Simple Practices Help Prevent Expensive Data Loss

07.28.11 Ernest Hayden, Managing Principal, Verizon Business

In the April/May 2011 edition of Intelligent Utility Magazine, there was an interesting article about the Salt River Project electric utility and its focus on data loss prevention, otherwise called DLP. The key point raised by the article was that risk management is a necessary practice in order to protect data; the author also noted that "It takes constant vigilance", something I heartily agree with as a former Chief Information Security Officer.

But what does this really mean? Let's take a look at some financial data that should open your eyes.

Imagine I have a 128MB USB drive that is unencrypted and is a handy tool for me to move files between work and my personal home computer. And because I work in Human Resources I have access to many personnel files as part of my job. Today I have a special project that requires me to download the personnel information of 1,000 employees onto a spreadsheet that I save on my personal USB drive.

Cool, right? Well, not really.

As I ride light rail home I forget and leave my small tote bag on the train. Unfortunately I don't realize it until late Sunday afternoon. Is this a problem? Yes it is!

First of all, the USB drive is not encrypted, so the data can be read and copied very easily by whoever finds it. Secondly, the data on the USB drive includes personnel information: names, Social Security numbers, driver's license numbers, home addresses, emergency contact information, etc. Approximately 47 U.S. states have data breach laws that require notification of the affected individuals when unencrypted data is lost or stolen and it contains names combined with Social Security numbers, driver's license numbers or credit card numbers. The word "unencrypted" matters: most of those laws exempt data that was encrypted when it was lost, which is exactly why the encryption status of the drive is the first question to ask.

Houston, we have a problem.

How much can this mistake cost? The actual numbers vary based on how effectively the company responds to the data breach as well as how quickly the affected individuals sue the company for negligence. The Ponemon Institute, a data security think tank, annually calculates the estimated cost of a record's loss or theft. Most recently Ponemon put the average cost at $214 per record.

Therefore, using the Ponemon estimate, the data breach caused by the loss of one small USB drive would cost around $214,000 (1,000 records at $214 each).

That is substantial! This does not include the reputational loss to the company nor does it include the other costs associated with emergency response by the HR and Legal teams, police depositions, etc.

So, yes, you need to be more vigilant to prevent these types of events. Here are some key actions to consider in this case:

  1. Identify and categorize corporate data that must be protected at all times, e.g., personnel records, trade secrets, contracts that would benefit the competition if stolen, etc. You cannot block the export of data you have not first labeled as sensitive.

  2. Prevent and disallow unencrypted transport of key corporate data that needs to be protected. If you need to move sensitive data to another organization outside your enterprise, encrypt it before it leaves and keep a record of what was sent, to whom and when, so that a lost copy can be accounted for.

  3. Do not permit sensitive corporate data on personal computers or portable devices such as USB drives, CDs, diskettes, personal cell phones, etc. Think of the scenario that would occur if the person's own home computer was stolen -- what would the enterprise do about the loss of their data? Sue the employee? It could happen.

  4. Have a cyber incident response policy and practice it often. Ensure the team members know what to do and how to react. Be sure to include the usual players from information technology and information security but don't forget key managers in legal, human resources and public relations.

  5. Educate employees on these new requirements, and make sure they understand the impact of simple errors involving sensitive data: the consequences and the costs described above.
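Steps 1 and 2 are where a DLP control actually does work: before a file is allowed onto removable media or out of the enterprise, something has to inspect it and decide whether it holds the name-plus-identifier combinations that trigger the breach laws described above. The following is an added example written for this article, not code from Salt River Project, Verizon or the original author. It scans a small, constructed HR export (the column names and all values are invented) for Social Security numbers, driver's license numbers and payment card numbers, counts the records that would require notification under the name-plus-identifier rule, and applies the $214-per-record Ponemon figure the article quotes. The SSN and card patterns are generic; since driver's license formats vary by state, that column is recognized by its header rather than by a pattern, which is an assumption of this example.

```python
import csv
import io
import re

# Constructed sample HR export (not from the article). Column names and values are
# invented for this example; the rows stand in for the 1,000-employee spreadsheet.
SAMPLE_CSV = """employee_id,name,ssn,drivers_license,payment_card,home_address
1001,Ada Example,123-45-6789,,,12 Main St
1002,Ben Example,,WA-D1234567,,34 Oak Ave
1003,Cy Example,,,4111111111111111,56 Pine Rd
1004,Di Example,,,4111111111111112,78 Elm Ct
1005,Ed Example,,,,90 Birch Ln
"""

# SSN: area not 000/666/9xx, group not 00, serial not 0000 (SSA issuance rules).
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}$")
# Payment cards: 13 to 19 digits, then validated with the Luhn checksum.
CARD_RE = re.compile(r"^\d{13,19}$")
PONEMON_PER_RECORD = 214  # per-record cost figure quoted in the article


def looks_like_ssn(value: str) -> bool:
    return bool(SSN_RE.match(value.strip()))


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum; filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_card(value: str) -> bool:
    digits = re.sub(r"[ -]", "", value.strip())
    return bool(CARD_RE.match(digits)) and luhn_ok(digits)


def has_drivers_license(row: dict) -> bool:
    # Assumption: DL formats vary by state, so we trust the column label, not a pattern.
    return bool(row.get("drivers_license", "").strip())


def classify_export(csv_text: str) -> dict:
    """Classify a CSV export: which records are breach-notifiable and what they may cost.

    A record is notifiable when it carries a name together with at least one
    SSN, driver's license number or payment card number (the rule in the article).
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    total = 0
    notifiable = 0
    found = {"ssn": 0, "drivers_license": 0, "payment_card": 0}
    for row in reader:
        total += 1
        has_name = bool(row.get("name", "").strip())
        ids = set()
        if looks_like_ssn(row.get("ssn", "")):
            ids.add("ssn")
        if has_drivers_license(row):
            ids.add("drivers_license")
        if looks_like_card(row.get("payment_card", "")):
            ids.add("payment_card")
        for k in ids:
            found[k] += 1
        if has_name and ids:
            notifiable += 1
    return {
        "total_records": total,
        "notifiable_records": notifiable,
        "identifiers": found,
        "requires_notification": notifiable > 0,
        "estimated_cost_usd": notifiable * PONEMON_PER_RECORD,
    }


if __name__ == "__main__":
    result = classify_export(SAMPLE_CSV)
    verdict = "BLOCK plaintext export" if result["requires_notification"] else "allow"
    print(verdict, result)
```

In the sample, three of the five rows are notifiable: one by SSN, one by driver's license and one by a Luhn-valid card number; the row whose card number fails the checksum is ignored, and the row with only a name and address does not trigger the rule. A real DLP agent would run this kind of check at the point of copy (USB mount, e-mail attachment, upload) and refuse the plaintext copy, or force the encrypted path from step 2, when the verdict is to block.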

Protecting corporate data is not an easy task, and yes, it involves all employees, contractors and third-party vendors.
 
Copyright 2012 CyberTech, Inc.
