5 IT Security Horror Stories (and 5 Ways to Avoid Them)

Your business relies on the security of its networks, storage and mobile devices to protect personal information and corporate data. But often, the weakest link in a data security plan is the human element. While education and training can go a long way toward helping your employees keep devices and data safe, sometimes it’s up to technology to save the day.

Jaspreet Singh, CEO and Founder of data protection and governance company Druva, outlines five of the worst data security horror stories and explains how they could have been prevented.

Almost 70,000 laptops, smartphones and other mobile devices are lost every year at airports, in hotel rooms, in taxis, says Singh. The loss of personal and business information can be crippling and embarrassing, and can leave your company at risk for even greater theft and data loss, Singh says.

Obviously, you want your employees to understand the importance of keeping their devices with them at all time. But, in the event a loss or theft happens, technology can come to the rescue. With continuous synchronization and data backup, even if a device is lost or stolen, it can easily and quickly be reprovisioned on a new device. And with data loss protection (DLP) software, sensitive data and information can be wiped from the device remotely, significantly reducing the chance of a breach.

In a highly publicized incident, one large storage and archiving company was the victim of a massive data theft when a huge number of encrypted drives were stolen from a van transporting them to an off-site facility. Don’t think it could get worse? The van was unlocked and unattended, making the theft much easier.

The physical security of devices when in transport or in a storage facility is just as important as securing the data they contain. Make sure your off-site storage facility and the transportation method used to get your drives there are secure, and that staff is highly trained. You also should encrypt all the data and devices, which can mitigate risk in the event of a theft.

A physician at Lucile Packard Children’s Hospital at Stanford University reported that his hospital-issued laptop was stolen from his car, putting the information of about 57,000 patients at risk. While the computer was password-protected, it wasn’t immediately apparent what kind or how much data was on the computer.

Installing eDiscovery software could have helped more easily discern that, fortunately, the information on that laptop was years out of date, and didn’t contain any financial or personal identifying information. Of course, such a theft is still a concern, but could have been much worse, Singh says.

Bring Your Own Device offers employees flexibility and freedom, but can also put confidential information and proprietary business information at risk, Singh says. If users are accessing confidential files or personal information over unprotected wireless access (or, as previously stated, lose their device) your business could be at risk.

Education is one of the first lines of defense against this sort of breach, Singh says. Make sure your employees understand the risks and, if they can help it, that they aren’t supposed to access certain files or information using their devices. If a device is lost or stolen, DLP software can wipe a device and make it unusable for the thief.

For about 18 minutes in April 2010, about 15 percent of U.S. government Internet traffic was redirected through China, including traffic to and from the sites of the U.S. Army, Navy, Marine Corps, Air Force, the office of the Secretary of Defense, the Senate and NASA, Singh says. Though the Chinese government denied it, a major flaw was found in a government data center that could easily have been exploited to redirect traffic.

Singh says building in restricted user access could have prevented such an incident. By incorporating a blacklist and whitelist of authorized users, network administrators can control which users, which devices, and which specific IP addresses are permitted to access specific data, applications, and computing functions, he says.