Security’s weakest links

Not a month has gone by in 2005 without a far-reaching computer security breach making the nightly news hour. Headliners compelled to walk the plank of shame include Bank of America — the nation’s second-largest bank — Ameritrade, Polo Ralph Lauren, and LexisNexis.

Going, going, gone are the days when gross security breaches can be shielded from public scrutiny. The California Security Breach Information Act, for example, requires state agencies and businesses that collect personal information from Californians to promptly disclose certain security lapses or face severe penalties. Is it out of bounds to call it a sad state of affairs when politicians have to move in to protect what sterling IT outfits can’t seem to stay on top of?

The speed the situation improves will depend largely upon how much IT can watch and learn from the mistakes of others. In the spirit of minimizing your company’s risk and sparing you the awkwardness of pulling executives aside to darken their day, here are a few of the nastier moments in this year’s computer security journal, and expert advice on what you have to do to get a better night’s sleep.

Encrypt your data for backup

At press time neither Bank of America nor Ameritrade could account for data backup tapes that recently went missing while being shipped to data storage-and-recovery facilities.

Bank of America fessed up that tapes containing customer and account information of nearly 1.2 million federal workers went missing in February. “A small number of computer data tapes were lost during shipment to a backup datacenter” via commercial airliner, a bank spokeswoman said. She added that there was no evidence the tapes have been misused and that the tapes are presumed lost. Bank officials would not say whether the data on the tapes was encrypted. Interestingly, the California data security law exempts companies from having to notify customers of a data loss if the data lost is encrypted.

Click for larger view.

Ameritrade had a similar tale to tell in April. The company informed more than 200,000 clients nationwide that their private account information was on four data backup tapes missing from a box damaged during shipment between two secure facilities in Salt Lake City. Officials there likewise said they have no indication that client information was compromised by thieves. They did, however, divulge that the data on its tapes was not encrypted, but that it was compressed and would be difficult to extract.

Security experts are at no loss to step in with some simple advice: Encrypt your data when backing it up.

Mark Loveless, a senior security analyst at BindView, a provider of IT security and directory management software, has questions about the missing Bank of American tapes. “Was the information encrypted? The answer is ‘probably not,’ because most backup tapes are not encrypted.” A recent survey by Enterprise Strategy Group bears out his assertion: A staggering 60 percent of storage professionals said they never encrypt backup tapes; only 7 percent said they do so routinely; the rest said they do so occasionally or don’t know one way or the other.