Before assets can be protected, companies need to understand what has accumulated in their databases, reports Alan Earls.
The 280,000 people whose Social Security numbers were exposed, and the additional 500,000 who learned that other personally identifiable information (PII) was compromised, when cybercriminals believed to be operating out of Eastern Europe attacked a Utah Department of Health (UDOH) server in March were probably none too happy at the news. And their stress almost certainly did not dissipate when Utah Governor Gary Herbert recently fired the head of the state's Department of Technology Services (DTS), which was responsible for incident response after the event, and hired the state's first health data security ombudsman.
What made the incident worse was that UDOH publicly misstated the numbers affected several times, initially declaring much smaller pools of individuals impacted by the compromise. Now, not only is Herbert right to take a conciliatory tone, having apologized to the public for failing “to honor” the commitment to protect the state's citizens and their private information, but he and UDOH staff are at least partly back on course in turning to one of the leading consultancies, Deloitte, to audit the state's IT systems.
Just the same, the compromise has quickly become an example of what not to do when it comes to protecting PII and releasing information to the public. It has also revealed just how badly things can go wrong when the right security controls, risk management plans and incident response strategies are not in place. Indeed, fully understanding an organization's PII exposure is the first step to preventing a breach, say many experts. That is because, “PII is the most sensitive information you can store in your network,” says Torsten George, vice president of worldwide marketing and products for Agiliance, a Sunnyvale, Calif.-based provider of governance, risk and compliance solutions.
There has, in fact, been a spate of data breaches that have caused growing alarm in businesses, government and the population in general, says Joseph Santangelo, principal consultant with Axis Technology, a Boston-based IT consultancy for data management and security. The massive amount of PII and personal health information (PHI) that now exists in corporate networks can be stolen or compromised, he says. Indeed, since 2009, there have been breaches affecting more than 19 million individuals.
A main problem that likely has led to many of these breaches is that, unfortunately, too many organizations are not always aware of what PII exists in their network, how many instances of the same PII are duplicated in different corporate environments, and who has access to this data.
Further complicating the data protection conundrum is the likelihood of insider attacks. Not only are there breaches of PII undertaken deliberately by 'trusted' insiders – whether they're disgruntled or looking for a quick buck – but there are also those who mistakenly and unknowingly expose this data.
The biggest unknown, though, is how much of the problem goes unreported. It's difficult to catch someone who abuses their access privilege to view records when that activity might be mistaken for “normal” under ordinary circumstances, Santangelo says. “No one has ventured to guess the cost of damage insiders really cause,” he says.
Reacting to legislative changes, developing a complete understanding of internal networks and preventing both internal and external breaches are now central concerns of organizations, their shareholders and customers, says Santangelo. And that's not even considering the potential contractual issues involved with PII when working with business partners and third parties.
The good news is that a growing number of organizations are translating their concerns about PII into action. Rob Rachwald, director of security strategy at Imperva, a Redwood Shores, Calif.-based data protection company, says step one is to “know what you don't know.” In other words, companies must try to identify what PII they have and where it sits.
“Today, many firms can't effectively identify how many databases they have,” says Rachwald. “Also, they may not know how much SharePoint deployments have proliferated – and SharePoint contains tons of unstructured data.” (SharePoint is online collaboration software.)
However, Alan Brill, senior managing director at Kroll Advisory Solutions, a provider of intelligence and scalable technology solutions with global headquarters in New York, says determining what PII the corporation holds is easier said than done.
Once one knows what's out there, the next step is to pare down which fields of all those records are actually needed, he says. “See if you actually use the data you collect in specific identifiable business processes,” he says. “If you don't need an element of data, don't collect it. And if you do need it, determine for how long it is needed.”
Further, this is an ongoing exercise: the process has to be repeated regularly and controls updated at every stage. “Don't do this alone,” he says. “Work with business leaders, management, counsel and risk managers to succeed in managing the cyber risk.”
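The three steps described above (find where PII sits, check which of it is duplicated across systems, and identify fields no business process actually uses) can be started with a simple inventory scan. The following Python is an added example written for this article, not code from any of the vendors quoted: it runs pattern matching over a constructed set of fake data stores (a billing table, a SharePoint-style export and a ticket log), reports which fields hold which PII types, fingerprints each value so the same SSN can be traced across stores without copying it into the report, and lists PII-bearing fields that are not in a caller-supplied set of fields used by business processes. The store names, records, values and the `fields_used` map are all assumptions constructed for the demonstration.

```python
"""PII inventory over constructed sample data stores (added example, not from the article)."""
import hashlib
import re
from collections import defaultdict

# Patterns for the PII types this example looks for. Production scanners add many
# more types and validate matches (e.g. SSN area-number rules); these are deliberately simple.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}-\d{4}\b"),
}

# Constructed sample: three "data stores" with fake records. None of these values are real.
SAMPLE_STORES = {
    "billing_db": [
        {"id": 1, "name": "Pat Example", "ssn": "123-45-6789", "email": "pat@example.com", "plan": "gold"},
        {"id": 2, "name": "Sam Example", "ssn": "987-65-4321", "email": "sam@example.com", "plan": "silver"},
    ],
    "sharepoint_export": [
        {"doc": "onboarding.xlsx", "body": "New hire Pat Example, SSN 123-45-6789, phone (555) 010-1234"},
        {"doc": "minutes.docx", "body": "Quarterly planning, no personal data here"},
    ],
    "ticket_log": [
        {"ticket": 77, "text": "Customer sam@example.com asked to change plan"},
    ],
}


def fingerprint(value):
    """Hash a matched value so the inventory report never re-copies the PII itself."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def scan_stores(stores, patterns=PII_PATTERNS):
    """Return ({store: {field: {pii_type: count}}}, {(pii_type, fingerprint): set(stores)}).

    The second map answers the question "in how many places does the same SSN live?".
    """
    inventory = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    locations = defaultdict(set)
    for store, records in stores.items():
        for record in records:
            for field, value in record.items():
                if not isinstance(value, str):
                    continue  # only free-text and string columns are pattern-scanned here
                for pii_type, pattern in patterns.items():
                    for match in pattern.findall(value):
                        inventory[store][field][pii_type] += 1
                        locations[(pii_type, fingerprint(match))].add(store)
    return inventory, locations


def duplicated_pii(locations):
    """PII values present in more than one store: (pii_type, fingerprint) -> sorted store names."""
    return {key: sorted(stores) for key, stores in locations.items() if len(stores) > 1}


def minimization_candidates(inventory, fields_used):
    """Fields that hold PII but are not read by any named business process.

    fields_used maps store -> set of field names some process actually consumes; in
    practice it comes from the business-process review described in the article.
    """
    candidates = []
    for store, fields in inventory.items():
        for field in fields:
            if field not in fields_used.get(store, set()):
                candidates.append((store, field))
    return sorted(candidates)


if __name__ == "__main__":
    inv, locs = scan_stores(SAMPLE_STORES)
    for store, fields in inv.items():
        for field, counts in fields.items():
            print(f"{store}.{field}: {dict(counts)}")
    print("duplicated across stores:", duplicated_pii(locs))
    # Assumed review result: billing only needs email and plan, so its SSN column is a drop candidate.
    print("drop candidates:", minimization_candidates(inv, {"billing_db": {"email", "plan"}}))
```

Running it shows the same SSN fingerprint in both `billing_db` and `sharepoint_export`, which is exactly the duplication across environments the article warns about, and flags the unstructured `body` and `text` fields, where PII tends to accumulate unnoticed, as candidates for review. Rerunning the scan on a schedule, rather than once, matches the "ongoing exercise" point above.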