I guess I’m not finished writing about information security after my post about University of Oklahoma researchers losing years of cancer research data on a stolen laptop.
I got pointed back to the topic when I learned that there was another stolen laptop incident in New Orleans, at Tulane University. The details are these. While the university closed for the Christmas holiday, a staffer in the human resources shop thought he would get some work done on the W-2 forms that have to be produced for each of the more than 10,000 people employed by Tulane. Fine. He brought home the records on a laptop. The records were unencrypted. Uh-oh. The employee left the laptop in his car and went out of town. Uhhhhh-oh. The laptop was stolen. Now records including Social Security numbers, salaries, and other information that is classified as confidential by the university are in the hands of the thief.
There are obvious lessons to be learned, and obvious mistakes here. I’m not going to go into those. They should be self-evident.
But here’s where I am going: as organizations, you need to ensure that your employees are (a) aware of, and (b) trained to act on, the sensitivity of your data.
I’ve worked at two post-secondary institutions, and there was very little talk of IT security. One opportunity to refresh my education was when Canada introduced the Personal Information Protection and Electronic Documents Act (known to normal humans as PIPEDA). That required some extensive training for anyone with access to the database program our fundraisers used (which I had, subject to limits). But overall, I’d wager that this is how things are at most organizations:
So if I’m right, why aren’t employees more sensitive to these issues? Because there’s plenty of information out there suggesting that this is a BIG problem. One 2009 report for Dell by Ponemon showed that three-quarters of IT directors surveyed knew of a case in which their organization’s data had been put at risk because of a lost laptop (not even COUNTING all the other IT threats). Another Ponemon survey showed that nearly 4 in 10 data breaches occur because of lost or stolen laptops or mobile devices. That same study pegs the cost per record of stolen data at over US$200. (If that math works for Tulane, that’s a cost of two million bucks.)
So what’s to be done?
I’d bet that most organizations have IT security policies in place. Tulane has one. I’ve read it. All 14,000 words of it.
I’ve found countless other ones like it for universities, colleges, and other institutions and organizations.
Is it reasonable to think that a 14,000-word policy is going to be regularly read — even by the IT staff or the HR staff? I don’t think so. I’d suggest that organizations of all shapes and sizes need to bring some resources to bear to make their employees far more cognizant of the risks to the organization and to themselves of sloppy data security.
If communicators are going to be counsel to their organizations, they should be scanning the horizons for threats. This sure as hell is one. And I think that we communicators ought to lead it, rather than wait for the IT or HR staff to come to us.