- Confidential information on 4,500 students was posted on a publicly accessible area of a university's Web site for months, resulting in lifelong exposure of personal information.
How would your organization handle these situations? Do you have procedures in place to respond rather than react? Do key people involved understand their roles and their responsibilities? Does management realize that most states have breach notification laws, requiring businesses to contact customers when a breach has occurred or is suspected?
Security incidents can result from technical weaknesses in computer system configurations and poorly written Web applications. Operational weaknesses, such as improper system maintenance, lack of training and poor change management, are significant contributors as well. The reality is that you have to look beyond recovering from physical disasters: rather than treating computer system attacks as an afterthought, you have to plan for them in advance.
If there is one thing that can be changed to improve this situation over time it is to get - and keep - management involved. Help them understand the issues, relate how security incidents will impact the business, and - most importantly - show that reasonable risk management can only be achieved by planning ahead. As with most things in business, you have to think long-term.
Kevin Beaver is an independent information security consultant, author, keynote speaker and expert witness with Atlanta-based Principle Logic LLC, where he specializes in performing independent information security assessments in support of risk management and compliance. He has authored/co-authored seven books on information security, including the brand new "Hacking for Dummies, 3rd edition" and "The Practical Guide to HIPAA Privacy and Security Compliance." He is also the creator of the Security On Wheels information security audio books and blog. For contact info and links to his blog and Twitter account, visit www.principlelogic.com.