Massive data breach puts VA's IT policies under a microscope

Theft points to need for tight safeguards for data, IT execs say

Tim O'Pry, his wife and his son are all veterans, and they're among the 26.5 million vets whose personal data was stolen this month from the home of a U.S. Department of Veterans Affairs employee. What O'Pry has a hard time understanding as an IT professional is why the incident happened when technology and process controls are widely available to mitigate such risks.

"Why the hell was someone allowed to have all that data at home?" asked O'Pry, who is chief technology officer at The Henssler Financial Group in Kennesaw, Ga. "Surely, they must have had policies and procedures to prevent that. If they didn't, why not? And if they did, what sort of checks and balances did they have?"

O'Pry's sentiments were echoed by several other IT managers in the wake of the VA's disclosure last week that "electronic data" containing the unencrypted names, Social Security numbers and birth dates of all U.S. veterans discharged since 1975 was stolen during a burglary at the Maryland home of a data analyst who works for the agency.

VA officials said the analyst had legitimate access to the data at work but wasn't authorized to take it home. The agency didn't specify what kind of IT equipment was stolen, but the FBI and the VA inspector general's office jointly identified it as a laptop and an external hard drive.

The theft is one of the biggest data breaches reported thus far. But aside from its massive scope, the incident at the VA is no different from countless other compromises, and it points to a continuing failure by many organizations to implement well-understood controls on data transmission, access and storage, IT managers and security analysts said.

"What it comes down to is information life-cycle management," said Robert Garigue, chief security executive and vice president of information integrity at Bell Canada in Montreal. Far too often, companies focus solely on protecting their technology infrastructures, to the exclusion of ensuring that the information stored within them is safe from being illegally accessed or compromised, Garigue said.

The lack of attention paid to protecting data is especially dangerous because of the widely distributed nature of corporate information and the myriad ways in which it can be accessed, he added.

"I don't know if anybody can honestly say they have thought of every single way someone can pilfer data," O'Pry conceded. But it pays to put controls around some of the more obvious ones, he said.

One of the simplest steps is encrypting sensitive data on all removable and archival storage media to protect against compromises if devices are lost or stolen, said Eric Beasley, an IT security manager at a bank in the Midwest that he asked not be named.

The VA "should have made it so easy and inexpensive for employees to encrypt data on their PCs and have had such a high penalty for not doing it that everyone would have [complied]," said Alan Paller, director of research at the SANS Institute, an IT security research and training firm in Bethesda, Md.

O'Pry said that restricting the ability of end users to attach removable media, such as USB thumb drives, external hard disks, and DVD and CD burners, to their systems is another relatively straightforward way to lessen the risk of information leaks. "Every company faces removable media issues," he noted.

In addition to adopting such restrictions, Henssler Financial has installed network filters to ensure that sensitive information isnt leaking out in e-mail messages or chat sessions and other peer-to-peer applications, O'Pry said.

The financial services firm is also using a database auditing tool from Acton, Mass.-based Lumigent Inc. to monitor database activity and alert administrators to suspicious activity such as someone trying to download unusually large amounts of data.

Locking down a network against external attacks alone does little to protect enterprise data against accidental and malicious compromises from insiders, said Lloyd Hession, chief information security officer at New York-based BT Radianz, which provides telecommunications services to the financial industry.

In environments where end users can get access to huge databases containing confidential information, there have to be many checks and balances in place, Hession said. Equally crucial is the need for security education and training, he added.

Lapses such as the one at the VA often happen because end users simply don't know how to handle sensitive information, according to Hession. "The No. 1 tool really is awareness," he said.

Download the 2018 Best Places to Work in IT special report
  
Shop Tech Products at Amazon