Security News > 2006 > January > When Data Goes Missing: Will You Even Know?

When Data Goes Missing: Will You Even Know?
2006-01-25 06:33

http://www.computerworld.com/managementtopics/management/story/0,10801,107967,00.html Advice by Jack Gold JANUARY 23, 2006 COMPUTERWORLD Recent reports of company-compiled personal data gone missing (such as Marriott losing many thousands of vacation club records), while clearly important, is really just the tip of the iceberg. What customers really need to ask of companies is, What other data has been lost? And in all likelihood, there is absolutely no way for the companies to know. The truth of the matter is, reported cases of massive data loss are just the ones they know about. And this problem will only grow with the proliferation of tiny personal mass-storage devices of dramatically increasing capacity. How many people currently own flash memory drives? Tens of millions. And how many companies control the use of flash drives? You can count them on one hand. I travel a lot, and on a recent trek through airport security, I found a flash drive that had fallen under the security table. This lost drive had no distinguishing characteristics -- no labels to tell me who owned it or where he worked. With some time to kill before my flight, I decided to see if I could track down the owner. I had to invade the owner's privacy to see what I could discover from the content of the files. Turns out the files contained fairly innocuous content -- some project plans and a short PowerPoint in draft form -- but no way to identify the owner. (As a result of this experience, I have put a small .txt file on my devices with my name and address, and I figure an address label on the outside can't hurt either.) Why is this an issue? Well, for starters, the storage capacity of these devices is growing at the "silicon curve" rate. Within the next two to three years, instead of the 500MB or 1GB drives commonly available today, you'll be able to purchase for about the same money a stick-like drive of 10GB or greater capacity. What if an employee decided to download a customer database to one of these devices (say, to transfer the data to another machine) and then proceeded to lose it? Is the data protected from loss? Probably not, even though there are many devices now available that include encryption capability (which is rarely used). And what if a competitor picks it up? The potential to lose data on portable devices is a massive hole in most companies' security plans. The laws being passed in a number of states that require data loss to be reported to affected consumers work only if the company actually discovers the loss. With more and more employees using flash drives, smart phones with Secure Digital memory cards, portable hard drives, etc., the likelihood of companies actually knowing about all instances of data loss is declining rapidly. And as a result, the possibility of companies breaking laws, whether for data-loss disclosure or regulatory compliance, is growing dramatically. Most companies attempting to come to terms with this problem are still aiming at technologies that are at least 10 years old (e.g., loss of data backup tapes), when an even greater potential mechanism for loss is increasingly appearing in their organizations with virtually no control and no disclosure, nor for that matter internal discovery. So what should companies do? Certainly I wouldn't suggest eliminating external memory devices, since they provide real benefit to many users. But companies must take steps, starting with user education on what is and is not appropriate use. Further, companies should track sensitive data with trails of user access. Finally, companies should employ techniques that can discover when devices are connected and by whom, and make sure such devices have protection enabled (or better yet, provide users who need them enterprise-class, protection-enhanced storage devices). It is highly likely that within the next year, we will see at least one publicized major case of unencrypted data loss from a portable device. Afterward, a lot of companies will ban such devices. But it would be better for them to formulate a proactive strategy now. Educate users, and deploy technology that will prevent data loss even if portable devices are lost. Educated users will be more aware of the ramifications of losing the valuable data that has become so easy to carry around. _________________________________ InfoSec News v2.0 - Coming Soon! http://www.infosecnews.org


News URL

http://www.computerworld.com/managementtopics/management/story/0,10801,107967,00.html