They can't steal data that you don't have

By Alan Brill and Jason Paroff, Kroll Ontrack

April 6, 2005 12:00 PM ET

Recommended

(4)

Digg

Twitter

Share/Email

Computerworld - Data theft has become big news in recent weeks. Between data lost or stolen from Bank of America, ChoicePoint and a unit of Reed Elsevier, the public (and more importantly, Congress) is up in arms about the protection of personal and financial data that can be the subject of massive identity thefts.
Data loss is, of course, nothing new. In our work, we are frequently called upon to investigate these incidents and to find out what happened and who was involved.
Any competent information security professional will tell you that there is no such thing as 100% incident prevention. Incidents happen and will continue to happen. But there are things an organization can do to mitigate the risks of certain types of incidents, as well as the damages if an incident should occur. Failure to examine and mitigate these risks will increasingly expose companies to bad publicity, increased regulation and perhaps costly litigation.
When you look at a lot of incidents, as we do, you can start to draw some conclusions that go beyond the specifics of a particular situation -- whether the loss involved theft of a backup tape or unauthorized intrusion into a system or whether the perpetrators had inside help in carrying out their plans.
We have observed that some of the sensitive data that gets stolen fits into one of several categories:

Data that was never needed

Data that was needed but should never have been stored

Data that was originally needed but was kept far beyond its useful life

Data that should never have been stored in an unencrypted form

When we point out these issues to the victims, it seems that they never thought about these problems. We want to take a few minutes to explore them with you.
Data that was never needed
When you look through the data that you record on customers, transactions, employees and processes, when is the last time you checked each and every data field to determine why you needed it?
If you collect information that you don't actually need, not only are you spending money needlessly, but you're also opening yourself up to the risk that the unneeded data might be stolen or misused. You should look for a specific reason for collecting everything you ask for. If you can't define a valid business need or some legal or regulatory requirement for the data, why are you collecting it?
Sometimes we're told that the current system mirrors an earlier system that collected the same information, and no one realized that some

Recommend Digg Twitter ShareThis

Email Print Send Feedback Reprints

Jump to comments

Security

Additional Resources

WHITE PAPER

Do You Know the 7 Steps to Successful Data Migration?

Approximately 60 percent of data migration projects overrun time or budget, while some fail completely. Download this white paper, "Enhancing Your Chance for Successful Data Migration," to learn the critical steps you need to take to execute a data migration project with minimum cost and risk to your business.

WHITE PAPER

Total Cost of Ownership of Server Computing Vs. PCs

Read the Gartner research note to learn why the TCO of a server-based computing deployment used to deliver all applications to users is around 50% lower than that of an unmanaged desktop deployment.

WHITE PAPER

IDC White Paper: Linux in a Global Recession

Economic downturns have a tendency to accelerate emerging technologies, boost the adoption of effective solutions, and punish solutions that are not cost competitive or that are out of synch with industry trends. This IDC White Paper presents the results of an IDC survey of 330 companies in Western Europe, Asia/Pacific and the Americas that measures the receptiveness to Linux and takes into consideration changing views driven by the disruptive economic environment that businesses face today.