intellectual property, but also sensitive employee information.
It's not that the company was particularly lax. As the article states:
"While the CIO found these examples unsettling, he says it was the fact that they all happened within a six-hour span inexcusable. 'We thought we were in good shape. We had done internal and external audits in preparation for the Massachusetts Privacy Laws, we did extensive penetration testing, we have security tools such as intrusion detection and prevention and laptop encryption in place, and we do employee training. This just goes to show you can do all that and it's just not enough,' " the CIO said in the article.
We could take false comfort in the fact that at least this wasn't us. But the truth is, it probably could just as easily have been. So what can be done? I believe it is a combination of things, a so-called multi-layered security system based on both technology and human factors.
Some of the technology actions include:
- Implement "kill pills" on laptops that allow you to send a signal to lost or stolen laptops that deletes all data.
- In addition to the usual restriction of access to data, only allow data to be downloaded in an encrypted format, maintain logs of who is downloading data and the downloads should be reviewed by business staff security audit teams.
- E-mail filtering that scans outbound e-mail for keywords and confidential data.
- E-mail encryption technology.
The human factors include such things as:
- Training, but not just once when people are hired. Why not have annual training and "certification" on security and identity protection issues annually? We often do this for safety and environmental issues. Why not for identity and data protection?
- An awareness campaign for all employees, not just those that deal with sensitive data. We often assume that handling data "goes without saying," but it really doesn't. You have to explicitly let people know what is expected of them.
- Make it easy for people to keep data secure by providing easy-to-use tools and methods to securely transmit and encrypt data.
- Make protection of employee and customer data part of your company's culture. Does your company talk about this as part of their guiding principals? Is your attention to this issue part of your company's marketing strategy?
- Tell employees they are prohibited from using personal e-mail and computers for company business.
If you are dealing with customers and clients connecting with you via online, you have to include them in your security scheme even though you don't have direct control over them.
Vice-Presidential candidate Sarah Palin's Yahoo! e-mail account was hacked due in part to poor security design. Yahoo! allowed for a password reset based upon the requester answering some personal questions. The problem was that the hacker was able to determine the answers from publicly available data.
As everyone's online presence continues to grow with Facebook and other social media, asking which high school you went to or your pet's name may not be enough to truly identify you. Coupled with unlimited login attempts and resetting passwords, gaining control of an account was rather straightforward.
While we want to make things as simple as possible for our online customers we cannot forget that they expect us to protect their identity too and security should be improved. For example, my bank uses a site key that is composed of three elements. The first is a login and password using strong password rules that limit the number of login attempts before the account is locked. The second is an image and image title that I select that assures me I am on the real, and not a look-alike fraudulent, site. The third layer is that if the bank's system doesn't recognize my computer, it then asks me challenge questions in addition to the other provisions.
Protecting our employee's and customer's personal data is becoming an ever increasing concern and challenge. To do this properly, we must rely on our innate tools, not just the technology.
"Credit Card Theft" photo by d70focus
This article is also posted on Forbes.com. Feel free to join in the discussion either on this site or at Forbes.com
If this topic was of interest, you might also like these:
- Security and the Myth of the Superuser
- An "Ah Ha" Moment on Computer Security
- People and IT Security >
- Or the posts in the Security category
Recent Comments