23 Aug 2005

threats and workarounds
In recent posts we have highlighted questions about corporate
responsibility for large-scale data
loss, such as failing to encrypt computer tapes with customer
records or personnel files ... and then losing the tapes while
shipping them to an agent or a repository. Recurrent misadventures
and responses by US data custodians that appear indifferent
to consumer concerns are resulting in calls for stronger legislation
and - perhaps more effectively - talk about class action.
It is important to treat information security on a holistic,
whole-of-lifecycle basis: it is not the sole responsibility
of an IT or corporate compliance unit, and an effective regime
involves many players. The latest
Insider Threat Index (PDF)
from US security specialist Reconnex offers a view of data
handling by US corporates.
That report indicates that 91% of companies - alas unidentified,
so we cannot tell whether their practice is average or appalling
- completing a Reconnex 48-Hour e-Risk Assessment in July
had credit card numbers entering or leaving their network.
82% exposed social security numbers; many featured unencrypted
personal data such as an individual's name and social security
number in the subject line of email.
Most disclosures were by human resource units that "often
accidentally exposed employees’ personal information" in communicating
with health insurance, payroll, workers compensation and other
third-party processors. That data "often included" employee
names, birth dates, social security numbers and "even sometimes
bank routing information". According to Reconnex it was usually
sent via Excel spreadsheets (covering up to several thousand
individuals) and in clear text. The report unfortunately does
not offer detailed figures - we would have liked more information
on 'many', 'most', 'often' and 'sometimes' - or discussion
of where things have gone wrong. It also does not discuss
instances where data hitched a ride out of a secure network
in an employee's pocket or handbag rather than being emailed
through the corporate firewall.
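The kind of egress check that produces findings like those above (a social security number in an email subject line, a card number in clear text on its way to a third-party processor) can be illustrated with a small scanner. The following is an added example, written for this post and not code from Reconnex or the original author; the messages, the hypothetical internal domain corp.example and the external recipient domains are all constructed for the illustration. It pairs a pattern match with a Luhn check so that a ticket reference that merely looks like a card number is not reported, and it grades a hit by whether the recipient is outside the organisation.

```python
import re

# Constructed sample messages standing in for email leaving a corporate
# network. None of these come from the Reconnex report; the domains and
# numbers are invented for the example (4111 1111 1111 1111 is a widely
# used test card number).
SAMPLE_MESSAGES = [
    {"from": "hr@corp.example", "to": "claims@insurer.example",
     "subject": "Jane Doe 123-45-6789 workers comp claim",
     "body": "Claim form attached."},
    {"from": "payroll@corp.example", "to": "billing@vendor.example",
     "subject": "Card reconciliation",
     "body": "Corporate card 4111 1111 1111 1111 was charged twice."},
    {"from": "it@corp.example", "to": "ops@corp.example",
     "subject": "Ticket 1234-5678-9012-3456 closed",
     "body": "Reference number only."},
    {"from": "sales@corp.example", "to": "partner@partner.example",
     "subject": "Meeting Thursday",
     "body": "Agenda attached."},
]

# US SSN in dashed form: area not 000, 666 or 9xx; group not 00; serial not 0000.
SSN_RE = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)"
)
# Candidate card number: a run of 13 to 19 digits, optionally separated by
# single spaces or dashes, not embedded in a longer digit run.
CARD_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_identifiers(text: str) -> dict:
    """Return {'ssn': [...], 'card': [...]} for identifiers found in text.

    Card candidates are only reported if they pass the Luhn check, which
    filters out ticket numbers and similar digit runs.
    """
    ssns = SSN_RE.findall(text)
    cards = []
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards.append(digits)
    return {"ssn": ssns, "card": cards}


def scan_messages(messages, internal_domains):
    """Scan subject and body of each message; grade hits by recipient.

    A hit bound for a domain outside internal_domains is marked 'block';
    one staying inside the organisation is marked 'warn'.
    """
    findings = []
    for msg in messages:
        recipient_domain = msg["to"].rsplit("@", 1)[-1].lower()
        external = recipient_domain not in internal_domains
        for field in ("subject", "body"):
            for kind, values in find_identifiers(msg[field]).items():
                for value in values:
                    findings.append({
                        "to": msg["to"],
                        "field": field,
                        "kind": kind,
                        "value": value,
                        "severity": "block" if external else "warn",
                    })
    return findings


if __name__ == "__main__":
    for f in scan_messages(SAMPLE_MESSAGES, {"corp.example"}):
        print(f"{f['severity']:5} {f['kind']:4} in {f['field']:7} to {f['to']}: {f['value']}")
```

Run as written, the scanner reports the SSN in the HR subject line and the card number in the payroll body, both bound for external domains, and stays silent on the ticket reference, which matches the card pattern but fails Luhn. A real deployment would also have to look inside attachments (the report singles out Excel spreadsheets), which this example does not do.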
80% of the companies in the Reconnex assessment had "detected
rogue P2P file-sharing protocols, such as Bit Torrent, Gnutella,
eDonkey, and WinMX" on their networks. For us that's an indication
of poor network management (particularly if the companies
have network management staff and monitoring software, one
reason why it would be useful to have more info about those companies),
perhaps the absence of corporate guidelines - as basic as
alerting all staff and contractors that P2P is prohibited
on a corporate network - and irresponsibility by staff.
Reconnex cites a survey by the American Management Association
indicating that 60% of US "employers" monitored email - consistent
with works such as H Jeff Smith's classic Managing Privacy:
Information Technology & Corporate America (Chapel Hill:
Uni of North Carolina Press 1995) - but only 10% monitored
instant messaging and other web-based communication methods.
Supposedly "80% of information communicated over the corporate
networks" as part of the Reconnex assessment was web-based,
with "only 13% of the information entering and leaving the
corporate network" being disseminated via "an approved corporate
email system".
That is because, as the report puts it,
Everything else employees did on the corporate network was
conducted using a non-email based communication channel including
web surfing, sending web mails, instant messages, downloading
content from websites, posting content to web bulletin boards
and web servers or communicated using FTP or a peer-to-peer
protocol.
The significance of the figures is not clear, as the report
does not indicate whether the count is based on documents (and
of what sensitivity), an assessment of content or merely the
number of digits whizzing through the firewalls. Interestingly,
Reconnex comments that employees are resorting to webmail
to circumvent corporate restrictions on the size of files attached
to email.
Ideally we would have liked to have seen benchmarking against
offline figures. How much data goes to the third parties by
snailmail, courier or personal delivery? And in what formats
(printout, floppy, CD, tape)? How much "in the clear" information
ends up in the bin - dumpster divers come on down - or blowing
down the street or across the landfill?