July 18, 2006 - Issue 5.15

Feature Story

Hardly a day goes by that the news isn’t reporting some gross breach of security resulting from some idiot mishandling sensitive data.

The headline is usually something like "Atomic Weapon Plans Revealed in 6th Grade Show and Tell." The story then relates how some kid takes Dad's laptop into school, brags about Dad's Q-level security clearance, and shares Dad's data with his friends. The result is a low-yield nuclear weapon winning first prize at the local science fair. The next thing you know, Dad's on "60 Minutes" sheepishly explaining that he left the laptop on the kitchen counter one day last month and "darned if little Bobby didn't just pick it up thinking Mom had bought him a new lunchbox."

Maybe the data is not nuclear weapons technology. Perhaps it's credit-card data, medical information or confidential product plans for a company's coming model year. Nevertheless, it is all potentially devastating to those whose information is revealed.

As I see it, there are two culprits at work here, both of which are creating more than a little havoc in the world of data security. First there is the malicious threat: the deliberate destruction or illicit distribution of sensitive data. Second on my list is the threat that comes from our need for convenience. We not only want our data at the office, we also want it at home, on the plane, in the car, at the beach on vacation and virtually everywhere we go. We want nice, transparent security processes that don't cause us any grief, and at the same time we expect these transparent processes to protect our data from any and all threats.

I analyzed some data on security breaches reported over the past 18 months or so. The results were really quite interesting.

Procedural Errors

Of the 203 cases that were reported, 32 breaches were due to procedural errors. That is my term, by the way. Included here were things like lost backup tapes, accidental access granted to unauthorized personnel and inadvertent exposure via web or e-mail. In other words, someone just messed up. These things happen.

During my early career in the microfilm business, I can recall an incident like this. We had filmed a bunch of patient records for a local medical center. During the process where the master film is duplicated for distribution, something happened that required us to re-duplicate the job. The “bad” duplicate was trashed.

A couple of days later, we got a call from a hospital administrator. It seems she had been driving to work when a 20-foot-long section of 35mm microfilm blew across the street and ended up caught in the windshield wipers of her car. It was a chunk of the "bad" film that had blown out of the dumpster during our trash pickup.

Hacked

The second category is hacked. In these cases, unauthorized users force their way into a system for the purpose of destroying or stealing data. Out of the 203 cases, 73 were blamed on this type of activity.

These guys act out of boredom, political/social activism, greed and revenge. Some are more sophisticated than others, but they are all dangerously anti-social.

Portability

The final large category of breach is what I will call portability. By this, I mean that the very portability of the data, via laptop or other device, made it possible for the bad guys to get their hands on the data. Out of the 203 cases, 70 were due to the portability of the data.

There are other categories, but these are the top three. Here’s how the whole study broke down.

  • 16% - process error

  • 1.5% - fraud (bogus IDs and accounts)

  • 36% - hacked

  • 6.5% - inside job involving dishonest employees

  • 1.5% - malicious intent

  • 1.0% - involved compromised passwords

  • 34.5% - involved portable devices

  • 3.0% - cause not reported

The other factor involved is the type of institution involved in the breach. No one is immune. But some do a much better job than others in protecting their data.

Care to guess where most of this activity occurs? By far the most frequently reporting victim type is the educational institution. Out of the 203 cases, 75 (37%) were reported by educational institutions. A distant second-place finish belongs to financial institutions. Just like Willie Sutton, cyber thieves know where the money is.

The entire breakdown of business types follows:

  • Aerospace – 0.5%

  • Communications – 1.0%

  • Data Services – 1.5%

  • Education – 37%

  • Finance – 18%

  • Government – 13%

  • Healthcare – 6.0%

  • Insurance – 5.5%

  • Manufacturing – 2.5%

  • Media – 1.0%

  • Military – 1.5%

  • Professional Organizations – 0.5%

  • Retail – 4.0%

  • Service Organizations – 1.0%

  • Travel & Entertainment – 3.0%

  • Utilities – 0.5%

  • Unknown – 3.5%

I would have to say that I am not surprised about educational institutions coming in first in this area. But it still makes you wonder why. Security measures can be effective, so why are they not more effective in the education environment? Fully 53 of the 73 entities hacked (72%) were educational institutions.

At first you might think, so what, who cares, it’s college stuff. Not so fast. These are not barber colleges I’m talking about here. These are high-end research institutions that are heavily involved in corporate- and government-sponsored research. There is a lot at stake when you consider the implications of your military, space-program and scientific research data being placed at risk.

Corporations working with research institutions would do well to require some standard in the area of data security. The same is true for government entities partnering with higher education. These institutions must be held accountable for the data with which they are entrusted.

But, before we get all smug about the academic types that are losing data, let's go back and talk about the portable category in the first set of stats. What do we mean by portable? Almost all of these involved stolen laptop computers. Who's involved? Some of the biggest accounting firms, biggest banks, sensitive government agencies, highest of high-tech manufacturers and just about everyone else.

