Real-World Horror Stories Show Why Data Security Is So Hard

Comments

Corner-office executives, IT pros and other so-called knowledge workers are supposed to be pretty smart, right? Dare we say trustworthy. Unfortunately, they are the leakiest of vessels when it comes to protecting sensitive company information.

Some employees maliciously spirit away data before leaving a company, while others absent-mindedly put data at risk by storing files on mobile devices that become lost or stolen or falling for phishing scams.

CIOs are to blame, too. More than a few companies still don't have a Bring Your Own Device (BYOD) user policy, enforce a governance policy, or require data encryption on mobile devices.

The end result of all this negligence: horror stories.

Take, for example, the nun nurses at financially strapped Daughters of Charity Health System in Silicon Valley. They're some of the worst offenders, falling prey to the online scam of helping a Nigerian prince in return for a big payday. No, they're not looking to become rich.

"The nuns want to use the money to help more of the sick and poor," Michael Day, vice president of information technology and strategy at Daughters of Charity, told me at a recent tech event in San Francisco.

On a more nefarious note, a survey of IT pros attending the 2014 RSA Conference found that nearly one out of five still had access to the IT systems of their most recent previous employer. Some had access to the systems of their previous two employers.

A stolen laptop can seriously expose a company. A couple of years ago, a contractor for Howard University Hospital lost a laptop with medical records of more than 34,000 patients. Last fall, a stolen unencrypted laptop from Santa Clara Valley Medical Center exposed medical records of 250,000 patients.

Average cost of recovering from a data breach is $7.2 million," says Jaspreet Singh, founder and CEO of Druva, an endpoint data protection company. "Requiring that data on devices is encrypted is an inexpensive way to reduce the risk of data breach."

Attorneys are some of the biggest users of rogue Dropbox accounts, storing sensitive documents there, a CIO told CIO.com. At another law firm, Dowling Aaron, CIO Darin Adcock had to institute strict BYOD measures to keep his company safe, earning him the nickname "Big Brother."

"If we end up on the front of the Fresno Bee because an attorney left his phone at the bar... the damage to your reputation could literally be millions of dollars," Adcock told CIO.com last year.

Data loss can do more than just harm a company. In the summer of 2011, an Oklahoma University researcher's laptop was stolen from her car, containing years of research on prostate cancer. The professor had not backed up the laptop's data. Gartner estimates 28 percent of corporate data is stored only on endpoint devices.

"There's a misconception that endpoint devices don't contain critical data, yet increasingly this is where data lives," Singh says.

In today's Wild West mobile, BYOD and cloud frontier, real-world stories of data loss continue to make headlines -- not to mention the plethora of security slip-ups that fall under the radar and out of public view. Making matters worse, there seems to be growing worker apathy toward BYOD and mobile security.

All of this means everyone from CEOs to knowledge workers must turn apathy into diligence, and CIOs need to install technology and enact policies that keep their companies safe.

"By not having or enforcing a governance policy that controls access to data and systems, especially after an employee leaves, organizations open themselves up to the possibility of a major breach," Singh says.

Tom Kaneshige covers Apple, BYOD and Consumerization of IT for CIO.com. Follow Tom on Twitter @kaneshige. Follow everything from CIO.com on Twitter @CIOonline, Facebook, Google + and LinkedIn. Email Tom at tkaneshige@cio.com

Read more about byod in CIO's BYOD Drilldown.