Protecting Private Information
by Phillip Britt
Al Decker, executive director of security and privacy services for Electronic
Data Systems (EDS), the Plano, Texas-based business and technology services
company, is one of three people in charge of security at his company. While
he oversees the design of security solutions for EDS customers, a second executive
checks the security of those designs, and a third oversees the company's own security.
This separation of duties is one of the many policies and procedures that
Decker and other security experts rely on to protect customer information.
While security breaches in technology get the majority of the headlines, secure
technology is only one part of the formula to protect customer information
from getting into the wrong hands, according to Decker and other security experts.
“A lot of times companies start their [security plans] with the technology,
but then they rely just on the technology,” Decker said. “Security
plans need to include people, processes, and technology. People in the organization
need to have the cultural mindset toward security.”
Indeed, technology wasn’t the culprit in the recent, well-publicized
information database compromises at ChoicePoint, Bank of America, and a handful
Poor Policies Lead to Fraud
ChoicePoint reported that the personal information of 145,000 Americans may
have been compromised in its breach, in which con men posing as businessmen
looking to do background checks on their customers were given access to its
credit information database. The company reported that about 750 of those people
whose information was released were defrauded.
CEO Derek Smith and company president Douglas Curling earned $16.6 million
from sales of ChoicePoint stock after the company learned of the breach and
before it was made public. Soon after the ChoicePoint leak became public, Bank
of America divulged that backup tapes containing the financial information
of government employees were lost while being shipped to a data warehouse.
The Federal Trade Commission estimates that 10 million people were victims
of identity theft in 2002, the most recent year for which it has data. According
to Gartner, Inc., 9.4 million online U.S. adults were victimized between April
2003 and April 2004. The losses amounted to $11.7 billion.
Proper Database Protection
In spite of these breaches, there are a number of companies providing strong
protection for their customer information systems.
Many firms are reticent to discuss their security policies and procedures
because they don’t want to give potential hackers any advice. Others
decline to discuss security issues, because they don’t want their companies
to become targets. (Saying a company has strong security presents the type
of challenge some hackers love.)
Yet Decker discussed some of EDS’s security procedures as well as what
the company recommends to its clients, many of whom are financial institutions
or healthcare facilities with sensitive customer information. Most firms that
are doing a good job of protecting customer information follow many of the
same “best practice” precautions that security experts recommend
for all companies.
In addition to the separation of security duties, the culture of the company
may be one of the most important aspects in protecting sensitive information,
according to Decker.
“Employees have to understand a company’s security policies and
procedures, and they have to follow them,” Decker said. The security
policies need to be enforced, even on seemingly trivial items, so that
bigger breaches are prevented. So, for example, someone who uses a badge to enter
a room shouldn’t hold the door open for the person behind him unless
that person has a proper badge as well. If someone needs a password to
access certain parts of a company’s network (e.g., a customer information
database), he shouldn’t be able to “sweet talk” an administrative
assistant or other employee into giving him access to the information without
“The human element is the failing [point] most of the time,” Decker
Marc Strohlein, vice president of research firm Outsell, Inc., added that
policies and procedures do little good if they’re not followed, and they
won’t be followed if they aren’t enforced.
If security is going to be strictly enforced, then the company’s human
resources department needs to have strong policies about handling security
violations, said John Rostern, director of technology risk management for Jefferson
Wells, a professional services firm.
Processes are the next major layer of information security, according
to Decker. This means tracing how information flows from one point to another,
inside and outside the organization, to find any points of weakness. The task
grows more complex as companies add wireless devices and extend their networks
beyond the physical walls of the enterprise. It also means deciding where technology
can do the job by itself and where human intervention is needed. At EDS, the
chief security officer heads the division responsible for that human intervention.
Rostern added that companies need to have strict rules against allowing portable
media, such as thumb drives and digital cameras, in any areas of the company
where sensitive data can be accessed.
According to Decker, chief security officers typically start their days by
reviewing the previous day’s monitoring data for the number of sign-in violations
(outright attacks, mistyped passwords, etc.) recorded while people attempted
to sign into the network. The number of innocent violations, such as mistyped
passwords, stays within a fairly stable range from day to day, so they look for
anything beyond that range, which may indicate increased attempts to break in.
By mid-morning, their attention will typically turn to national alerts, such
as those from the CERT Coordination Center, located at the Software Engineering
Institute, a federally funded research and development center that is operated
by Carnegie Mellon University.
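The daily review Decker describes can be made mechanical. What follows is an added example, not code from the article or from EDS: it reads a constructed sample of OpenSSH syslog lines (not real data), counts failed password logins per day, derives the “normal range” from the preceding days as the mean plus three standard deviations (a threshold choice assumed here, not one the article specifies), flags a day that exceeds it, and for that day lists the busiest source addresses and any source that failed repeatedly and then logged in successfully, which is the pattern a reviewer most wants to see.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample, not real data: OpenSSH syslog lines from one host.
# Mar 01 .. Mar 05 are ordinary days (a few fat-fingered passwords).
# Mar 06 has a burst of failures from one outside address, followed by an
# accepted login from that same address.
SAMPLE_LOG = """\
Mar 01 08:12:01 db01 sshd[4101]: Failed password for alice from 10.0.5.12 port 50122 ssh2
Mar 01 08:12:40 db01 sshd[4101]: Accepted password for alice from 10.0.5.12 port 50122 ssh2
Mar 01 14:03:11 db01 sshd[4388]: Failed password for bob from 10.0.5.30 port 41002 ssh2
Mar 02 09:01:55 db01 sshd[5012]: Failed password for bob from 10.0.5.30 port 41390 ssh2
Mar 02 09:02:10 db01 sshd[5012]: Failed password for bob from 10.0.5.30 port 41390 ssh2
Mar 02 11:20:33 db01 sshd[5211]: Failed password for carol from 10.0.5.44 port 52211 ssh2
Mar 03 08:45:02 db01 sshd[6001]: Failed password for alice from 10.0.5.12 port 50990 ssh2
Mar 03 16:12:19 db01 sshd[6310]: Failed password for dave from 10.0.5.51 port 60010 ssh2
Mar 04 08:05:07 db01 sshd[7002]: Failed password for alice from 10.0.5.12 port 51201 ssh2
Mar 04 08:05:20 db01 sshd[7002]: Failed password for alice from 10.0.5.12 port 51201 ssh2
Mar 04 10:30:44 db01 sshd[7150]: Failed password for carol from 10.0.5.44 port 52800 ssh2
Mar 04 15:55:01 db01 sshd[7402]: Failed password for bob from 10.0.5.30 port 42001 ssh2
Mar 05 09:10:10 db01 sshd[8001]: Failed password for dave from 10.0.5.51 port 60320 ssh2
Mar 05 09:10:25 db01 sshd[8001]: Failed password for dave from 10.0.5.51 port 60320 ssh2
Mar 05 13:40:02 db01 sshd[8220]: Failed password for alice from 10.0.5.12 port 51600 ssh2
Mar 06 02:14:01 db01 sshd[9001]: Failed password for invalid user admin from 203.0.113.7 port 33001 ssh2
Mar 06 02:14:03 db01 sshd[9002]: Failed password for invalid user oracle from 203.0.113.7 port 33002 ssh2
Mar 06 02:14:05 db01 sshd[9003]: Failed password for root from 203.0.113.7 port 33003 ssh2
Mar 06 02:14:07 db01 sshd[9004]: Failed password for root from 203.0.113.7 port 33004 ssh2
Mar 06 02:14:09 db01 sshd[9005]: Failed password for alice from 203.0.113.7 port 33005 ssh2
Mar 06 02:14:11 db01 sshd[9006]: Failed password for alice from 203.0.113.7 port 33006 ssh2
Mar 06 02:14:13 db01 sshd[9007]: Failed password for alice from 203.0.113.7 port 33007 ssh2
Mar 06 02:14:15 db01 sshd[9008]: Failed password for bob from 203.0.113.7 port 33008 ssh2
Mar 06 02:14:17 db01 sshd[9009]: Failed password for bob from 203.0.113.7 port 33009 ssh2
Mar 06 02:14:19 db01 sshd[9010]: Accepted password for bob from 203.0.113.7 port 33010 ssh2
Mar 06 08:30:00 db01 sshd[9400]: Failed password for carol from 10.0.5.44 port 53100 ssh2
"""

# Matches sshd password outcomes; "invalid user" lines are folded into the same shape.
LOG_RE = re.compile(
    r"^(?P<date>\w{3} \d{2}) \S+ \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_auth_events(text):
    """Return (date, result, user, ip) tuples for every sshd password event, in log order."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((m["date"], m["result"], m["user"], m["ip"]))
    return events


def failed_logins_per_day(events):
    """Map each day to its count of failed logins, preserving chronological order."""
    return dict(Counter(date for date, result, _, _ in events if result == "Failed"))


def baseline_threshold(history, k=3.0):
    """Upper edge of the 'normal range': mean + k standard deviations of prior days.
    k=3 is an assumption for this example; with few days it is a crude estimate,
    but the point is to fix the range from history rather than eyeball today's count."""
    if len(history) < 2:
        raise ValueError("need at least two prior days to form a baseline")
    return mean(history) + k * pstdev(history)


def review_day(events, day):
    """Compare `day` against the days before it and report what a reviewer would look at."""
    per_day = failed_logins_per_day(events)
    history = []
    for d, n in per_day.items():
        if d == day:
            break
        history.append(n)
    threshold = baseline_threshold(history)
    today = per_day.get(day, 0)
    failed_ips = Counter(ip for d, r, _, ip in events if d == day and r == "Failed")
    accepted_ips = {ip for d, r, _, ip in events if d == day and r == "Accepted"}
    return {
        "day": day,
        "failed": today,
        "threshold": threshold,
        "flagged": today > threshold,
        "top_sources": failed_ips.most_common(3),
        # A source that failed repeatedly and then got in is the strongest signal here.
        "failed_then_accepted": sorted(ip for ip in failed_ips if ip in accepted_ips),
    }


if __name__ == "__main__":
    evts = parse_auth_events(SAMPLE_LOG)
    for day in ("Mar 05", "Mar 06"):
        r = review_day(evts, day)
        status = "ABOVE NORMAL RANGE" if r["flagged"] else "within range"
        print(f'{r["day"]}: {r["failed"]} failed logins (threshold {r["threshold"]:.1f}) {status}')
        if r["flagged"]:
            print("  top sources:", r["top_sources"])
            print("  failed then accepted from:", r["failed_then_accepted"])
```

On the sample, Mar 05 (3 failures) sits inside the range built from the four days before it, while Mar 06 (10 failures against a threshold of about 5) is flagged, with 203.0.113.7 as the dominant source and as an address that failed nine times and was then accepted. In practice the baseline would be built over weeks rather than days, and the per-source view matters as much as the daily total, since a slow, distributed guess can stay under a daily count threshold.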
Though human intervention and processes are necessary, the complexity
of some network attacks requires technology, not only to prevent the attacks
but also to track attempts. Such tracking helps company security officers and
federal officials catch hackers, who typically attack several computer networks
at once, not just a single company’s.
Intrusion prevention/detection technology should exist at various points
along the network, according to Danny Johnston, president and CEO of Gladiator
Technologies in Alpharetta, Ga.
The first step is a firewall that admits only traffic matching its permitted
rules (addresses, ports, and protocols), to block known hacker methodologies or
known threats, many of which are attempts to get at database information.
The next step is deep packet inspection, which looks for Trojan horses,
viruses, worms, or other anomalies in the transmission’s bits and
bytes. This can be carried out by a separate device behind the firewall, or
it can be a feature of the firewall itself.
Behind the firewall and deep packet inspection should be security protocols
on switches and routers, according to Johnston. These measures help protect
against someone knowingly or unknowingly sending a data-compromising virus,
worm, or Trojan horse from one computer within the network to another host
computer or to the entire network. Johnston said that 70 percent of security
breaches are from internal, rather than external, sources.
As the volume of company information grows, it becomes more critical not only
to monitor it but also to retain all of the network security information it
produces, including alerts, reports, and activity logs, added
Jim Melvin, executive vice president of marketing and business development
at Network Intelligence Corp.
The next step is to test the security system that an enterprise has in place.
Several enterprises hire EDS, Gladiator, or another competing company to attempt
to breach their security. Some of the companies providing this “intrusion-attempt”
(penetration testing) service will also provide firewalls, security monitoring,
or other products and services to protect databases. Decker and other security
professionals recommend that enterprises buy intrusion-attempt and monitoring
services from separate companies, so that no vendor ends up testing its own work.
Johnston also recommends that enterprises use services that attempt to breach
internal as well as external security.
Strohlein recommends that enterprises use periodic “fire drills” to
prepare for what they would do in the event of heightened attack attempts or
actual security breaches. Such drills prior to Y2K helped some companies during
the 9/11 terrorist attacks.
Regardless of what policies, procedures, and technologies a company has in
place to protect its databases, security professionals agreed that securing
this information is a constantly evolving task. Every time a company institutes
a new policy, procedure, or technology, those trying to get at the data will
try to find a way around it.
Consumer Protection Laws Get Stronger
The recent breaches of consumers’ “private” information
have fueled consumer advocates’ calls for federal oversight of the loosely
regulated data-brokering business.
In 2002, California’s state government was the first to adopt rules
requiring that companies notify individuals if their personal data had been
compromised. Now, others are following suit. The Georgia House of Representatives
passed similar legislation in late March that would require companies to alert
people whose personal information has been leaked or stolen.
Capitol Hill hearings are also expected on the issue, although none had been
slated at the time of this writing.
Though not developed in response to the recent data breaches, Sarbanes-Oxley
and the Health Insurance Portability and Accountability Act (HIPAA)
are other laws that push companies to secure customer information.
Sarbanes-Oxley requires that publicly traded companies track the dissemination
of company information. HIPAA requires that holders of a person’s
healthcare information follow very strict rules when sharing that data.
Beyond making technical improvements and instituting new policies and procedures,
companies can also turn to the law to further protect their data, according
to Joel Greenwald, a labor and employment lawyer at Joel Greenwald & Associates
PC. He recommends that firms require employees, vendors, and business partners
to sign confidentiality, non-compete, and similar legal agreements.
“Companies are beginning to audit customer, pricing, and marketing
information,” said Greenwald. “If someone can’t steal one
of your clients, then there is a lot less risk.”
Greenwald also recommends that companies classify this type of information
as trade secrets, which means they don’t have to divulge some details
to business partners and others with whom they share other company information.
EDS’s Eight Steps for Businesses Impacted by Identity Theft
1. Capture the information.
2. Establish the cause of the incident.
3. Evaluate the impact of the incident.
4. Protect customers’ identities.
5. Protect your company.
6. Update procedures, systems, and tools.
7. Initiate education.
8. Prepare for the next incident.
Phillip Britt, president and CEO of S&P Enterprises, Inc., is a business
writer who covers key topics in the information technology field. His e-mail