On April 11, the Investment Industry Regulatory Organization of Canada (IIROC) announced the loss of a mobile device – reportedly a laptop – containing the personal financial information of about 52,000 brokerage firm clients.
"It just blew me away," Ontario Information and Privacy Commissioner Ann Cavoukian says in an online post. "I just couldn't believe that an investment regulatory body would be so irresponsible."
IIROC is facing multiple investigations, both internal and by third parties, and intense media scrutiny.
The breach is a reminder that, as organizations gather more and more data in the digital age, information is getting harder to track and manage. More employees are also storing company information on personal devices, such as smartphones, many of which are highly susceptible to loss or theft and lack even security basics such as a lock-screen password.
The threat is further magnified by modern data thieves, who are far more organized, sophisticated and resourceful than they were in the past. The dark side of the Internet has spawned a global black market where these individuals can seek criminal advice, purchase hacking tools and buy and sell information at the click of a mouse. "They are well aware that they can trade information like any other commodity," says Fazila Nurani, a legal expert with privacy consulting firm PrivaTech Consulting.
Data thieves generally use a series of low-cost, low-risk tactics for stealing information, some of which are remarkably simple. Social engineering, for example, involves duping unwary employees into giving up sensitive information, such as log-in credentials or client data. Criminals may pose as a member of an organization's information technology department, for instance, and ask employees by phone or e-mail to hand over their password, supposedly for security purposes. According to a recent study by communications giant Verizon, 29 per cent of data breaches leveraged social tactics, making it one of the most common ploys of data thieves.
It's also one of the most preventable. "Human error is the biggest risk, and that's where we see the most data security breaches," Ms. Nurani says. "A password's been given out, or a security patch hasn't been installed." Weak passwords, based on birth dates or simple number sequences such as 1234, are also common.
The role of human error, which can come from anywhere in the company, means that management can no longer afford to delegate data security to IT. According to a joint survey by accountants association CPA Canada and the American Institute of Certified Public Accountants, managing and retaining data is the top technology-related priority of Canadian accountants.
Organizations now have a fiduciary and, in many cases, legal obligation to keep clients' and employees' private information safe, and need comprehensive, top-down policies to ensure this.
"Given enough information, all breaches are preventable," says Nicholas Cheung, a chartered accountant and a director at CPA Canada. "The costs of reacting to breaches almost always exceed the cost of preventing them."
Claudiu Popa, president and chief security officer at Informatica Corp., says data classification should be the foundation of any data security strategy. Highly sensitive information, such as credit card numbers, is far more valuable to criminals than public relations contacts, and must be treated as such. "It's critical," says Mr. Popa, "because you can't protect all data to the highest degree."
Strong controls such as encryption cost money and effort to roll out everywhere, and most organizations can't afford to lock down all of their data to the same degree. Still, it's essential for most to at least have data encryption capabilities, particularly on mobile devices, which are easily lost. "Everybody needs to know when they have to encrypt data, and how to do it properly," says Julie Thorpe, assistant professor at the University of Ontario Institute of Technology.
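As an added worked example of "how to do it properly" (code written for this page, not from any of the people or firms quoted), the Go program below seals a record under a key derived from a password with PBKDF2-HMAC-SHA256 and encrypts it with AES-256-GCM, so that a lost copy reveals nothing without the password and any change to the stored bytes is detected rather than silently decrypted. The container layout, the "CD1" magic, the names Encrypt and Decrypt, the iteration count and the sample record are all assumptions made for the example; the program needs only the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Blob layout (a container format made up for this example; all fields are fixed-length):
//   "CD1" (3) || salt (16) || nonce (12) || AES-256-GCM ciphertext || tag (16)
const (
	magic      = "CD1" // also bound into the AEAD as associated data
	saltLen    = 16
	nonceLen   = 12
	hdrLen     = len(magic) + saltLen + nonceLen
	keyLen     = 32      // AES-256
	iterations = 600_000 // PBKDF2-HMAC-SHA256 work factor; raise as hardware speeds up
)

// pbkdf2SHA256 is RFC 8018 PBKDF2 with HMAC-SHA256, written out so only the
// standard library is needed (Go 1.24+ also ships crypto/pbkdf2).
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	dk := make([]byte, 0, dkLen+prf.Size())
	u := make([]byte, prf.Size())
	var ctr [4]byte
	for block := 1; len(dk) < dkLen; block++ {
		prf.Reset() // U1 = PRF(P, salt || INT(block)); T = U1
		prf.Write(salt)
		binary.BigEndian.PutUint32(ctr[:], uint32(block))
		prf.Write(ctr[:])
		u = prf.Sum(u[:0])
		t := append([]byte(nil), u...)
		for n := 2; n <= iter; n++ { // Un = PRF(P, Un-1); T ^= Un
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(u[:0])
			for i := range t {
				t[i] ^= u[i]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

func newAEAD(password string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(password), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under a password-derived key. A fresh random salt per
// call gives a fresh key, so a random 96-bit GCM nonce cannot repeat under it.
func Encrypt(password string, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen) // salt || nonce, both random
	if _, err := io.ReadFull(rand.Reader, hdr); err != nil {
		return nil, err
	}
	aead, err := newAEAD(password, hdr[:saltLen])
	if err != nil {
		return nil, err
	}
	blob := append([]byte(magic), hdr...)
	return aead.Seal(blob, hdr[saltLen:], plaintext, []byte(magic)), nil
}

// Decrypt fails if the blob is malformed, sealed under another password, or
// altered in any byte; GCM reports one error for the last two, on purpose.
func Decrypt(password string, blob []byte) ([]byte, error) {
	if len(blob) < hdrLen+16 || string(blob[:len(magic)]) != magic {
		return nil, errors.New("not a CD1 blob or truncated")
	}
	aead, err := newAEAD(password, blob[len(magic):len(magic)+saltLen])
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, blob[len(magic)+saltLen:hdrLen], blob[hdrLen:], []byte(magic))
	if err != nil {
		return nil, errors.New("wrong password or data tampered with")
	}
	return pt, nil
}

func main() {
	// Constructed sample record; no real client data.
	blob, err := Encrypt("correct horse battery staple", []byte("client 0042: constructed sample record"))
	if err != nil {
		panic(err)
	}
	_, guessErr := Decrypt("1234", blob) // the weak password from the article
	pt, _ := Decrypt("correct horse battery staple", blob)
	fmt.Printf("%d-byte blob; guess 1234: %v; recovered: %s\n", len(blob), guessErr, pt)
}
```

Run it with go run; the second Decrypt call shows the article's "1234" being rejected with the same error a tampered blob would get. On a laptop or phone the practical answer is usually the platform's full-disk encryption (BitLocker, FileVault, or the Android and iOS defaults) behind a strong unlock credential; the program is the same idea applied to a single file, and it shows the three things ad-hoc implementations most often get wrong: a slow, salted key derivation instead of a bare hash of the password, a nonce that is never reused under a key, and an authenticated cipher mode so that modified data is rejected rather than decrypted to garbage.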
Employee education and training are another must. Many data thieves are experts at social manipulation, and employees should never give out sensitive information without first verifying who is asking.
Effective data security is something of a cat-and-mouse game: data thieves are constantly thinking up novel ways to undermine systems and exploit the trust of others, and organizations must continually update their strategy to keep up.
Fortunately, even projecting an image of security is a powerful deterrent. "Criminals, provided they are not ideologically driven, are fundamentally lazy, and they will go for an easier target," says Ian McPherson, a partner and national justice and security sector leader at KPMG. "They carry out their own risk assessments, just like organizations do."
A solid data security policy comes down to educational awareness, effective technological protection, and assertive governance.
Four points to keep in mind when formulating a data security strategy:
Treat data security as a business issue
Many organizations are guilty of throwing data security over the wall to IT, or thinking the latest and greatest security software provides complete protection. Data security is a business issue, not just an IT one, and managers need to treat it as such.
Educate employees
Most data breaches are the result of human error: lax passwords, lost mobile devices or unwitting disclosure to a data thief. Even the best technology is no substitute for a well-educated work force.
Encrypt critical data
This is especially important on mobile devices, which are easily lost or stolen. A login password on an unencrypted device only guards the front door: a thief can remove the drive and read the data directly. Properly encrypted data, by contrast, is useless to a thief who does not have the key.
Have a retention and destruction policy
Too often, organizations sit on large databases of outdated information, digital or otherwise. This has little to no value to the company, but is a treasure trove for data thieves.