Do you know where your data is?

By Laura Haight
Originally published as The Digital Maven in Upstate Business Journal, Oct. 30, 2015

Big data, sensitive data, data visualization. Data is the topic of countless stories, sales pitches, social media posts, blogs and videos, not to mention team meetings, marketing plans and budget discussions.

Here’s something else to think about: Protecting that data.

You may feel protected by expensive systems, firewalls, internal controls and the like. But how about the threat you haven’t counted on and shadow databases that are out of your control?

Shadow databases are data maintained by individuals outside of a centralized, shared system. It may be information that your IT department (if you have one) doesn't even know you have; or it could be data pulled out of an existing database so it can be worked on independently.

A report last week from Symantec focuses on the threat of sensitive data and proprietary content at risk of exposure - even at the largest businesses. And why is this the case? Two reasons: An unrealistic reliance on technology alone to protect it and authenticated users either unaware of the need to protect data or flouting those rules and procedures to make their work lives easier.

Think you aren’t vulnerable? Symantec calls data loss or “leakage” a “plague on enterprise-class organizations,” noting that “a lot of information is no longer secure; it’s on devices and in places the organization is unaware of.” And that’s the situation for large businesses with big staff, expensive technology and extensive internal controls. What about your small business, startup or nonprofit?

Employees take data home on laptops or USB drives, or, as was the case with CIA Director John Brennan, they email proprietary reports and information to their personal email so they can work on it outside the office. The Brennan hack, reported last week, was perpetrated by a self-described “stoner” who just wanted to show that he could. Reportedly no classified data was exposed (of course, you can read it all on WikiLeaks), but that doesn’t mean the information was any less sensitive. It included Social Security numbers of staff, draft policy reports, and detailed family information.

As businesses have moved to more mobile computing with laptops replacing desktops, and many employees authorized to use their own tablets or smartphones for work purposes, more and more data becomes “at risk.”

This month, Oklahoma University Medical Center announced that the health records of nearly 10,000 patients had potentially been compromised (including dates of birth, diagnoses, treatment recommendations, medical record numbers, doctors’ names) when a laptop owned by a former staff physician was stolen.  Practically, for the medical center, it doesn’t matter if the thief was after the data (unlikely) or the laptop (more likely). The information was lost, and 10,000 people had to be notified. That’s a hit for the university’s credibility and reputation.

Driving around with your laptop in the car is always a risk, but what about employees or nonprofit volunteers working on company information at home? Do you know if their home computers have up to date virus and malware protection? Is there a firewall on their home network? Turned on? Do they have kids using the same computer for gaming, downloading songs and video?

No one wants to discourage diligent employees who are willing to work on the weekends from taking initiative. But the USB they bring back and plug into the office network could have more on it than you bargained for.

And the risks aren’t limited to loss or hacking. An Accenture survey in 2007 found that 42 percent of respondents use incorrect information at least once a week and another 57 percent have to compile information from multiple databases to ensure accuracy. Forty-nine percent of managers responding said valuable information to their company was outside of the where it was intended to be. The result: Missed opportunities and lost customers.

The answer is not putting your business on lockdown. Shadow databases are the byproduct of generally well-meaning staff trying to get more done. Business systems are often not built with input from the staff that will use them. Business needs should include methods to enable secure sharing of information. Even some less expensive tools like Dropbox for Business can provide encrypted transfer of information for authenticated users working remotely.

Get a good handle on the situation at your business - not by vilifying employees, but by asking them and, most importantly, educating them about potentially risky behavior and offering workable alternatives.

Employees kept in the dark may inadvertently put your business or nonprofit at risk. Those who are educated and involved will protect it.  

Laura Haight is president of Portfolio, a proud member of the STOP. THINK. CONNECT. initiative of the National Cybersecurity Alliance. The alliance is the sponsor of October as National Cyber Security Awareness Month. Learn more.