No business should operate today without a solid plan for the security of data on mobile devices, networks and applications. Case in point:
- Back in 2000, the CEO of Qualcomm, Irwin Jacobs, had his laptop computer stolen right off the podium where he had just finished speaking. Jacobs later admitted that the computer contained sensitive information that could be of great value to "foreign governments." Given the venue, it's pretty clear this particular laptop was targeted by professionals and stolen for what it contained, not just as a commodity to be fenced by common thieves.
- The Veterans Administration announced in 2006 that an employee of Unisys lost a computer that contained insurance claim data, including social security numbers, for approximately 16,000 individuals. Presumably, this computer was stolen for quick resale and the data on it was not the target of the theft – but no one can be sure that the data was not misappropriated.
- The hackers who stole the personal information of more than 45 million credit and debit card users from TJX Corporation in 2005 and 2006 used weak Wi-Fi security as their way in. This breach, which could easily have been prevented, cost TJX hundreds of millions of dollars and an untold loss of confidence from investors, regulators, suppliers and customers.
Sad events such as these are all too common. This might sound a little extreme, but I personally find it positively criminal that such fundamental security failures arise when relatively simple and very effective countermeasures exist today – and that senior managers haven't addressed these obvious risks not just to information security but to the business or enterprise (or even government) itself.
And IT security just isn't that hard. Technically speaking, the core of any good security solution includes the following:
- Strong authentication – Users need to authenticate with their devices, and devices need to be authorized individually for network and application access. I like strong, two-factor authentication – for example, using fingerprint scanners built into mobile devices – but even a password or PIN code is a good start.
- Data encryption – Every security policy needs to specify that all sensitive data will be encrypted – both on mobile devices and on network servers – and available in the clear only to authorized users. No exceptions!
- Virtual private networks (VPNs) – Sensitive data must never appear in the clear while being transmitted across any network, whether wired or wireless. VPN technology to meet this requirement is cheap, readily available, and working in countless venues today.
So, since it's so easy to build effective, usable security solutions, how come we still have problems like those noted above? Part of the answer here is a lack of education. IT, by its very nature, can be complex; and, especially with respect to security, one can never declare that a given solution is "done." Effective security requires a commitment to staying up-to-date on both the constantly evolving threats and new solutions to them.
But a bigger problem is the lack of what I like to call a culture of security in most organizations. Culture, of course, is about the (sadly, usually unwritten) rules about how one relates to others within a society or organization – beliefs, customs and procedures. Good enterprise information and network security, however, requires written rules (a security policy at a minimum), education and training, and, again, a commitment to establishing and maintaining effective solutions. And this culture of security must start at the highest levels of the organization, from the CEO and board of directors on down. This is, I must report, the only way to build effective IT security into enterprise operations.
OK, that's the problem. Next time we'll look at the incentives and key operational elements available to senior management in the pursuit of effective IT security. And we'll close this series with a set of recommendations that aren't hard to follow and are designed to assure the folks at the top that IT security won't be constantly at the top of their to-do lists.