Why Your Business Requires Security

State and federal identity theft and privacy protection laws now require businesses, agencies and organizations of all sizes to protect all personal information they store, and to notify all their customers whenever a breach occurs. The financial ramifications of a data breach can be very substantial to both present and future business. In many cases a company never recovers from a breach and is forced to close down. Currently, the average cost to a company is $3.7M per incident.
May 03

Are You Protecting Your Data With a Screen Door?

Well, you probably heard about the Educational Credit Management Corp (ECMC) data theft on March 21st: a media device was stolen that stored the student loan information of 3.3 million individuals. While this theft could be devastating to the individuals – depending on who stole the information and what they do with it – it is already a major expense for ECMC. Here are just a few of the costs they can expect:

• Bad press
• Government investigations and fines
• Credit monitoring services to the victims
• Law suits and legal services
• New security technologies and policies to implement
• And then, how productive will employees be while all these changes are being implemented?

It is ironic that this theft is going to cost ECMC millions of dollars in direct and indirect costs when there are solutions available for under $100 per user. My intent is not to add more blame onto ECMC, but rather to give a wake-up call to other companies about data theft so they can learn from this incident. With the average cost of a data breach now reported at $6.7 million per incident, your company can’t afford to sit back and think “this will never happen to me.”

First, all data needs to be encrypted. There are programs like SafeHouse that are inexpensive and can encrypt data stored on hard drives, memory sticks, CD-ROMs, etc. If it can store data, it can be encrypted. But encryption is only one part, since many of these programs require a password to decrypt the data. Most people – left to assign a password – will use something easy, reuse something used elsewhere, or write the password down on a sticky note next to their computer. Any one of these acts defeats the security of the encryption.

Second, by adding a smartcard-based password manager, the data safeguards are elevated exponentially. Because the smartcard can store a complex, 20-character password that no one has to remember or type, key loggers can’t capture the password and a brute-force attack would take too long to be viable. With the smartcard protected by a limited number of acceptable false PIN entries, and with the card data encrypted, a lost or stolen smartcard is useless unless someone knows the PIN. Finally, the combination of data encryption plus smartcard implements what I call the “Seven Levels of Assurance”:

• Something you have – The card
• Something you know – The PIN to the card
• Something you are – Fingerprint, iris, biometric
• Something the card has – Account URLs, passwords, user names, etc.
• Something the card knows – The card’s decryption keys
• Something the card is – Chip Specific Serial Number (CHUID)
• Something the card knows about you – User’s Classification Code
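
As an added illustration (not code from the original post or from any vendor's product), here is a stdlib-only Python model of the two safeguards described above: a random 20-character password that the card holds so nobody ever types it, and a PIN retry limit that erases the card's credentials after repeated wrong entries. The 3-try limit, the 94-symbol alphabet and the assumed guess rate of 10^12 per second are assumptions chosen for the model, not figures from the post.

```python
import secrets
import string

# Printable ASCII without space: 94 symbols. A card-generated password can draw
# from the whole set because no human has to remember or type it.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_card_password(length=20):
    """Random password of the given length, stored on the card and never typed."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def brute_force_years(length, alphabet_size=len(ALPHABET), guesses_per_second=1e12):
    """Worst-case years to enumerate every password at an assumed guess rate."""
    combinations = alphabet_size ** length
    return combinations / guesses_per_second / (365 * 24 * 3600)


class SmartcardVault:
    """Software stand-in for the card: credentials are released only with the
    correct PIN, and too many wrong PINs erase them permanently."""

    MAX_FAILED_PINS = 3  # assumed retry limit; real cards set their own

    def __init__(self, pin, credentials):
        self._pin = pin
        self._credentials = dict(credentials)
        self._failed = 0
        self.locked = False

    def unlock(self, pin_attempt):
        """Return a copy of the credentials on a correct PIN, None on a wrong one."""
        if self.locked:
            raise PermissionError("card locked: credentials erased")
        if not secrets.compare_digest(pin_attempt, self._pin):
            self._failed += 1
            if self._failed >= self.MAX_FAILED_PINS:
                self.locked = True
                self._credentials.clear()  # a lost or stolen card is now useless
            return None
        self._failed = 0  # a correct PIN resets the failure counter
        return dict(self._credentials)
```

With these assumptions, an 8-character password from the same alphabet falls in well under a year while the 20-character one takes on the order of 10^19 years, which is why the retry-limited PIN, not the password, becomes the part worth protecting.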

No single technology or solution will protect any company 100% from a potential data theft. The goal of any security officer is to put in enough barriers to drive would-be attackers to find easier prey, while at the same time maintaining user convenience so that users don’t circumvent security with bad practices. Firewalls, anti-virus software and secure logon policies are necessary, but these alone are no longer sufficient to comply with the many new privacy protection laws. As businesses add high-tech safes to safeguard their data warehouses, the strength of the lock is frequently overlooked. Don’t install a screen door to protect your data vault.
