Johannesburg, 23 Apr 2014
There is, unfortunately, no argument that the need for data risk mitigation is on the rise across the world. For example, the mail you have just received includes a new card from your credit card company, but there is no real information other than 'your information might have been at risk, and to prevent theft, we have issued you a new card'.
Credit card companies certainly do not like to admit when they have been victims of a cyber attack and there has been a breach of their sensitive data, thus, often in these cases, the company issues the new cards with no real explanation. However, you can be assured there is a vested interest in making sure this situation never happens again, let alone the need to restore consumer confidence. Data risk mitigation and data masking are now office buzz words, and have become key components of data governance and database administration.
For the last several years, the theft of personally identifiable information (PII) has been on the rise. More than one in four Americans have had their personal information lost or stolen but it is not only individuals who are at risk. Since 2005, the Privacy Rights Clearinghouse has chronicled reported breaches of client, patient, and employee data (including credit card numbers, identity numbers, birth dates, etc), intellectual property and other important records exposed through such things as loss, theft and hacking. This is why data risk mitigation is a crucial consideration in a company's business planning efforts.
Consider the following cases where data has been compromised, and how they might relate to you or your company:
* In 2007, a laptop containing employee names, social security numbers and salary information was stolen from an office at a popular US university.
* In 2008, more than 300 000 member names, social security numbers, and other personal information were contained on a laptop that was stolen from a well-known insurance firm.
* In 2009, more than 130 million credit card and debit card numbers were stolen in a data breach involving three different corporations.
* In 2010, 250 000 members of a former US presidential administration had personal information, including Social Security numbers, compromised after a hard drive containing confidential material disappeared.
* In 2011, a desktop computer was stolen from Sutter Health, exposing 3.3 million names, addresses, birth dates, phone numbers, e-mail addresses, medical record numbers and insurance plan names.
* In 2012, the theft of an unencrypted laptop of a home monitoring company's employee exposed 100 000 names, Social Security numbers, addresses, and diagnostic data
* In 2013, an employee at UW Medicine opened an e-mail attachment that contained malicious software in early October. The malware affected the employee's computer containing 90 000 patient names, addresses, Social Security, phone, and medical record numbers.
"These are just a few examples from the USA illustrating why it is imperative to protect sensitive data wherever it resides," commented Chris Anderson, Managing Director of SPI. "Basic security practices should be followed to ensure the protection of data at multiple points of entry, control and exit when considering best practices that relate to data risk mitigation.
"Companies must guarantee that their information systems are not an open target, and they must protect the data in appropriate ways throughout its (data management) life cycle," continued Anderson. "It was the latter, data-centric protection requirements that prompted IRI to develop protections specifically for personally-identifying information in files and databases, and for this reason, IRI developed FieldShield to secure data at risk down to the field level.
"FieldShield offers users a choice, for each field, of AES, GPG, or other encryption libraries, data-masking (eg, rendering a credit card number unreadable except the last four digits) and de-identification (eg, separating or pseudonymysing sensitive information in medical records), hashing and so on; up to 12 different functional categories of protection," concluded Anderson. "These functions can be applied to large, structured flat file formats, as well as ODBC-connected RDBMS columns, in support of applications and platforms typically found in data warehousing and platform migration environments. FieldShield's granular security functions, and automatic XML job (audit) logs, help organisations comply with both internal and government privacy regulations."
SPI is the African distributor for utility software products and services to the open systems segment of the IT industry and the sole sub-Saharan Africa distributor for USA-based Innovative Routines (IRI), the provider of FieldShield, a data masking tool, and RowGen, a test data generator.
For further information, please contact Chris Anderson at tel. (+27) 11 234 1560; fax (+27) 11 234 1387; e-mail chris@spi.co.za.
Share