Data Loss Prevention - Essay Example

PROFESSIONAL ISSUES IN INFORMATION TECHNOLOGY DATA LOSS Introduction It seems to be very common nowadays that various companies, universities, and governmental organizations collect personal information, with or without the individual's consent, and leave it lying around for the wrong people to get their hands on. This information includes a person's name, address, telephone number, occupation, and may include valuable information like his credit card number, account number, and salary, which can prove to be extremely dangerous, if fallen into some wrong hands. This report investigates the causes of the growing number of incidents regarding personal data loss, demonstrates the heat of this problem through various examples, analyses the existing IT legislation and the need for improvement, and throws some light on the duties of the IT manager responsible for data control in different organizations. Research Case Studies Although the number of incidents regarding personal data loss would normally be expected to decrease due to the huge amounts of both financial and social losses incurred, it is still on the rise. According to Mary Monahan, a senior analyst at Javelin Strategy & Research, a Pleasanton research organization, 312 security breaches occurred in 2006 in the United States, giving away 20 million records, while in 2007, 446 security breaches occurred resulting in the exposure of 128 million records. Just last month, a laptop containing the personal information regarding the 51,000 present and former employees of Agilent Technologies of Santa Clara, was stolen from a car of Stock & Options Solutions of San Jose. The latter organization has since then raised its security level. (Javelin, 2008) Even though the number of security breaches grew by more than a hundred in the United States from 2006 to 2007, ironically, there was a slight decrease in the losses incurred due to these infiltrations. According to Mary Monahan, 8.4 million people suffered due to misuse of their personal information incurring losses totalling up to $51 million, while this figure fell to $45 million faced by 8.1 million people, in 2007. In order to avoid these frauds, various companies have adopted strict protective policies, and enhanced their security measures to a much higher level, but there are still a lot of organizations unconvinced of the significance of these security advancements. (Javelin, 2008) Not only the United States, but also the United Kingdom is facing similar problems. The huge blunder committed by the HM Revenue & Customs (HMRC) resulting in the loss of two discs containing personal details of 25 million people has been a hot topic for the last few months, as several experts are considering it as the biggest data loss in history. Reports say that the CDs contained personal information including the names, residencies, dates of birth, and bank details of more than 7 million families acquiring child benefits. It has been disclosed that on the 18th of October, two encrypted CDs containing the preceding information were couriered unregistered by a junior officer at HMRC, to the National Audit Office (NAO), where they never arrived and have not been traced since then. Although no evidence has been found indicating that the CDs have fallen into the wrong hands, banks are still told to monitor all transactions looking for any suspicious activity. (McCue, 2007) The governmental organizations had gone so easy on their security that this was the third major security breach within the last month. The previous ones include the theft of a laptop, containing information of bank customers, from the boot of an HMRC official; and the loss of two CDs during a courier hired by the HMRC, exposing the Identities of 15,000 Standard Life Insurance customers. (McCue, 2007) Cost of Security Breach In a survey of 9,000 people by the Ponemon Institute of United States, it was discovered that almost 12 percent of them had received warnings of data breach from at least one organization that they did business with. 20 percent of the clients affected by the security breach instantly ceased doing further business with the company, resulting in an average loss of about 2.5 percent of all customers. (Krebs, 2005) Another study showed that average cost facing a company due to a security breach is $14 million, which includes cost of investigations, legal defence fees, client notification costs, financial blow due to loss of customers, etc. If the affected organization does not notify its clients immediately and in an appropriate manner, it is four times more likely to lose its clients than otherwise. In addition, a company is three times more likely to lose its clients if it notifies them through a business letter or email instead of personally calling them or sending personalized letters. (Krebs, 2005) Looking at these facts and figures, it is high time that companies understand the significance of an updated security programme that prevents losses to both its financial state and reputation. Causes Computer viruses are considered to be the major cause of data loss, but studies show that human error is responsible for most of the incidents. A global survey carried out by American Business Research Corp. in