Safeguard Your Biggest Asset -- Your Data

A company’s data is its lifeblood, so why risk having it lost, stolen, or hacked into through shoddy security and privacy practices? Regular audits can help companies pinpoint weaknesses and establish good privacy protocols.
Do you know where your data is?
If your company maintains databases, runs e-mail marketing campaigns, sells something online, or gives salespeople laptops, the answer could be “everywhere.”
The more places a company’s data resides, the greater the possibility it could fall into the wrong hands, whether accidentally, by theft, or through a hacker attack. With so much at stake, it behooves businesses to establish controls that ensure data is private and secure, and stays that way. One method for doing that is a privacy audit, in which a company reviews its information-handling practices to track where data is stored and moved, whether it is vulnerable to leaks or theft, and whether employees adhere to stated privacy and security practices or industry regulations.
Data breaches and lost laptops
Small business owners who don’t think they need to check privacy practices are fooling themselves, advises Mike Spinney, spokesman for The Ponemon Institute, a privacy think tank in Traverse City, Mich. Consider:
- Since January 2005, 216 million data records of U.S. residents have been exposed due to security breaches, according to the Privacy Rights Clearinghouse (PRC), a non-profit consumer privacy advocate in San Diego, Calif. According to the PRC’s online listing of data breaches, many of those occurred at small businesses.
- The most common causes of security breaches are lost or stolen laptops or other portable devices like USB drives, according to a November 2007 benchmark study of data breaches at 35 U.S. companies by The Ponemon Institute.
- A separate survey published by The Ponemon Institute in November 2007 found that of 893 U.S. IT professionals, 51 percent had copied confidential company information to a USB memory stick, even though the majority of them (87 percent) believed their company’s policy forbade it.
That even IT professionals should exhibit such cavalier attitudes toward data privacy “is kind of shocking,” says Spinney, the Ponemon Institute spokesman.
Setting up a privacy audit
Routine privacy audits could uncover and prevent such behaviors, privacy industry experts say. To perform an audit:
- Decide what data to analyze: all employee and customer records, or a subset of sensitive information, like Social Security numbers.
- Use spreadsheets, employee interviews, technical monitoring, and blind shopping or testing to create a chart showing where data is collected, processed, transferred, or deleted and what applications or vendors are used for each step.
- Use the data flow chart to measure the company’s day-to-day information handling practices against its stated policies and any industry rules or regulations.
- If the two don’t match, take the appropriate steps to change them.
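The third and fourth steps above, comparing the data-flow chart against stated policy and flagging mismatches, can be made mechanical once the chart exists. The following is an added example, not code from the article or from any of the consultancies or vendors it names: a small Python script that holds a constructed data-flow inventory (every store, device, vendor and retention period below is made up for illustration) and checks it against a constructed policy that encodes the article's own concerns, namely sensitive records kept unencrypted, data carried on laptops and USB sticks, unvetted vendors, and records with no retention period. Each mismatch comes back as a finding that can go straight into the audit report.

```python
"""Measure a data-flow inventory against stated policy (audit steps 3 and 4).

Added example, not code from the article. Every store, vendor, data class
and rule below is constructed for illustration; a real audit uses the
company's own inventory and its own written policy.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DataStore:
    """One box on the data-flow chart: a system, device or vendor holding data."""
    name: str                       # constructed identifier
    kind: str                       # "database", "laptop", "usb" or "vendor"
    data_classes: frozenset         # kinds of personal data held there
    encrypted_at_rest: bool
    owner: str                      # internal team or the vendor's name
    retention_days: Optional[int] = None   # None = no retention period defined


@dataclass(frozen=True)
class Policy:
    """The company's stated rules, reduced to three sets."""
    sensitive: frozenset            # classes that must always be encrypted
    portable_allowed: frozenset     # classes that may sit on laptops or USB media
    approved_vendors: frozenset     # vendors with a signed data-handling agreement


PORTABLE_KINDS = {"laptop", "usb"}

# A finding is (rule id, store name, human-readable detail).
Finding = Tuple[str, str, str]


def check_store(store: DataStore, policy: Policy) -> List[Finding]:
    """Return every policy mismatch for a single store."""
    findings: List[Finding] = []

    sensitive_here = store.data_classes & policy.sensitive
    if sensitive_here and not store.encrypted_at_rest:
        findings.append(("sensitive-unencrypted", store.name,
                         f"holds {sorted(sensitive_here)} without encryption"))

    if store.kind in PORTABLE_KINDS:
        # Lost or stolen portable devices are the most common breach cause,
        # so a portable device must be encrypted regardless of what it holds.
        if not store.encrypted_at_rest:
            findings.append(("portable-unencrypted", store.name,
                             "portable device has no disk encryption"))
        disallowed = store.data_classes - policy.portable_allowed
        if disallowed:
            findings.append(("portable-disallowed-data", store.name,
                             f"carries {sorted(disallowed)}, not allowed on portable media"))

    if store.kind == "vendor" and store.owner not in policy.approved_vendors:
        findings.append(("vendor-unapproved", store.name,
                         f"vendor {store.owner!r} has no approved data agreement"))

    if store.data_classes and store.retention_days is None:
        findings.append(("no-retention", store.name,
                         "personal data held with no retention period defined"))

    return findings


def audit(inventory: List[DataStore], policy: Policy) -> List[Finding]:
    """Run every store on the chart through the policy checks."""
    return [f for store in inventory for f in check_store(store, policy)]


# Constructed policy: SSNs and card numbers are sensitive; only names and
# e-mail addresses may leave the office; one vendor has a signed agreement.
POLICY = Policy(
    sensitive=frozenset({"ssn", "card_number"}),
    portable_allowed=frozenset({"name", "email"}),
    approved_vendors=frozenset({"MailVendorCo"}),
)

# Constructed data-flow inventory for a small business (all names invented).
INVENTORY = [
    DataStore("crm_db", "database", frozenset({"name", "email", "ssn"}), True, "it-team", 2555),
    DataStore("sales_laptop_07", "laptop", frozenset({"name", "email", "ssn"}), False, "sales", None),
    DataStore("usb_stick_marketing", "usb", frozenset({"name", "email"}), False, "marketing", None),
    DataStore("email_vendor", "vendor", frozenset({"name", "email"}), True, "MailVendorCo", 365),
    DataStore("payment_vendor", "vendor", frozenset({"card_number"}), True, "UnvettedPayCo", 90),
]


if __name__ == "__main__":
    for rule, store, detail in audit(INVENTORY, POLICY):
        print(f"[{rule}] {store}: {detail}")
```

Run as written, the script reports nothing for the encrypted CRM database or the approved e-mail vendor, and lists four findings against the sales laptop, two against the USB stick and one against the unvetted payment vendor. Each finding maps back to one rule in the policy, which is what makes the last audit step ("if the two don’t match, take the appropriate steps") actionable: the report names the store, the rule and the gap.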
At most small businesses, an IT manager, CFO, or CEO could spearhead an audit. Small businesses could also hire a privacy consultant, or use their outside legal counsel or accounting firm, if those firms provide such services, says Jeff Nicol, of PrivacyReady.com, a privacy industry consultancy in Hood River, Ore. Audits aren’t cheap. A small business can expect to pay around $20,000, Nicol says. That’s pretty pricey, so companies could consider scheduling a full audit once every three years or do partial audits each year, Nicol says.
Between audits, companies can use security assessment software to keep systems running smoothly, Nicol says. Software like Watchfire from IBM, Web Vulnerability Scanner from Acunetix, Hailstorm from Cenzic, or WebInspect from SPI Dynamics can check that a company’s use of Web applications complies with stated privacy directives. Online sellers can test their privacy practices by going through the assessment process necessary to get an online privacy seal from TRUSTe, the non-profit privacy trust organization.
SIDEBAR: Securing laptops and educating employees
About those laptops: security experts recommend putting passwords on everything, and using encryption software such as Credant Mobile Guardian Shield or KeyPoint Alchemy from RedCannon Security.
Another suggestion: enroll employees in online courses like the Privacy Directions series from MediaPro. “Technology (is) a big part of having decent security, but the weakest link is workers,” Nicol says. “Proper policies, training, and monitoring all are critical to see that folks know and follow good information security practices.”
