IN A PERFECT WORLD, when you hand over your sensitive data to a company or person that you are enacting a financial transaction with, you almost unconsciously believe that the information will be secured in every way. How often do you question the recipient of your data on how it will be protected?! We are getting more privacy-savvy as consumers, but when someone at a doctor's office or big-box store asks for our social security number to complete a transaction, people generally deliver the number. When and if the company that has your data either moves locations or, worse, goes out of business, you don't ever think about what they are doing with your data. You just think that it is securely destroyed and that's the end of it.
IN THE REAL WORLD, what usually happens is that your financial information, when received, is simply put in a computer or a hardcopy file. Sometimes it is secured, most times it is not - especially if the company is a small one. The article from the New York Times below got me thinking about some war stories that I have heard being in the mortgage industry. I remember someone recently told me that a small mortgage broker in their town suddenly went out of business one day, and all they did with their piles of mortgage applications was to put them in boxes and then out on the curb to be picked up by the trash men that week. It was a particularly blustery week in that town, and 1003 mortgage applications (the crown jewels of your financial life) were blowing all down the street for anyone to see or pick up. Manna from heaven for identity thieves or ne'er-do-wells...
Next time you are asked to hand over data you consider personal or sensitive, ask the recipient, "Before I give you this info, how do you protect and secure it?" If they look at you like you're speaking Ukrainian (and you are not in Kiev), you should consider taking your business elsewhere. There have to be consequences for such negligence.
How Safe is Your Financial Data?
http://www.nytimes.com/2009/02/15/realestate/15mort.html?_r=1&scp=1&sq=how%20safe%20is%20your%20financial%20data?&st=cse
Al,
A thought-provoking article. In reality, are normal people aware of such things? Probably not. People tend to believe and trust others who seem to be friendly and warm with them and then pay the price. The question is to increase awareness, and that will help in reducing such incidents.
regards,
Vaibhav
Thanks Vaibhav. What you say is true. That's why social engineering is so effective, and the hardest security threat to protect against.
Al
Hi Al,
Interesting article. I hear a lot about DLP; can you comment if you think this is the silver bullet for corporate America? My opinion is there are still gatekeepers (let's call them privileged users) that can access sensitive data regardless of these measures. These people scare me because we still have to revert to the "trust" model when all is said and done.
Good question. And timely... I am considering DLP solutions now myself. In my opinion, DLP solutions are very helpful in telling you what you may not know - which is in some cases a light-year's leap from your current position. For some companies, just knowing all of what is leaking from their environment is enough to know where to plug the holes in the dike. For other companies that do and must share data external to themselves, DLP helps them ensure appropriate access and uncover where it is unauthorized. But, as you allude, real and effective security is all about layers (including entitlement review of privileged access) and not just one big Roach Motel where data comes in, but can't get out.