Wednesday, April 27, 2011

Surprising Data Loss Vectors

With the 2011 Verizon Business Data Breach Investigation Report and breach after breach after breach recently in the news, you might be thinking that information security is all about malevolent actors right now.  The "black hats" seem to have become very good at targeting, infiltrating, and extracting valued data from desirable targets.

An article yesterday by Ellen Messmer at Network World spotlights another important issue in information security today: business partners sharing information insecurely.  At Lutheran Life Communities (LLC), when they installed Palisade Data Loss Prevention (DLP) systems, it was found that business partners were transmitting personal health information (PHI) insecurely to LLC.  LLC has chosen a practical response by warning business partners of the problem.

In my experience, this is not an isolated problem.  In the past, the DLP vendor community has highlighted the "insider problem" where employees -- usually just trying to do their jobs -- end up using poor business practices and cause frequent exposures of personal financial information (PFI) and/or personal health information, the two most highly-regulated types of personal identifying information (PII).  However, in numerous DLP installations I've observed, I have seen data inbound into organizations containing PFI and PHI violations, such as unwary customers sending credit card information in unsecured email messages into companies to request purchases.  I have also seen medical facilities where PHI was unexpectedly being transferred insecurely in and out of the organization, just as LLC noted in Ellen's article.

We have become aware of the risks of data loss.  Governments have begun enforcing data protection requirements.  We have developed policies and tools that have significantly raised the standards for protecting confidential information.  Let's put these tools and policies to good use.
