(re) blog: dialogue with Redemtech

Everything from off-network security and reliable data destruction to privacy compliance and audit trail, offering insights and best practices to stand firm in a tidal wave of security threats.

Bullets flew in all directions. Thieves with rubber faces scattered and screamed. There was a symphony of breaking glass and maniacal laughter. And something sticky adhered to the bottom of my shoe. “Isn’t this great?” someone behind me murmured as I dislodged an old Milk Dud from my Puma. Spoken like a true modern-day moviegoer, I thought.

Hypothetically, let's say a financial services company suspects it has lost a couple of unencrypted computers, or more specifically, its auditors think they have. Under the law, they have an obligation to report such a loss.  When they check with their IT asset disposition vendor, none are missing, but two serial numbers don't match. Is it a privacy breach or just bad accounting?

In the IT industry, we tend to get so wrapped up in high-tech, high-concept notions about data and network security. We go through periods of rapture about the latest software fixes that are guaranteed to finally lock down our networks and prevent incursions from malicious intruders.

Last summer, Redemtech commissioned a study with the Ponemon Institute to explore the root causes behind data breaches that are providing so many companies with so much bad press. We initially suspected that the trouble begins when assets are disconnected from the network to move or retire equipment. The study was conducted with 735 security professionals from mid-size to large organizations, in both government and the private sector.

It didn’t receive a lot of play in the global news media, but some new research conducted by the University of Glamorgan in the UK, Longwood University in the U.S. and Edith Cowan University in Australia, found that hard drives sold on online auctions often contain significant traces of personal information.

Friends of mine lost nearly half of everything they own when their home was inundated by flood waters in the widespread Midwest deluge this summer. As they struggled to rescue what they could in the fast-rising waters, they left their computer behind. They had a surprise when they tried to salvage the PC, which had been submerged for days. They were able to retrieve presumably lost data from the hard drive.

Consumer confidence should be an increasing concern for businesses that are keepers of precious personal information. Information such as Social Security numbers, addresses, driver’s license numbers, or even credit card spending habits can give criminals the information they need to kill your credit score.

My level of disgust for the U.S. Department of Defense is at a new high. Being in the data security business where “DoD compliant” is good currency, I recoil at the mention of the DoD standard for anything. One thing I know - their standards are low. 

My company, Ponemon Institute, has been researching the issue of data breaches: the cost, the business impact, organizations’ response and what seem to be the most prevalent causes. Our latest research project was conducted to find out about loss or theft of data when off-network electronic devices are the target.

It’s easy to steal data—just walk away with it. Despite billions spent on IT security, the Ponemon Institute’s National Survey on the Insecurity of Off-Network Security has found that many corporations are failing to address the root cause of more than half of all data breaches: the loss or theft of data-bearing assets. The good news is that remediation of off-network security gaps, though not easy, can be straightforward.

DATELINE: Dallas Atoll, Aug. 21, 2027 – Security analysts today reported yet another case of stolen data from the identity chips implanted in more than 10 million U.S. citizens. Instead of the more common drive-by mega-hacking that has become common in larger U.S. cities such as New Surfside City, Nev. and the nation’s capital, Indianapolis Island, today’s theft occurred when an employee of MicroGooglezon inadvertently left his nanorobotic armtop computer behind at a McStarDonbuck’s restaurant.

Surfing the cable channels late one evening when I was unable to sleep, I came across an old movie I used to appreciate. War Games is a terribly technologically outdated film about a teenage computer whiz who mistakenly hacks into a military computer charged with monitoring the global nuclear landscape. Watching the movie 24 years after it was made, I was amused by a pre-Producers Matthew Broderick literally spending days trying to figure out a password to gain entry to what he thought was a computer game company.

While I routinely track and report offline data thefts and other security breaches as part of my job (see news bureau), I have to admit that the recent disappearance of a backup computer storage device with the names of more than 64,000 Ohio state employees, as well as names and Social Security numbers of about 75,500 dependents, caught me by surprise.

It’s good news that concern for data privacy has become a public priority for so many companies. Trouble is, if policy is crafted at the executive level and passed down to management for execution without a mandate for inspection and measurement of outcomes, a charade often results.