Love Thunderbird! Thanks for the introduction. Just wish it had a calendar (probably does and I don’t know about it…yet). This class has been a fabulous experience for me in discovering new applications!
 |
| Original work by author |
In keeping with the class assignment, the search for security breach incidents turned out to be a breeze. It happens with regularity apparently. Often they highly publicized, but not always. One such (highly publicized) incident involved BP. By all news accounts, a BP employee who had personal information associated with approximately 13,000 claimants of the Deepwater Horizon oil spill lost the computer. According to NPR, the computer was password protected, but the data was not encrypted, so names, addresses, social security numbers, and probably faces in some cases, have been compromised.
In today’s highly technical environment where personal information flies through cyberspace with the mere click of a few buttons and not a second’s thought, a company the size of BP should be on the cutting edge of cryptography. I would suppose that they do not send their proprietary secrets across unprotected cyber pathways, but rather use highly evolved methods to ensure secrecy. So, distributing laptop computers without encryption to their mobile representatives, who are handling large amounts of highly confidential and personal information, is a bit careless.
From a personal experience, the company where I am employed deals with a high volume of information that should be protected far better than it is. For example, we own protected information stored in a database where access privileges are assigned and managed by the direct supervisor of the location employees. To make matters worse, the employees at location may or may not be our own employees; therefore, there is absolutely no control over whether or not access to that data base is terminated when it should be, or otherwise effectively managed. We have had the experience where a disgruntled, clerk level employee “wiped out” the information stored for that location. The laws applicable in the state of incident required that notification be sent to all victims (since we didn't know what else this person did with the info) informing them that their personal information had been jeopardized, and recourse opportunities were made available. In addition, because of our unique business model where our customer employees are as important, and sometimes more important, than our own employees to the performance of our contractual commitments to our customers, we routinely grant them access to our company intranet and other critical areas and we have no policies or procedures in place to control and manage that access as personnel profiles change. We are only now developing them, and all new laptops purchased include encryption capabilities, but we are not a new company. We have grown to 1500 employees across the US and Puerto Rico. We are far behind where we should be…in my opinion (which is no secret, by the way).
Unfortunately, security is often a virtual afterthought, as is demonstrated in the examples documented above. Many others were available. As a matter of fact, during the week of the due date for this assignment, another highly publicized incident occurred involving a leading marketing services company, Epsilon.
Without the business dedication to a highly advanced technology department with a focus on security, you end up with situations such as these. The good news is that it doesn’t have to be that way. We can no longer, nor do we have to, rely on the simple and original transposition and substitution techniques, with pen and ink, to ensure protection from an illiterate population. Click on the wikipedia link for the history of encryption. Times have changed.
According to ehow.com, two protocol standards of encryption are symmetric-key and public key. eHow states that symmetric-key is highly sophisticated technology based on the Advanced Encryption Standard (AES), which applies a 256 code algorithm to encrypt data. Under this encryption method, the encryption code possibilities are so numerous that breaking the code poses a daunting task. In the secure email exercise, which only took about an hour to complete in its entirety, we used the public key technology by installing digital certificates to exchange encrypted emails. Digital certificates are issued by certificate authorities who use the certificate code to verify the identity of computers exchanging information. In both cases, both the sending computer and the receiving computer must be “certified” to complete the data exchange.
Laptops and other technological devices (smart phones, notebooks, etc.) that store information intended to be held secret are lost and stolen all the time. In business, utilizing these devices is essential, but utilizing the appropriate protection tools is a matter of good corporate responsibility to the stakeholders. Because the volume of data influences the appropriate method to use, the business application for encryption is much more complex than our email exercise, but this should not be an inhibiting factor. It is the way of the world – has been since the concept of secrecy originated – whenever that was. The fact is, we have to keep up. It is critical to sustainability: stakeholders will steer clear of any business with known data breach issues.
The FBI has a fabulous website, and I’ve included a link to their “Be Crime Smart” page. The internet is a wonderful thing, but as with anything, there’s the good, the bad and the ugly. Be informed!
