
But I didn't know…

Commonly used technology opens door for info leaks, identity theft

By John Chivvis


Would you choose a doctor if you knew that he had released more than 800 medical records—containing diagnoses, medical conditions, names, and birth dates—to the public? Well, in early September, a doctor did just that by losing a flash drive, and now the University of Rochester Medical Center (URMC) is dealing with a public relations nightmare.

Imagine a similar incident in your agency. Your customers and prospects not only expect you to protect them and their property, they also expect you to protect their personal information.

The problem is that many agency employees may be compromising agency data and may not even know it. It's not just about flash drives, but about being aware of technology and developing the appropriate practices to keep your clients' information safe and secure.

To help illustrate some of the factors that lead to lapses in information security practices, three common pieces of office technology—flash drives, office printer/copiers and wireless access points—offer good examples of "I didn't know."

Danger of convenience

Flash drives—also known as USB drives or thumb drives—illustrate the dangers of convenience. The advantages of using a flash drive are also its disadvantages from an information security standpoint. These drives are easy to use (Gartner estimated that more than 114 million would be sold in 2010), and they are relatively inexpensive (4GB drives run as low as $10 in office supply stores and sometimes are given away for free as incentives).

But the most obvious advantage is the convenience. According to Brad Ruben, president of California-based Archway Computer Consulting, "Before USB drives, you had to burn a CD or DVD which meant using bulky media that wasn't as portable and it took time to actually burn the disc.

"The drag-and-drop capability of flash drives and USB ports makes it so much easier to transport data," continues Ruben. "Producers can quickly download files with contact information and take it with them." For many employees, the use of flash drives has made it easier to telecommute from home or on the road.

So what's the problem? According to a survey conducted by flash-memory maker SanDisk, 77% of respondents use personal flash drives for work-related purposes. This "criss-cross into the personal space," as Ruben calls it, can leave sensitive information on personal drives. These drives end up in pockets, on key chains, in bags, or even are left in USB ports.

And, as the physician from URMC learned, these drives also can be lost.

However, there are security measures that can be taken to make the drives and the information on them more secure. These include:

Software protection. Many software applications (such as Word, Excel, Acrobat, etc.) offer password protection of documents. This is one step above no protection at all.

Software encryption. This is better than software protection and makes unauthorized access much harder.

Hardware encryption. If USB drive portability is paramount, then hardware-encrypted flash drives are a great investment.

There's also a fourth option that Ruben recommends, and that is to prohibit the use of flash drives at work. "Everything an employee needs should be accessible from the network," says Ruben. "USB drives should be for personal use only."

Omnipresent hard drives

With a USB drive, it's easy to see how information could fall into the wrong hands, but other risks aren't as easy to spot. The good, old, trusty office scanner is a great example.

These devices are important to daily office workflow because they are tied into every aspect of office work. They are used to make offices "paperless"—they image, they scan, they fax—and they are used by offices to make paper printouts and copies. For these network multi-purpose devices, no matter how they're used—fax, image, print or copy—the file ends up on the hard drive.

But, in a survey conducted by Sharp Imaging & Information Company, 60% of respondents said, "I didn't know" that copiers have an internal hard drive. In fact, for almost 10 years, almost all digital copiers—as most office copiers/network printers are—have come with hard drives.

Earlier this year, the U.S. Navy had to "recover" a number of printer/copiers when it realized that the devices had hard drives. On average, these drives held 6,000 pages of scanned information, which makes one wonder how much agency/customer information could be harvested in 6,000 pages.

As the Navy realized, the issue is what to do when these devices reach the end of their lease or life. If the drives aren't removed or wiped, it becomes a fairly easy task to remove the copier's hard drive, scan it and then print out what's on the hard drive—an identity theft treasure trove.

As part of a CBS News story that aired this past April, a number of used copiers were purchased for about $300 each. Each one that was purchased had sensitive materials on its hard drive. From one hard drive, CBS printed out more than 300 pages of individual medical records from a New York insurance company.

Ruben says that the way to solve this problem is by applying a simple mixture of workflow and end-of-life/lease procedures. Most new multi-function devices, printers and copiers now offer security options and on-device preferences that can be configured to let the agency decide how long data stays on the hard drive, what documents get encrypted, and who has what level of access.

"It's also important to make sure that the devices and the hard drives are properly disposed of," adds Ruben. "When you get rid of a printer, you want to get it into the contract that the hard drive needs to be either removed, wiped or destroyed."

Free can be costly

When asked about wireless networks, Ruben says that most businesses and home users understand how to set up and secure their network. "These days it's a pretty easy process to set up an SSID [wireless network name] and password to secure a wireless network," says Ruben. "It's not as much of a deal any more."

However, this gives rise to another factor for information security failure—making assumptions. The issue is that most people assume that other wireless access is as secure as theirs. Unfortunately, most public locations are not, and most people don't think twice about using public "wi-fi"—especially when it's free.

So at the airport or coffee shop, an identity thief can connect and log all of the traffic, keystrokes and interaction that goes through the wi-fi connection. Since everyone shares the same connection, it makes it easy to glean personally identifiable information. In other cases—especially where there is not free access—these thieves will set up a second "free" access point with a similar name for the express purpose of "sniffing" data.

The solution? Don't assume anything. From a wireless standpoint, following the international Wi-Fi Alliance's basic security practices for public wireless hotspots is a good start:

• Connect to a legitimate hotspot. Password-protected access points are better protected.

• Use a virtual private network (VPN) connection. This gives you a private connection across the open network.

• Be careful. Checking e-mail, sports scores or news is fine, but don't use an open network to pay bills or check a credit card balance.

Enforcement

While following these best practices is important, Ruben says that good information security starts with agencies developing an information security policy. "It's important to have a policy in place that is clear, and enforced," he says.

Policies and procedures should be developed specifically for the needs of each individual agency. Ruben says that basics like password strength and life-cycle need to be included, in addition to how technology is to be used in the agency. Will USB drives and CD burners be allowed? What is the policy for connecting wirelessly? These policies—when enforced—mean better operating practices and stronger information security.

In an industry that places such importance on a customer feeling secure and safe, how much can information security impact an agency? Ruben cautions, "I've seen agencies go out of business, not because someone stole their information, but because they lost it."

The author

John Chivvis is a Texas-based writer who specializes in topics of technology implementation. His work has appeared in a number of national and regional publications.

 
 