I, like other people who write about security issues, spend a lot of time talking about failures. We talk about hackers who break into networks, and the problem with effectively enforcing security policies. It's rare to come across a story where the security policies work - probably because success stories aren't as interesting or dramatic as failure stories.
Employees are increasingly singled out as a primary risk to business security. As a Wall Street Journal article put it:
Employees have more opportunities than ever to compromise company information. We not only screw up by clicking on emails from hackers that download viruses, letting them bypass corporate firewalls. We also open a Pandora's Box of security problems by circumventing company tech-support rules and doing work with personal gadgets and consumer-grade online services like Web email and cloud storage services.
And then there is the problem of employee-caused breaches. For example, a recent Ponemon Institute study found that data breaches in health care have increased by 32 percent. According to an eWeek article, the three primary reasons for this increase are lost or stolen equipment, third-party attacks and employee mistakes.
The Ponemon study did have a positive element, as the eWeek article stated:
Health care organizations are relying more on policies and procedures rather than forming an "ad hoc" response, according to the report. In the last year, the number of organizations that have sufficient policies has increased from 41 percent to 47 percent.
And this leads me back to my security success story that shows that having a policy in place works.
You may have heard that former Penn State University football coach Joe Paterno was diagnosed with lung cancer in November. He is being treated at the Hershey Medical Center. Now, I know that Paterno is in the news for reasons I won't get into here, but I suspect because of his stature in this part of the state, the hospital probably would have taken this step anyway. Officials at the hospital placed Paterno's medical records under audit to prevent leaks, so that each access to the records would be logged and reviewed. According to the Harrisburg Patriot News, an employee doing data entry work for the patient financial records office allegedly accessed Paterno's records without permission or authorization. The employee was fired for the breach.
A policy was put in place and the policy worked. Note what kind of control this was: the audit did not stop the employee from opening the record (the job provided the technical access), but it made the access visible after the fact and the consequences followed. Is the Hershey Medical Center equally diligent with all their patient records? I don't know, but if they aren't, they should be. Famous (or infamous, as the case may be) people aren't the only target of a breach. An employee looking up an ex-significant other, making a careless mistake, or simply being nosy is a more likely source of a breach. Even so, this story may deter other employees from looking into records they can reach but have no legitimate reason to view.
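To make the mechanism concrete, here is an added example of the kind of retrospective audit check described above. It is not code from the original post or from the hospital; the log format, the patient and user identifiers, the allow-list for the audited patient and the role-to-record-type policy are all constructed for illustration. It goes one step beyond the story by adding a second, general check (a role touching a record type it never needs) alongside the watch-list check for a record placed under audit.

```python
"""
Retrospective access audit for patient records.

Added example, not from the original post. Everything below (log
format, patient IDs, user names, care-team allow-list, role policy)
is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    patient_id: str
    record_type: str   # "clinical" or "financial" in this constructed log
    action: str        # "view", "edit", ...


# Constructed watch-list: patients placed "under audit". Every access to
# one of these records is compared against an explicit set of users with
# a legitimate need (care team plus the assigned billing clerk).
AUDITED_PATIENTS = {
    "P-1001": {"dr.smith", "nurse.lee", "billing.ortiz"},
}

# Constructed role policy: which record types each role ever needs.
ROLE_RECORD_TYPES = {
    "physician": {"clinical", "financial"},
    "nurse": {"clinical"},
    "billing_clerk": {"financial"},
}


def parse_line(line: str) -> AccessEvent:
    """Parse one constructed pipe-delimited audit line:
    ts|user|role|patient_id|record_type|action"""
    ts, user, role, pid, rtype, action = line.strip().split("|")
    return AccessEvent(datetime.fromisoformat(ts), user, role, pid, rtype, action)


def audit(events, audited=AUDITED_PATIENTS, role_policy=ROLE_RECORD_TYPES):
    """Return (event, reason) pairs for accesses that warrant review.

    Both checks are detective: they run over the log after the fact and
    do not block the access at the time it happens.
      1. watch-list: access to an audited patient's record by a user who
         is not on that patient's allow-list, whatever their role;
      2. role mismatch: access to a record type the role never needs.
    """
    findings = []
    for ev in events:
        allowed_users = audited.get(ev.patient_id)
        if allowed_users is not None and ev.user not in allowed_users:
            findings.append((ev, "not on allow-list for audited patient"))
            continue
        allowed_types = role_policy.get(ev.role, set())
        if ev.record_type not in allowed_types:
            findings.append(
                (ev, f"role {ev.role} has no need for {ev.record_type} records")
            )
    return findings


# Constructed sample log. Line 3 is the case from the story: a
# financial-records data-entry clerk opening an audited patient's chart.
SAMPLE_LOG = """\
2011-12-01T09:02:11|dr.smith|physician|P-1001|clinical|view
2011-12-01T09:15:40|billing.ortiz|billing_clerk|P-1001|financial|edit
2011-12-01T11:47:03|clerk.doe|billing_clerk|P-1001|clinical|view
2011-12-01T12:03:55|nurse.kim|nurse|P-2002|financial|view
2011-12-01T13:20:18|nurse.lee|nurse|P-1001|clinical|view
"""


def run_sample():
    """Parse the constructed log and return the findings for review."""
    events = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return audit(events)


if __name__ == "__main__":
    for ev, reason in run_sample():
        print(f"{ev.ts.isoformat()} {ev.user} -> {ev.patient_id} "
              f"({ev.record_type}): {reason}")
```

The watch-list check is exactly the control in the story, and it only works if the audit log itself is complete and cannot be edited by the people it records. The role-mismatch check is the cheap generalisation that covers patients nobody thought to flag, which is where the ex-partner lookups and nosy browsing the post mentions will actually land.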
I saw the story about Hershey Medical Center before I saw the story on the Ponemon study. Even so, it was good to see a real-life situation that put some teeth into relying on procedures and policies. Here's hoping that 2012 has more success stories ... and fewer stories of security failures.