The proverbial act of placing all your eggs in one basket is finally rearing its ugly head within IT. We hear about a new security breach weekly – almost daily. The Privacy Rights Clearinghouse's A Chronology of Data Breaches is a great resource and reminder that bad things are happening to good people. It's one incident after another. Be it reported breaches or unreported database vulnerabilities uncovered during a security assessment, most businesses have a problem with information overload and it's creating unnecessary business risks.
Before a recent test drive at a car dealership, I was asked for my driver's license. Certainly a reasonable request, but the security spirit inside me had to ask what they do with the information after I leave. I found out they make a photocopy of the license but actually shred it after people leave the premises. Pretty responsible of them I thought. It doesn't mean an insider couldn't be skimming his own photocopies or that someone couldn't forensically retrieve the images off the copier's hard drive. I knew I had to snap back to reality. The practical businessman inside me figured that most people are decent, and odds are everything will turn out fine.
But what would the average business do when this same type of sensitive information is obtained electronically? Be it financial information gleaned during credit card applications, dates of birth used for marketing-related contests, or driver's license
numbers used for background checks – sensitive personal information is being taken in and stored in a database somewhere on the network. Sure sensitive information is needed in a lot of business scenarios, but I know it's not every time. It's especially not needed indefinitely, like what happens a lot of the time. Even if it's stored temporarily, there are backup tapes, virtual server images, and so on around the network that have potential for keeping this "temporary" sensitive information around indefinitely.
We have this mindset that information is gold and it must be captured and stored electronically. It's marketing at its finest. Get everything we can on everyone we come across. It may benefit the business some day after all, right? But at what cost?
Take a look at your organization's data retention process. Most businesses I see store everything indefinitely. It's easy and everybody's doing it. That still doesn't make it right. Just ask managers, IT staff, and lawyers working for organizations that have made it to the Privacy Rights Clearinghouse list due to a lost tape or hacked database server. Improvements can always be made and things can undoubtedly be handled differently.
Using simple risk analysis, it's obvious the more sensitive information a business captures and the longer it holds onto it, the greater the risk. It's time for most business managers to step back and look at the bigger picture. Does the business really need to capture the information it's capturing? Perhaps a more pointed question is: does the business need to keep that information forever?
Look at your business requirements and processes to see if they can be adjusted so sensitive information is avoided altogether or at least kept for a shorter and more definitive period of time. Try to get the right people involved and working together to find solutions to this growing problem. It'll reduce business risks, minimize database bloat and may even give your servers that extra little oomph you've been looking for.
ABOUT THE AUTHOR
Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He also created the Security On Wheels audiobook series. Kevin can be reached at kbeaver ~at~ principlelogic.com.