They can't steal data that you don't have
Computerworld - Data theft has become big news in recent weeks. Between data lost or stolen from Bank of America, ChoicePoint and a unit of Reed Elsevier, the public (and more importantly, Congress) is up in arms about the protection of personal and financial data that can be the subject of massive identity thefts.
Data loss is, of course, nothing new. In our work, we are frequently called upon to investigate these incidents and to find out what happened and who was involved.
Any competent information security professional will tell you that there is no such thing as 100% incident prevention. Incidents happen and will continue to happen. But there are things an organization can do to mitigate the risks of certain types of incidents, as well as the damages if an incident should occur. Failure to examine and mitigate these risks will increasingly expose companies to bad publicity, increased regulation and perhaps costly litigation.
When you look at a lot of incidents, as we do, you can start to draw some conclusions that go beyond the specifics of a particular situation -- whether the loss involved theft of a backup tape or unauthorized intrusion into a system or whether the perpetrators had inside help in carrying out their plans.
We have observed that some of the sensitive data that gets stolen fits into one of several categories:
- Data that was never needed
- Data that was needed but should never have been stored
- Data that was originally needed but was kept far beyond its useful life
- Data that should never have been stored in an unencrypted form
When we point out these issues to the victims, it seems that they never thought about these problems. We want to take a few minutes to explore them with you.
Data that was never needed
When you look through the data that you record on customers, transactions, employees and processes, when is the last time you checked each and every data field to determine why you needed it?
If you collect information that you don't actually need, not only are you spending money needlessly, but you're also opening yourself up to the risk that the unneeded data might be stolen or misused. You should look for a specific reason for collecting everything you ask for. If you can't define a valid business need or some legal or regulatory requirement for the data, why are you collecting it?
Sometimes we're told that the current system mirrors an earlier system that collected the same information, and no one realized that some


- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Enabling Remote Employees with High Quality Video
- In this paper, we analyze the delivery of live and on-demand mobile video content. It focuses on specific ways in which organizations can...
- Traditional Backup is Dead - Are You Prepared?
- Conventional backup and recovery approaches are not robust enough to meet today's data and information management challenges, let alone those of tomorrow. A...
- Redefining Backup & Recovery: A call to CIOs
- Re-evaluate your data management strategy and embrace new ways to store, access and protect your data through virtualization and cloud computing - all...
- CIO Guide to Virtual Server Data Protection
- Server virtualization is changing the face of the modern data center. CIOs are looking for ways to virtualize more applications, faster across the...
- Gartner Newsletter: Traditional Backup
- It's no secret that today's unprecedented data growth, datacenter consolidation and server virtualization are wreaking havoc with conventional approaches to backup and recovery.... All Gov't Legislation/Regulation White Papers
- Redefine Expectations in the Data Center
- Need to do more with less? Watch this video to learn how HP ProLiant Gen8 servers can help your business deploy servers three...
- BMC Control-M - Single Point of Control Demo
- With BMC Control-M, you schedule and manage everything - down to the very last platform and application - from one simple interface. It's...
- Operational Analytics - Changing the Competitive Dynamics of the Business
- Date/Time: June 5, 2012, 11:00 a.m., EDT, 4:00 p.m. BST / 3:00 p.m. UTC
Please join us for this webcast, as Dr. Barry... - A Geek's Guide to Presenting to Business People
- Live Webcast: Wednesday, June 20th at 1:00 PM EDT
Join this live webinar with Paul Glen, author of Leading Geeks, to learn how to... - Today's NAS: A Solution Beyond Old Limits
- Date: Tuesday, July 17, 2012 2:00 PM EDT
Traditional NAS systems don't scale beyond fixed limits. Proliferation of NAS systems leads to management...
All Gov't Legislation/Regulation Webcasts