YOUR BUSINESS AUTHORITY

Springfield, MO

PC Net General Manager Brian Plunkett says businesses and organizations should implement a multipronged approach to information systems security.

Keeping Information Safe

Posted online
With information security breaches estimated to cost American companies billions of dollars a year, it’s hard to argue against the necessity of keeping close tabs on private data.

The need for information security might be easily overlooked, until a breach occurs, and what’s important in the wake of a breach is how it is handled – and what is done to keep it from happening again.

At Missouri State University, officials are nearing the one-year anniversary of an event they’d rather not celebrate – the discovery of a breach within the College of Education. Last February, school officials learned that nine lists comprising 6,030 students’ Social Security numbers ended up on Google instead of being posted to secure servers.

The names and numbers were compiled in preparation for an accreditation of the school in fall 2010, affecting students who were enrolled in at least one of nine semesters between 2005 and 2009.

“We were notified through one of our offices that there was an exposure of a person who used to go here, and their Social Security number was on the Web,” said Jeff Morrissey, MSU’s chief information officer. “Within minutes, we took the server offline and applied security configurations to the server area that was left open.”

Breaches such as the one at MSU are not uncommon. For example, in January, online shoe seller Zappos.com announced that a hacker might have accessed the personal information of up to 24 million of its customers.

MSU staff spent nearly two weeks after the breach notifying each of the affected students. Officials also issued a news release and informed the attorney general’s office that a breach occurred. At that point, Morrissey’s staff began working to educate students and staff on best practices, he said.

A layered approach to information security is key to protecting against security breaches, said Brian Plunkett, general manager at PC Net. While simple firewalls are good protection for most home computers, he said businesses usually need something more robust.

“Typically, what we’re doing is specialized intrusion prevention,” Plunkett said, noting that devices could be encoded within a system to detect certain types of traffic, recognizing patterns as good or bad.

Financial fallout
Data and security breaches were projected to cost U.S. businesses more than $130 billion between June 2010 and June 2011, up from $101 billion in the previous 12-month period, according to the Ponemon Institute, a research group that studies Internet security.

As one example of those costs, MSU paid $42,210 for 12 months of identity theft protection for the affected students.

Morrissey said there have been no reports of the Social Security numbers being used inappropriately in the 11 months since the breach, helping to mitigate school officials’ fears.

“Most people who would have gained the information and had bad intentions would have used it fairly quickly,” said Morrissey, who leads a 75-member department charged with making sure those who need access to personal information have it, and those who should not see secure data are kept at bay.

In December, a computer containing unencrypted patient data, including about 900 Social Security numbers, was stolen from Concentra Medical Center on North Glenstone Avenue.

At the time, company officials said Concentra would provide affected patients with free access to a credit-monitoring service that could protect against potential misuse of the stolen information, and it was ramping up its security to prevent future breaches.

Not surprisingly, companies are spending more on keeping information secure.

The Ponemon Institute estimates that U.S. companies spent $75.6 billion on IT security between June 2010 and June 2011, up 20 percent from the previous year.

Plunkett said the costs for system protection and monitoring rates vary widely depending on the size of the company and the level of protection required.

Safety measures
One option for keeping data safe is to use an off-site storage system such as the data center available through PC Net’s sister company, 85Under, Plunkett said. Cloud computing – or delivering hosted services via the Internet – also could have prevented a breach such as the one Concentra experienced, because the data would not have been stored on the computer.

Other layers of protection involve monitoring employee activities and providing clients with antivirus software on individual computers.

“In addition, we like to install a Web-content filter, where we can determine not only what has just happened, but keep them from going to sites that they shouldn’t be on,” Plunkett said.

In the months since the breach at MSU, Morrissey said the school has taken several steps and implemented new procedures.

The university has invested in ongoing training for individuals in administrative departments, primarily those who deal daily with large amounts of confidential data. An inventory of file servers was conducted, and regular risk assessments are performed to identify vulnerabilities. Morrissey said IT support personnel routinely scan desktop computers in their areas to locate confidential data and ensure it is stored appropriately, and proactive scanning is performed daily to locate and protect any sensitive information at risk of being exposed through search engine indexing.

Jim Taylor, MSU information security officer, is working with Morrissey to protect the digital assets of the university, and they agree with Plunkett that a layered approach to information security is best.

Taylor said if staff and students are in the habit of making good choices, the system as a whole becomes more secure. Teaching little steps, such as locking keyboards when stepping away from a computer in use, is important to overall system security, he said.

“Whenever you start dealing with someone’s personal information and computer systems in general, you provide access to only those people who need it, and only to the extent that they need it,” Taylor said.

“Security has to be part of the planning process. It has to be part of the use process, and it has to be part of the shutdown process.”

Ultimately, Plunkett said what’s most important is preventing a breach from happening in the first place.

“It’s always more complicated after the fact,” he said.
