Where are the presidential candidates on data protection?
Disaster recovery planning standards need to be more of a national security preoccupation.
By Craig Gunderson Special to the Press Herald
LEWISTON — In addition to pneumonia and “birther narratives,” data breaches have played a major role in this year’s presidential campaign.
The release of confidential emails that were hacked led to the resignation of Debbie Wasserman Schultz as Democratic National Committee chair. Earlier this summer, the National Security Agency was embarrassed to discover that some of its elite codes used to crack firewalls and other tools were hacked. And recently, Yahoo confirmed that as many as 500 million Yahoo accounts may have been hacked in 2014.
With technology so ubiquitous – particularly in the form of wireless communication, smartphones and social media – coupled with the electronic transfer of funds, medical records and personal information, we are more vulnerable than ever to having our personal information stolen.
According to IdentityForce, a leading provider of identity and credit protection, just over 17 million people in the United States over 16 years old were victims of at least one incident of identity theft in 2014. Every hour in the U.S., there are nearly 2,000 identity theft incidents.
Businesses certainly know the risks of compromised data. The Cryptolocker virus is a type of ransomware that looks like legitimate software, but takes advantage of vulnerabilities in outdated software, particularly Microsoft Windows.
Cryptolocker can enter a company’s network through several pathways, including emails with infected attachments, malicious websites and fake downloads.
Our presidential candidates are largely mum on cybersecurity, identity theft and data defense. Here is information they should consider regarding the three most common data disasters:
• Human error: Security breaches and identity theft often succeed not because of criminal brilliance, but because of human negligence and sloppiness. Verizon’s 2015 Data Breach Investigations Report found that 29 percent of data security incidents occur through “miscellaneous errors,” making that the top cause. For instance, this spring, an employee who was leaving a job with the Federal Deposit Insurance Corp. accidentally downloaded 44,000 customer records onto a personal device.
Like the FDIC employee, most workers at Maine companies aren’t technology experts, and they make mistakes. We see it all the time. Customers accidentally delete important files, download malware-infected applications or leave their mobile devices at the coffee shop, risking the loss of mission-critical data.
Educating employees about technology best practices goes a long way toward reducing the risk of human error. Our public health agency has done a tremendous job educating the public about the importance of washing hands in restrooms to avoid spreading disease. We need to direct that same energy toward educating people on data protection best practices.
• Ransomware: In 2015, the FBI’s Internet Crime Complaint Center received 2,453 reports of ransomware attacks costing a total of $1.6 million. The number of attacks had doubled from those reported in 2014.
The best protection against ransomware includes being able to restore data as close to the time of attack as possible. That’s where data backup comes into play, and the 3-2-1 rule for companies and institutions: three copies of data, two different storage media and one copy off site.
• Downtime and disaster recovery: Customers today expect 100 percent uptime and 24/7 availability from their banks, hospitals and online retailers. If businesses aren’t available to serve customers at their convenience, they will go elsewhere.
Not only does downtime damage a company’s reputation, but it can cripple it financially. Gartner estimates the average expense of network downtime to be $5,600 per minute or $300,000 per hour. IBM and the Ponemon Institute found that the average cost of data loss in 2016 was $4 million. Each lost record costs a company anywhere from $158 to $355.
Businesses need to create a solid disaster recovery plan, or hire a consultant who can help consider solutions including co-location (housing servers and/or backup data off site with a third-party vendor).
A disaster recovery plan, with clear data backup and recovery protocols and consideration of an offsite data center and a firewall-as-a-service provider, is priceless insurance that mitigates risk. And just as important, disaster recovery plans need to be tested regularly. It does little good to have a disaster recovery plan if it hasn’t been dusted off in three years, or the new guy knows nothing about it.
Though real progress has been made in this area, disaster recovery planning standards need to be more of a national security preoccupation.
Data is the lifeblood of organizations, and its security is a growing concern for consumers. Protecting data – personal, societal and commercial – needs to be a concern for our presidential candidates as well, and a prominent national security issue.