Network Users Make the Difference in Data Security
A data breach can occur in many ways. Even a data “warehouser” who has implemented a policy to minimize data collection and retention while making necessary data accessible in a secure environment may still be subject to a data breach. A breach may still occur by accident or through malice even when computer users seriously adhere to a well-written policy and procedure. Data is only as safe as the trustworthiness and reliability of the organization’s users.
Computers and flash drives are lost and stolen every day. Understanding where data is stored on networks and workstations, if and when it is protected by encryption, and the rules for its transmission will not only help the administrator or responsible party enforce data security policy and procedure, but will also help identify whether or not PII may have been stored on a device which was lost or stolen. An organization which has implemented thorough data transmission monitoring, logging and blocking, but has not educated its users about basic computer safety best practices, is not effectively protected. Even when users adopt safety procedures and take them seriously, a determined rogue insider can bypass the policy and procedure, rendering all the best proactive efforts futile.
In March, we posted “Motivate Your Employees to Become Data Privacy Advocates.” This post discussed engaging the data users of your organization to be active participants in the data security process and to make data loss prevention an active part of the corporate culture.
Faceless organizations merely store information. However, a “custodian” of data, like a neighborhood librarian, stores it and protects it. An example of this approach is to empower the data owner or user with the responsibility to assign any particular document, spreadsheet, or database a security level and determine its access level. The employees’ supervisors can provide the oversight of this process without jeopardizing the culture of responsibility.
Consumers who provide an organization access to their PII should expect nothing less from the user than a sincere effort to protect the keys to their identity.
- How do your organization’s efforts measure up?
- Have you deployed network safety systems but not included education for employees?
- How have you addressed the different paths followed by inside versus outside threats?
Scenarios measuring the threat posed by accidental and intentional loss must also be evaluated.
By Ross Peiser
Senior Investigator, Kroll Fraud Solutions



