They can't steal data that you don't have

By Alan Brill and Jason Paroff, Kroll Ontrack

April 6, 2005 12:00 PM ET

Recommended

(4)

Digg

Twitter

Share/Email

Computerworld - Data theft has become big news in recent weeks. Between data lost or stolen from Bank of America, ChoicePoint and a unit of Reed Elsevier, the public (and more importantly, Congress) is up in arms about the protection of personal and financial data that can be the subject of massive identity thefts.
Data loss is, of course, nothing new. In our work, we are frequently called upon to investigate these incidents and to find out what happened and who was involved.
Any competent information security professional will tell you that there is no such thing as 100% incident prevention. Incidents happen and will continue to happen. But there are things an organization can do to mitigate the risks of certain types of incidents, as well as the damages if an incident should occur. Failure to examine and mitigate these risks will increasingly expose companies to bad publicity, increased regulation and perhaps costly litigation.
When you look at a lot of incidents, as we do, you can start to draw some conclusions that go beyond the specifics of a particular situation -- whether the loss involved theft of a backup tape or unauthorized intrusion into a system or whether the perpetrators had inside help in carrying out their plans.
We have observed that some of the sensitive data that gets stolen fits into one of several categories:

Data that was never needed

Data that was needed but should never have been stored

Data that was originally needed but was kept far beyond its useful life

Data that should never have been stored in an unencrypted form

When we point out these issues to the victims, it seems that they never thought about these problems. We want to take a few minutes to explore them with you.
Data that was never needed
When you look through the data that you record on customers, transactions, employees and processes, when is the last time you checked each and every data field to determine why you needed it?
If you collect information that you don't actually need, not only are you spending money needlessly, but you're also opening yourself up to the risk that the unneeded data might be stolen or misused. You should look for a specific reason for collecting everything you ask for. If you can't define a valid business need or some legal or regulatory requirement for the data, why are you collecting it?
Sometimes we're told that the current system mirrors an earlier system that collected the same information, and no one realized that some

Recommend Digg Twitter ShareThis

Email Print Send Feedback Reprints

Jump to comments

Security

Additional Resources

Xerox

Win a color printer!

By using solid ink technology only from Xerox, you could save up to 65% by printing color for the cost of black and white. Enter for a chance to WIN a PhaserTM 8860 network color printer!

Microsoft

Upgrade to Internet Explorer 8 today.

Save time and mitigate security risk. Deploy it now.

Sybase

NEXT-GENERATION MOBILITY PLATFORMS

In this white paper, IDC analyzes the role of next-generation mobile enterprise platforms as organizations seek a more strategic deployment of mobile solutions.

Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.

White Papers & Webcasts

Informatica 9 Launch: Transform your Business. Transform your world.

LIVE Nov 10, 2009 12:00 PM ET

Architecting Business Intelligence Applications for Change: The Open Solution

LIVE Nov 12, 2009 02:00 PM ET

Connecting to the Cloud with F5 and VMware VMotion
F5 and VMware partner to enable live application and storage migrations between datacenters and clouds, over short or long distances.

Data Protection is not an insurance policy -you cannot buy-back lost data
Find out why you need to maintain access to critical information to run your business and remain competitive.

SiliconFS - The BlueArc Filesystem
Learn the power of the BlueArc family of products to enterprise storage management features, providing real value for its customers.

Strategic ECM Webinar
Learn what new strategic business benefits can be realized through ECM!

Enabling Enterprise Class Features for the Mid-Range
Learn how BlueArc's new storage platform, BlueArc Mercury™, scales in fixed increments that make it easy to install and deploy, scales up to...

Rethinking Business Continuity and High Availability in Storage - HP and Forrester Pre-Recorded Webcast
Download it.

Tabor Research: NFS Evolution Changes the Landscape of HPC Data Management
A hybrid file system combining the benefits of standard NFS and the performance and scale of parallel file systems.

5 Architecture Issues that Impact BES performance
Register to attend this LIVE Webinar to learn 5 Architecture Issues that Impact BES performance!

Intelligent Tiered Storage: BlueArc's Implementation
This ESG White Paper discusses the importance of tiered storage, examines BlueArc's approach to intelligent tiering, and shows how it creates operational value...

Four Principles for Reducing Storage TCO
View cost reduction strategies in this video! Provided by Hitachi Data Systems.

All White Papers | All Webcasts