Wednesday, September 3, 2008

ID Fraud: Managing the Insider Threat

Historically, companies found it relatively easy to protect data stored as hard copy. Then along came computers and the advantage shifted to the adversary. But the range of adversaries was relatively confined, since there had to be a clear objective in targeting corporate sensitive information – it had no value to the average criminal.

Now the landscape has changed dramatically with the computerisation of personal private (employee and customer) data, and the concerted efforts by organised criminal gangs to get their hands on it. Credit card details, home addresses, national insurance numbers are all being targeted.

Sold on, such data can cause huge damage to individual victims. At the “basic” end of the scale, credit card details can be sold on to fraudsters. At the more sophisticated end of the scale, entire identities can be cloned for the purpose of gaining credit with banks, or financing activities such as gambling. Recently, a victim lost both his family and his job after his identity was cloned fraudulently from an on-line shop and used to access child pornography websites. It was months before the police cleared him. And there are estimated to be thousands of innocent victims in the UK not aware that they have an illegal "twin"!

Wall Street Technology online magazine has recently published five basic steps that companies should take in order to manage this risk. In brief they are:

1. Establish policies. Companies must put in place policies that define authorized and unauthorized access to sensitive data.
2. Provide training. "You have to train employees as to what's acceptable and unacceptable, and what kinds of things are just considered bad practice, such as leaving spreadsheets on an unattended file server."
3. Enforce policies with technology. Many companies have policies but they don't have a way to enforce them.
4. Institute oversight processes. You have to make sure that, if you're creating audit reports and generating real-time alerts, there's an established process to review these exceptions and address them.
5. There must be high-level support for data security to be effective.

Data security is covered in detail during Security Management Stage 1, 17-28 November. Full details of this course, which has been attended by hundreds of security managers from almost as many countries, can be found at http://www.arc-tc.com/pages/university_acredited_sm.asp#sm1.