What You Can Learn From the VA’s Snafu

It’s one of the largest single thefts of personal data ever reported: On Monday, the U.S. Department of Veterans Affairs said that information on more than 26 million veterans was stolen from the home of an agency employee.

The data, stored on a laptop and external hard drive, included veterans’ names, birthdates and Social Security numbers, although VA officials said there wasn’t evidence that any of the data had been used to steal anyone’s identity.

Could such a massive security breach happen at your company? Absolutely, experts say.

“This isn’t an anomaly—laptops are lost or stolen all the time,” says John Livingston, CEO of Absolute Software, a Vancouver, Canada, firm that provides laptop recovery and tracking services. “The world is getting more portable and mobile, so the problem isn’t going away.” According to Safeware, a Columbus, Ohio-based company that sells insurance for laptops, about 600,000 portable computers are stolen each year in the U.S.

In fact, some are surprised that the wholesale loss or theft of high-value data doesn’t occur more frequently.

“Nobody should be surprised about this kind of thing,” says Rick LeVine, a senior manager in Accenture’s global security practice. “It’s going to take several high-profile incidents at Fortune 500 companies to cause people to say, ‘Oh, my God, one guy’s cell phone can lose us a billion dollars.'”

Here are two key tips from security experts on what companies should be doing to prevent data from unexpectedly walking out the front door.

1. Control data access at the source. Security watchers express amazement that a single individual at the Department of Veterans Affairs was able to access such a huge collection of data, much less carry it home with him.

“How does one person download a file with 26 million names?” says Charles Kolodgy, research director for secure content and threat management products at IDC. “There is no way that information should be available for laptop download.”

Alternatively, he says, audit controls need to be in place that can catch such a download.

The main steps involved in implementing a comprehensive access-control policy are taking stock of data assets and classifying the data by its importance and value to the business, says Gary McGraw, chief technology officer of Cigital, a software development and security consulting company in Dulles, Va. “You might be surprised how few people have a data inventory,” he says.

2. Protect data, not devices. Enforcing security policies is the best way to protect sensitive data, but technologies that encrypt data “at rest”—that is, data that is stored on a computing device—can also reduce the risk of a damaging security breach.

Accenture’s LeVine points out that it’s impractical to demand that company executives not be allowed to access data remotely, even though opening up that path increases the chances it will be lost or stolen. “You could say, ‘I don’t care who you are—you have to come in and work on a secure workstation,'” he says. “But the reality is, people want the freedom to work remotely, at the airport, wherever.”

IDC has identified a security market segment it calls “outbound content compliance,” which comprises software that prevents confidential information from being e-mailed, downloaded or otherwise removed from company machines. Vendors in this space, which IDC predicts will hit $1.9 billion in 2009, include Liquid Machines, Verdasys, Vericept and Microsoft, which sells Windows Rights Management Services for Windows Server 2003.

LeVine says that even the best companies are in catch-up mode in terms of putting these kinds of protections around data, mainly because other projects take precedence: “The I.T. or security guys would love to do this. They just can’t get the money.”

Click here to read more security tips and techniques from 5 industry experts and executives.