Before assets can be protected, companies need to understand what has accumulated in their databases, reports Alan Earls

The 280,000 people who saw their Social Security numbers exposed, and the additional 500,000 individuals who learned that other personally identifiable information (PII) was compromised, when cyber criminals believed to be operating out of Eastern Europe attacked a Utah Department of Health (UDOH) server in March were probably none too happy at the news. And that stress likely did not dissipate when Utah's Governor Gary Herbert recently fired the head of the state's Department of Technology Services (DTS), which was responsible for incident response after the event, and hired the state's first health data security ombudsman.

What made the incident worse was that UDOH publicly misstated the numbers affected several times, declaring much smaller pools of individuals impacted by the compromise. Herbert is right to take a conciliatory tone, having apologized to the public for failing "to honor" the commitment to protect the state's citizens and their private information, and he and UDOH staff are at least somewhat on course in turning to one of the leading consultancies, Deloitte, to audit the department's IT systems.

Just the same, the compromise has quickly become an example of what not to do when it comes to protecting PII and releasing information to the public. It has also shown how badly things can go wrong when the right security controls, risk management plans and incident response strategies are not in place. Indeed, many experts say that fully understanding an organization's PII exposure is the first step to preventing a breach. That is because "PII is the most sensitive information you can store in your network," says Torsten George, vice president of worldwide marketing and products for Agiliance, a Sunnyvale, Calif.-based provider of governance, risk and compliance solutions.

There has, in fact, been a spate of data breaches that has caused growing alarm among businesses, government and the population in general, says Joseph Santangelo, principal consultant with Axis Technology, a Boston-based IT consultancy for data management and security. The massive amount of PII and personal health information (PHI) that now exists in corporate networks can be stolen or compromised, he says. Indeed, since 2009 there have been breaches affecting more than 19 million individuals.

A main cause of many of these breaches is that too many organizations are not aware of what PII exists in their network, how many copies of the same PII are duplicated across different corporate environments, and who has access to this data.

Further complicating the data protection conundrum is the likelihood of insider attacks. Not only are there breaches of PII undertaken by ‘trusted’ insiders on purpose – whether they’re disgruntled or looking for a quick buck – but there are those who mistakenly and unknowingly expose this data. 

The biggest unknown, though, is how much of the problem goes unreported. It’s difficult to catch someone who abuses their access privilege to view records when that activity might be mistaken for “normal” under ordinary circumstances, Santangelo says. “No one has ventured to guess the cost of damage insiders really cause,” he says.

Reacting to legislative changes, developing a complete understanding of internal networks and preventing both internal and external breaches are now central concerns of organizations, their shareholders and customers, says Santangelo. And that’s not even considering the potential contractual issues involved with PII when working with business partners and third parties.

The good news is that a growing number of organizations are translating their concerns about PII into action. Rob Rachwald, director of security strategy at Imperva, a Redwood Shores, Calif.-based data protection company, says step one is to “know what you don’t know.” In other words, companies must try to identify what PII they have and where it sits. 

"Today, many firms can't effectively identify how many databases they have," says Rachwald. "Also, they may not know how much SharePoint deployments have proliferated – and SharePoint contains tons of unstructured data." (SharePoint is online collaboration software.)

However, Alan Brill, senior managing director at Kroll Advisory Solutions, a provider of intelligence and scalable technology solutions with global headquarters in New York, says determining what PII the corporation holds is easier said than done.

Once one knows what’s out there, the next step is to pare down which fields of all those records are needed, he says. “See if you actually use the data you collect in specific identifiable business processes,” he says. “If you don’t need an element of data, don’t collect it. And if you do need it, determine for how long it is needed.” 

Further, this is an ongoing exercise. One has to repeat the process regularly and update controls at every stage. "Don't do this alone," he says. "Work with business leaders, management, counsel and risk managers to succeed in managing the cyber risk."
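The inventory step above, "know what you don't know", and the paring-down of fields that follows it are the kind of work a discovery script can support. The following is an added example, not code from the article or from any vendor quoted in it: it walks a set of constructed data stores, flags columns whose values look like Social Security numbers or e-mail addresses, and reports values held in more than one store, which is where the duplication problem described earlier shows up. The store names, column names, sample values and the two regular expressions are assumptions.

```python
import re
from collections import defaultdict

# Heuristic column classifiers for two PII elements (SSN, e-mail); tune per data set.
PII_PATTERNS = {
    "ssn": re.compile(r"^(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),
}

# Constructed sample inventory: store -> table -> rows. All values are invented.
SAMPLE_STORES = {
    "prod/customers_db": {"customers": [
        {"id": 1, "ssn": "123-45-6789", "email": "a@example.com", "plan": "gold"},
        {"id": 2, "ssn": "234-56-7890", "email": "b@example.com", "plan": "basic"},
    ]},
    "analytics/warehouse": {"cust_copy": [
        {"cust_id": 1, "tax_id": "123-45-6789", "region": "west"},
    ]},
    "sharepoint/hr_site": {"onboarding.xlsx": [
        {"employee": "C. Sample", "contact": "c@example.com"},
    ]},
}

def classify_column(values, min_ratio=0.8):
    """Return the PII type that most non-empty values in a column match, else None."""
    strings = [str(v) for v in values if v not in (None, "")]
    for kind, pat in PII_PATTERNS.items():
        if strings and sum(bool(pat.match(s)) for s in strings) / len(strings) >= min_ratio:
            return kind
    return None

def inventory(stores):
    """Walk every store/table/column; list PII columns and values held in >1 store."""
    findings = []               # (store, table, column, pii_type, row_count)
    holders = defaultdict(set)  # (pii_type, value) -> set of stores holding it
    for store, tables in stores.items():
        for table, rows in tables.items():
            for col in sorted({c for row in rows for c in row}):
                values = [row.get(col) for row in rows]
                kind = classify_column(values)
                if kind is None:
                    continue
                findings.append((store, table, col, kind, len(rows)))
                for v in values:
                    if v not in (None, "") and PII_PATTERNS[kind].match(str(v)):
                        holders[(kind, str(v))].add(store)
    duplicates = {k: sorted(s) for k, s in holders.items() if len(s) > 1}
    return findings, duplicates
```

Calling inventory(SAMPLE_STORES) lists four PII-bearing columns (including the warehouse column named tax_id, which a name-based search would miss) and one SSN that lives in both the production database and the analytics warehouse; each extra copy is a field to question under Brill's "if you don't need it, don't keep it" rule.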

The compliance crunch

An extra layer of urgency is added when considering adherence to regulations. When it comes to compliance, again the first challenge is figuring out with which mandates one needs to comply, though in general, being aware of what data one has and demonstrating proper controls over it helps meet most compliance requirements. 

“Typically, an intelligent and comprehensive security strategy will, by default, address compliance needs,” says Rachwald. On the other hand, he says, too many organizations attempt to mollify compliance auditors at the expense of truly effective security by adopting a simple “checklist” approach, rather than truly understanding and addressing the problem.

And sometimes the requirements are unclear. "Clarity and cost are the two most common concerns when it comes to compliance," says Sanjay Raja, director of product marketing for TippingPoint at Hewlett-Packard. For example, he says, the Payment Card Industry Data Security Standard (PCI DSS) sets guidelines for process, technology and policy for any company, organization or government body involved in handling payment information. It is enforced through fines, penalties or suspension from processing payments.

And bills currently making their way through the legislative process may not clarify issues. According to Jerry Irvine, a member of the National Cyber Security Task Force, and CIO of Chicago-based Prescient Solutions, an IT outsourcer, there is currently no new legislation targeted toward the protection of PII. Neither the House-sponsored Cyber Intelligence Sharing and Protection Act (CISPA) nor the Senate-sponsored Protecting Cyberspace as a National Asset Act of 2010 defines PII requirements. However, he says, “there are proposed amendments to CISPA to limit the inclusion of PII from shared information.”


Still, there is plenty to worry about under existing regulations. For instance, says Irvine, the Health Insurance Portability and Accountability Act (HIPAA) provides for a fine of up to $50,000, or up to one year in prison, or both, for release of personal information. If the offense is committed under false pretenses, a fine of up to $100,000, or up to five years in prison, or both, can be imposed. And if the offense is committed with intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm, a fine of up to $250,000, or up to 10 years in prison, or both, is possible.

“In general, if loss of PII by a company is intentional or determined to be caused by negligence or failure of ‘due diligence,’ other laws, regulations and or penalties could apply, including jail time,” Irvine says.

Taming vulnerabilities

There is no one golden application or process that will magically provide protection and compliance for PII. Rather, says Irvine, companies need to establish a series of IT policies, processes and standards to manage their environment and that, in turn, requires a full understanding of the business strategy. 

“These policies need to be developed and supported by the executive team,” he says. “Once determined, a complete IT inventory needs to be completed defining core systems, applications and data and the potential risks of loss of these IT assets.”

The next step companies should consider, says Irvine, is investment in three areas. First, an application scanner (fuzzers, web crawlers and the like) that searches for vulnerabilities such as SQL injection and cross-site scripting. These flaws can allow systems to be breached or redirected, with data loss as the consequence.

Second, he recommends vulnerability scanners. While application scanners look only at the applications, vulnerability scanners search systems for anomalies in configurations, operating systems and applications. Items reviewed include the accessibility of systems, missing updates, legacy applications with known vulnerabilities and more.

Finally, Irvine suggests enterprises implement information rights management (IRM) and digital rights management (DRM) processes and applications. These tools aid in the supervision of access control processes. These applications have the ability to encrypt data and report on access, including blocking data duplication, printing and transmission.

But even that still might not be enough. Organizations should look at the broad benefits of encryption in general, says Todd Thiemann, senior director of product marketing at Vormetric, a San Jose, Calif.-based provider of enterprise encryption products. "This technology provides a safe haven for companies if there is a breach," he says.

And should a company experience a high-profile loss event, it should develop, update and regularly exercise its disaster recovery and crisis contingency plans, says Tom Lambakis, vice president of information security consulting at Control Risks, a global risk consultancy with 34 offices in more than 100 countries.

Another challenge today is that many companies have locked themselves into old spending patterns, says Rachwald. Specifically, they overspend on network firewalls and anti-virus applications, which do little to actually protect data. Rachwald says those technologies are needed, but should be supplemented with employee training and efforts to protect data that are more “intelligent.” 

Fortunately, he says, paying the bill for those additional investments may start to get easier. “Line-of-business owners are taking a greater interest in cyber security,” he says. “More and more, we see budget and ownership being shared between security and business owners.” 

Photo: South Carolina Department of Health and Human Services Director Anthony Keck talks about a major security breach of data in his agency’s office.

Alarm: Data leakage

Major breaches of PII in the past few years have included:

  • Heartland Payment Systems had 130 million payment records compromised.
  • TJX Companies had 94 million transactions compromised.
  • Sony had two, the first impacting 77 million people and another affecting 25 million.
  • U.S. Department of Veterans Affairs had the data of 26 million people compromised.
  • A former employee of the South Carolina Dept. of Health and Human Services was arrested after allegedly downloading the personal information of more than 228,000 Medicaid beneficiaries. 
  • The Tricare Military Health program and its Business Associate, Science Applications International had a breach which impacted almost five million individuals.