In-Depth
Tracking Trends: Data Security Risks
The top three risk trends in 2010, and what lies ahead for security professionals in 2011.
By Paula Skokowski, Chief marketing officer, Accellion, Inc.
High-profile data breaches in 2010 clearly demonstrate that organizations of every size continue to struggle with how to secure their data. Companies can avoid making next year’s data breach list, and ensure the confidentiality of data, by understanding the actions that put them at risk. Looking back over the past year, three trends stand out.
1. The growing use of mobile storage devices
Simple to use and relatively inexpensive, mobile storage devices including USB thumb drives, CDs, and DVDs have become common vehicles for transferring large amounts of data. Throughout the year, a steady stream of news stories have raised awareness of the security risks associated with these devices and how easy it is for them to be misplaced, lost in transit or stolen.
For example, just weeks ago one of the largest security breaches of personal health data in the nation occurred after a computer flash drive containing personal health information about 280,000 people went missing. The flash drive, which was hauled around to community health fairs, went missing from a Medicaid managed plan provider’s corporate office. This breach follows another high-profile medical-data breach at Our Lady of Peace psychiatric hospital; a flash drive containing personal information about 24,600 patients was reported lost.
Earlier this year, following a year-long ban on USB thumb drives, the Department of Defense released new guidelines allowing limited use of the devices. The devices are only to be used under mission-critical, carefully controlled circumstances, and only after strict compliance requirements are met. According to Defense News, military personnel use USB thumb drives for carrying tech manuals, medical records of wounded troops, mission plans, and other types of important information stored in files too large to e-mail.
2. The convergence of consumer and enterprise technologies
A growing number of consumer technologies are making their way into corporate environments. Easy to use and easy to obtain, many consumer-focused technologies lack the necessary security and compliance features businesses require.
Consider peer-to-peer (P2P) technology; typically installed to exchange music files with friends, P2P can quickly become a security nightmare for businesses. For example, medical records and Social Security numbers of patients at Walter Reed Army Medical Center were exposed in a P2P data breach. Highly sensitive blueprints of the United State president’s helicopter, Marine One, were leaked via a P2P network. The Canadian government also reported a popular P2P file-sharing program, LimeWire (which has since been shut down) exposed the private details of more than 150 people over the Internet.
In response to a growing number of P2P-related data breaches, FTC chairman Jon Leibowitz issued a warning to companies and institutions of all sizes about the dangers associated with P2P use. In October, LimeWire was ordered to disable the functionality of its P2P file-sharing software.
In March, Google announced that file transfer capabilities were coming to Gmail chat; soon after, Skype announced that it will follow suit. Just this November Facebook also announced it will add e-mail (and file transfer) capabilities to its service. One can’t help but think of the potential security risks associated with sending confidential information over these unsecure methods.
3. The HITECH Act’s impact on business processes
In 2010, the HITECH Act forced many organizations to address the issue of compliance, requiring new systems and business processes to be put in place to ensure control and protection of confidential health care information. This includes deploying a system that will demonstrate compliance when sharing information.
Although advances are being made that allow encryption of USB thumb drives, more work needs to be done before this method is ready for mass use. The inability to monitor what information is copied onto devices, and track where the devices go after leaving an enterprise, makes achieving compliance impossible. Similarly, it is impossible to monitor information being shared through consumer technologies such as P2P, Skype, and Gmail.
Predictions for the Year Ahead
As we look forward to 2011, we expect to see less tolerance for avoidable mishaps. Although 2010 was a period of heightened awareness of the dangers associated with sharing information through insecure methods, in 2011 there will be no excuses. Three trends to watch out and prepare for in 2011 include:
1. Greater emphasis on secure collaboration.
We will see greater focus and awareness of the need for secure collaboration. With the adoption of the cloud and mobile access to the Internet, people will want to -- and expect to be able to -- share information across multiple devices and people. There will be an increasing expectation that services and applications accessible in the office, will also be accessible away from the office. Online collaboration will be much more prevalent, placing new demands and requirements for secure data sharing.
2. Greater overlap between consumer and enterprise technology.
We will see greater overlap between consumer and enterprise technologies. Given the level of sophistication, robustness, and security required for an enterprise solution, it will be essential that corporate IT departments take a tougher stance on the use of consumer tech in the workplace.
With an alphabet soup of regulations, companies need to be careful about the technologies they use to securely transfer confidential information such as financial data, health records, and legal documents. For example, consumer-centric solutions, such as those offered by YouSendIt, allow individual employees to send files without any corporate or IT control, and that can leave companies vulnerable to security violations.
Going forward, policies that prohibit or place tight restrictions on the use of consumer technologies in the workplace will be essential to ensuring data security.
3. Compliance isn’t going away.
Although the HITECH Act was the key driver for compliance in 2010, HIPAA will continue as a major compliance driver in 2011. There will be a significant increase in digital data within the health care industry as a result of EHRs, making it easier for doctors, insurers, suppliers, and others to send files and other information electronically. Tracking and monitoring the information that is shared will be essential for demonstrating compliance.
Preparing for the New Year
Given the increase in data breaches and updated and extended compliance regulations, now is not the time to ignore data security vulnerabilities. In preparation for the New Year, consider the following checklist for how to protect your data from security and compliance risks.
- Do not allow use of mobile devices (USB thumb drives, CDs, DVDs, etc.) for transferring confidential data
- Do not allow P2P file sharing in corporate environments
- Put policies in place that strictly regulate the use of consumer tech in the workplace
- Deploy an enterprise-level managed file transfer solution
- Link your file transfer technology to your content filtering and corporate archival policies
- Provision for secure collaboration
Paula Skokowski is the chief marketing officer for Accellion, Inc., a secure, managed file-transfer solution provider. Ms. Skokowski received a BA and MA Honors in Engineering Science from Oxford University and an MS in Robotics from UC Berkeley. She has served as advisor on Teradata’s Ecommerce Board of Advisors, director for the ComputerWorld Smithsonian Awards Program, and executive director to the LonMark Interoperability Association. You can contact the author at
[email protected]