September 1999 revealed that 88 percent of the NT system managers questioned blamed human error for the problem. It was only 3 percent of the managers that considered viruses to be more harmful. (Lahey, 2000) Accidental loss of data occurs when employees delete vital information without realizing that he is working on a network, where the data cannot be recycled. The analysis of the survey's results by Computer Associates (CA) proved that accidental erasure of data is 30 times more harmful relative to computer viruses, making them the major cause of data loss. (Lahey, 2000) Each year, organizations suffer losses in a total of half a billion U.S. dollars leaving accidental erasure to be responsible for the other $15 billion. Although companies have a reasonably budgeted anti-virus programme, many fail to understand the significance of accidental erasure, or even intentional deletion of sensitive corporate data, and therefore have no safety precautions regarding this kind of data loss. (Lahey, 2000) Along with the previous results, it was also discovered that 81 percent of the system managers questioned were basically in charge of security of the corporate data. Although light was shed on backup programmes, it was not universally considered to be the best solution as almost half of the candidates did not trust in backup's reliability. This uncovered that almost all the system managers had experienced backup failure one time or another. (Lahey, 2000) In the early 2007, the IT Compliance Group launched a research report, which gave a more recent insight into the data loss problem. The report stated that around 20 percent of the organizations in the United States experience 22 or more security breaches in a year. The key sources through which data is stolen, breached, or destructed are PCs, laptops and other mobile gadgets, email, instant messaging, applications, and databases. (CNET, 2007) Results of the research demonstrate that companies facing minimal problems regarding data losses practise consistent identification of user errors, policy violations, and online attacks, and regular checkups of the IT data control processes (CNET, 2007). Hence, it is quite clear that a company experiencing frequent incidents of data loss faces the primary problem of employee errors, whether the data lost is though computer or physical mishandling. Apart from the above-mentioned two main causes of data loss, several minor computer problems are also often responsible for security breaches. These include hardware or system malfunctions due to electricity failure, software corruption caused by repair tools, failed backups, or sophisticated configuration, and natural disasters like fires and floods. (Protect Data, 2004). Spontaneous data corruption is also often responsible for destruction of data or its total loss. It is usually caused by electricity problems, improper shutdowns due to loss of electricity or untrained employees, hardware problems like the presence of bad sectors in hard disks, dissembling of hardware devices like hard disks and USBs before turning off the power or disabling them through windows, and faulty programming. Any of the above-mentioned factors can lead to the corruption of a hard disk and thus eventually destruction or loss of sensitive data. (X Lab, 2008) Another universal problem that is indirectly responsible for the increasing incidence of data loss is the absence of an appropriate IT legislation. Without a proper set of rules and regulations regarding data storage, the data is saved and transferred haphazardly through the organization's computer network, resulting in its loss or destruction during the process. An organized storage of corporate data would significantly reduce the data loss occurring due to its misplacement. Although the technology to avoid data loss exists, the law to make it available has not yet passed. Prevention In order to avoid the consistent financial loss through data loss, measures must be taken to eliminate the roots of the problem, that is, causes that lead to security breach. The primary form of security that prevents loss of corporate data is, the employees who are handling it. Organizations should regularly introduce new and advanced policies regarding the handling, security, and retention of data, including accountability procedures in cases of data loss. Preventive steps such as the existence of built-in IT controls are also necessary in order for the companies to secure the data they acquire. This measure should be the first and foremost priority regarding network security, and so should be installed along with the hardware and software so that each and every piece of detail throughout the computer's lifespan. Organizations with a few incidents of data loss monitor their IT networks monthly, while companies with fewer security breaches practice weekly examinations. (CNET Networks, 2007) A few recommendations given by the IT compliance group in order to improve a company's data security level are given below: Identification of the company's most sensitive data in a timely fashion. Proper training of employees and application of updated technology to reduce human errors, policy violations, and online attacks. Regular monitoring of data control processes to ensure compliance. Increased