There are two basic ways that data breaches occur: deliberately (where someone, within or outside an organization, intentionally and maliciously accesses the organization’s sensitive data), or accidentally. Within the “accidental” category, data breaches occur either because procedures are not followed or because technical safeguards are not implemented and used. An effective data security plan incorporates both procedural and technical elements to prevent accidental data breaches.
A recent report by California revealed that accidental data breaches account for 47% of all data breaches reported to the state government. Although the accidental breaches accounted for only 7% of the compromised records, it’s still a significant number. It’s safe to assume that most or all could have been prevented by having comprehensive data security procedures in place and followed, and by implementing technical safeguards, such as encryption.
Often, sensitive data is released because employees fail to recognize that the information is sensitive and needs to be protected. Paper documents with Social Security numbers or credit card data are put in the trash or recycling bin instead of being shredded, or healthcare records are “temporarily” placed on USB flash drives or laptops then misplaced. Everyone in the organization must be able to identify sensitive data, and the criteria for classifying data must be spelled out. A simple rule to follow is that all data should be sensitive until proven otherwise.
In other cases, policies regarding how to protect sensitive data are nonexistent, poorly understood or poorly enforced. Procedures that don’t exist, are excessively complicated or haphazardly enforced will not be followed. These policies should be clear and easy to follow, and everyone should be trained on them—not just once, but on an ongoing basis.
Humans forget; they take shortcuts and they lose things. Technical safeguards can help where humans fail. Most computer operating systems can be configured not only to require user account passwords, but also to require that those passwords meet certain complexity criteria and that users change them periodically. Similarly, computers can automatically lock themselves when unattended.
Going further, many devices, such as laptops, tablets, smartphones, and flash memory, can be configured so that data files are encrypted. The California report found that 26% of data breaches were due to lost or stolen physical devices, yet the data could not have been accessed had passwords been required.
Even more sophisticated (and expensive) technical solutions are available, such as monitoring software that automatically identifies sensitive files and prevents them from being copied onto flash drives, emails or web pages.
No data security plan should rely solely on policies and procedures or on technical solutions. The best plans incorporate both.
Written by Dean Van Dyke, Vice President, Business Process Optimization
Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, Lean Six Sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was formerly head of Microsoft’s corporate records and information management team, and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.