Portability means we are putting our “corporate brains” into a small package. That package of brains can be picked up and carried off while you fumble around paying your bar tab at the airport. Thousands of sensitive patient records can be pulled off your shoulder while you walk down the street at lunch. You can lose your whole customer listing because you happen to doze off while seated at a bus stop. While you are waiting for a red light to change to green, someone can reach into your car and grab your marketing strategy for the next three years.

We need to get tough on what constitutes need in the corporation today. I see many people using laptops who probably really don't need laptops. Let's be real. Most people don't need to take huge amounts of data anywhere. I had a boss who used to kid me about my briefcase. He would always ask, "What are you taking home tonight?" He started to call it my Brooks Brothers lunchbox. It was funny, but he also knew what I was taking off premises.

I used to travel with a laptop back in the late '80s. I also carried a platen for projecting laptop screens via an overhead projector, and I carried a briefcase. The "coolness" of being one of the few guys on the plane with a laptop in that era quickly wore off. This stuff weighed a ton compared to today's hardware. I would come home feeling like I was about six inches shorter on my right side than on my left. Regardless, I had a demonstrable need to carry certain information with me around the country. This information was primarily composed of product training packages. Before the laptop, I was carrying tons of slides and transparencies. The laptop did liberate me.

Here are a few ideas for dramatically cutting down on data being “lost” or stolen from places where it probably did not need to be in the first place.

  • Limit traveling laptops to those who have a demonstrable need. That does not include the convenience of taking work home. Banks don’t let money counters take the money home to count and corporations should treat their data like money.

  • Re-architect systems so that the apps reside on the desktop or laptop, but the data remains on the mainframe. Mainframe security is vastly superior to the security available on a distributed system that is tied into e-mail, strung out all over the planet and living on the wrong side of the firewall.

  • Implement laptop security measures that are in line with the value of the data you are protecting.

- Frequently trade out and audit hardware assigned to specific individuals.

- Enforce the concept that the laptop is not for personal data.

- Copy-protect the content.

- Consider more radical measures such as self-wiping drives that only retain data for a few days.

- Get e-mail off the laptop and onto other portable devices such as BlackBerry units.

- Consider a traveling laptop pool: machines checked out for a specific period of time to specific individuals. This can alert the company to exposures much faster than waiting for an embarrassed VP to "fess up" that he lost the box in a casino.

  • Physically destroy hard drives, pen drives and other portable memory when they are at their end of life.

  • Educate people about the value of data. No one would leave a bag of money openly visible in an unlocked car.

A wise person once said, "Even paranoids have enemies." I think remembering that is the key to securing your valuable data and protecting it from the bad guys.

Be a little paranoid.



About Lou Washington

Birthplace: Columbia, Missouri

High School: Hickman (home of the mighty Kewpies!!) Other famous Hickman alumni include Sam Walton and Ken Lay.

Military: The US Navy

College: Graduated in 1975 from the University of Missouri (home of the mighty Tigers!!). Other famous Mizzou alumni include not only Walton and Lay but also Brad Pitt and Sheryl Crow.

Professional Life: I started my career in information management from the somewhat misunderstood field of Records Management. Following four years of working for the University of Missouri System's Office of Records Management, I joined Tab Products Co. in 1980. Shortly thereafter, I became interested in the software business, PCs and how those systems would shape the enterprise of the future. We were transferred to Tab's then corporate HQ in Palo Alto, CA. I was the first Product Manager for Tab's Tracker systems software products that utilized a PC-based bar-coding system to track the movements of everything from files to capital assets. I believe it was the earliest example of workflow automation available on the market. I was also peripherally involved in Tab's Laser Optics division, which brought to market one of the earliest business systems employing CD-ROM and WORM technology as an information storage media.

In 1990, I returned to Cincinnati and joined Cincom Systems where I began to learn about and work with mainframe-oriented products and systems. In those days, there was a real "split" between the mainframe forces and the desktop proponents. I always found this to be amusing since both had so many positive things to offer an enterprise. I could never understand why anyone would offer one at the exclusion of the other.

My present role at Cincom involves a number of things including product security, pricing, finance packaging and industry research.

My wife, Barbara, and I reside in Park Hills, KY. I am a member of Blessed Sacrament Church and I am active in a local car club, Cincinnati Cruisers. We are a group of PT Cruiser owners who enjoy tricking out our cruisers and driving around annoying people who have to drive boring cars. I am the Webmaster for the Cruisers and I invite everyone to visit www.cincyptcruisers.com and check out our awesome rides! Barbara and I both enjoy photography, travel and our two four-legged canine children, Chloe and Cookie.

Copyright Cincom Systems, Inc. All Rights Reserved