regularity of Information Technology auditing, a procedure that refers to the acquirement and examination of details regarding a company's IT infrastructure, including information systems, practices and operations. The procedure determines whether the IT system of the firm is protecting assets, maintaining data integrity, running soundly in order to achieve the organization's aims. (CNET Networks, 2007) Software giants like Symantec and Software Engineering of America (SEA) are recently in play to reduce the data losses incurred by the various organizations. Symantec launched the DLP solutions while SEA launched the Cyber-crime Warning Alert Termination (CWAT). Both these softwares are designed to perform three basic tasks (Ansanelli, 2008) (SEA, n.d): In-depth data inspection. Automated security of sensitive data across the workstation, network, and storage systems. Incident response workflow to enable counteractive action with users. Prevention of the minor factors responsible for data loss is also vital for the smooth running of an organization. Following are some measures that aid in the prevention of data breach (Protect Data, 2004); (X Lab, 2008): Hardware and system malfunctions can be prevented by keeping computers in a dry place, and using Uninterrupted Power Supply (UPS) to counter power failures. Software corruption can be avoided by backing up data regularly and using repair tools with caution. Viruses can be avoided by using an effective anti-virus programme, and scan all incoming and outgoing data. Effects of natural disasters can be avoided by backing up data in an off-site place. Data corruption can be overcome by applying a reasonable Backup and Recovery solution, and using it regularly. Furthermore, Information Technology is a system that updates with the second. Hence, it is mandatory to regularly update a company's security level in order to avoid any6 incident of data loss. Although IT advances rapidly for both, the cyber-criminals and the victims, only the criminals are able to avail this technology as IT legislation restricts the victimized company to do so. Therefore, alteration in IT legislation is necessary so that organizations use their maximum potential to counter security breaches. Role of IT Manager This person is one of the most valuable employees of a company as he is responsible for the whole IT infrastructure of the firm. He needs to monitor all the running operations in a timely manner and analyse any form of suspicious activity. Nowadays, cyber-crime is the most common method to infiltrate into an organization's data storage; therefore the IT manager is held responsible for any mishap in IT networking. Not only on the outside, but also the internal operations run by the employees are under observation of the IT manager in order to trace any accidental or intentional deletions by the users, who are eventually held accountable. Conclusion After examining the previously mentioned case studies of security breach, and the major causes of the rapidly rising number of incidents of data loss, it is clearly mandatory for any firm, no matter how small-scale, to take safety precautions before any sensitive data is lost and the company is hit hard financially. It is high time that organizations all around the world realize the importance of corporate data protection and avoid bankruptcy! WORD COUNT: approx. 2,200. References 1. Ansanelli, Joseph. (24 March 2008). Data Loss Prevention: Where Do We Go From Here [Internet]. Available from: Help Net Security http://www.net-security.org/article.phpid=1123 [Accessed 24 April 2008] 2. CWAT. (n.d). Software Engineering of America. [Internet]. Available from: http://www.seasoft.com/insider-threat.asp [Accessed 24 April 2008] 3. Data Corruption & Loss: Causes & Avoidance. (2008). The X Lab. [Internet]. Available from: http://www.thexlab.com/faqs/datacorruption.html [Accessed 24 April 2008] 4. Krebs, Brian. (14 November 2005). Counting the Cost of Data Loss. [Internet]. Available from: The Washington Post http://blog.washingtonpost.com/securityfix/2005/11/counting_the_cost_of_data_loss.html [Accessed 24 April 2008] 5. Lahey, Liam. (14 January 2000). Human Error, the Leading Cause of Data Loss. ITWorld Canada. [Internet]. Available from: http://www.itworldcanada.com/a/ComputerWorld/fa23ee29-5f9a-43c4-b364-d5567a873f9b.html [Accessed 24 April 2008] 6. Loss of Personal Data on Rise. (25 March 2008). Javelin Strategy & Research. [Internet]. Available from: http://www.javelinstrategy.com/2008/03/25/loss-of-personal-data-on-rise/ [Accessed 23 April 2008] 7. McCue, Andy. (20 November 2007). Missing: 25 million Child Benefit Records. Digital Defences. [Internet]. Available from: CNET Networks http://www.silicon.com/research/specialreports/digitaldefences/0,3800014341,39169217,00.htmr=5 [Accessed 24 April 2008] 8. New Research Shows User Errors the Leading Cause of Data Loss. (March 2007). BNET Business Network. [Internet]. Available from: CNET Networks http://findarticles.com/p/articles/mi_pwwi/is_200703/ai_n18708262 [Accessed 24 April 2008] 9. Statistics about Leading Causes of Data Loss. (2004). Data Backup Services. [Internet]. Available from: Protect Data http://www.protect-data.com/information/statistics.html [Accessed 24 April 2008] Read More