Protect the information - from yourself and your collegues
Security Information Week 22, 2006
Introduction
In the beginning of May this year information about more than 26 million US veterans was stolen.
Take a moment to consider that number - 26 million - this is more than the entire population of Switzerland and the Netherlands combined, and almost 10% of the entire population in United States of America!
The theft is under investigation but some information is available:
- The data included names, birth dates, Social Security numbers (and also in some case’s spouse’s information, and some disability ratings).
- It is not believed that the crime was aimed at stealing these records in particular.
- The information was stolen from the home of a Department of Veterans Affairs employee.
- The person who had brought the information to his/her home was not authorized to do so.
From a specific case to generalization
What lessons - if any - can can be learnt from this incident?
Let us examine the four items mentioned above to see if we can make some generalizations which can be useful in other circumstances as well.
1. Systematized personal information
Computers and storing data electronically have made it possible to be able to store, systematize and analyze huge amounts of data in a minimum of physical storage space and a minimum of time, compared to what was the issue just a few decades ago.
This has obvious advantages, that we all benefit from each and every day.
However, there are also dangers involved. Just to mention a few of those:
- Huge amounts of data stored on a tiny device is easier to move (to use a generic word) than a room or a building full of papers.
- Combining and analyzing data from different sources may reveal a lot of information about an individual. Such information may be used in identity theft.
- Most people feel that they have a need and a right to have some private life. The potential and practice to collect our electronic footprints are restricting this privacy.
2. Finding a treasure by "accident"
Computers in general and portable computers in particular are "popular" objects for a burglar.
Even thought the thief's intent was to steal the computer itself, it may turn out that information stored on the computer is immensely more valuable than the comptuter itself.
3. The danger of remote working
Remote working is getting more and more popular. However, it is a sad fact that the random employee's home is normally much less secure than the corporatation. This applies to physical security as well as to securtiy related to computing (less tight firewalls, computers not following the same patching schemes, outdated antivirus software etc.).
A corporation should take facts like this into consideration when introducing remote computing, and set up systems to enforce the risk acceptable for the corporation.
4. Policy infringements
As the particular case that was this Security Information's trigger shows: an organization's policy itself may not be sufficient protection of your valuable information. Employees do not always comply with the policy for several reasons (work has to be taken home in order to be able to meet the time limits set, the policy makes the working procedures too cumbersome, one forgets what the policy says, etc.).
In some cases it may be necessary to enforce the policy by physical or logical devices in addition to the policy itself.
Summing up
The case where information about milllions of US veterans has fallen in the wrong hands, may be an extreme incident regarding numbers. However, as a principle it is not unique, and it emphasizes the need for protection of information, not the least from your own personnel.
More information
More information about the theft of the Veteran affairs data is available from various news sources on the Internet and from The U.S. Government's Official Web Portal here (opens in separate browser window).
