Theft of Veterans Data Shows Security Policy Gap

Opinion: IT execs need to make security a priority; user behavior is more important than product choice.

Now that the personal electronic information of 26.5 million military veterans has been stolen, it is time to revisit my column, "Lundquists Guide to Not Getting Fired for Losing Your Laptop," which I wrote in March. I followed that one up with a look at port security after the L.A. Times did an article on security breaches in Afghanistan involving stolen USB devices.

The theft of the vets data sets a new record, I believe, for names and data lost by poor data management on a laptop. (There has been at least one bigger potential theft, according to a New York Times chart, but that was a hack into a credit card management company.)

In the IT community, such data losses result in consternation over how much sensitive data is still traveling unfettered and unwatched on laptops and USB devices, or available for an easy download over a fast Internet connection.

/zimages/2/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

Why do these losses continue to happen? Is there simply a lot less common sense among executives and analysts than there should be?

I dont know about common sense, but I do know that traveling about with large amounts of data simply becomes a lot easier as data transfer speeds increase and disk storage becomes limitless. While 26.5 million names, Social Security numbers and other data sounds like a lot, that database of information certainly contains a lot less data than that DVD of Star Wars.

The day after the theft of the vets data took place, I was having a morning cup of coffee with two IT execs who are part of our Corporate Partner program. Their advice for other IT execs? Polices and procedures precede products in data security.

The coolest encryption appliance wont do you any good if you dont know what needs to be encrypted. The hard work of writing a policy and the harder work of continuing to monitor and enforce that policy are what makes data protection plans work.

Sorry, there is no quick fix to this problem, but it is an issue that should be at the top of your technology agenda.

eWEEK magazine editor in chief Eric Lundquist can be reached at [email protected]

/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.