In this episode of Beneficial Intelligence, I discuss accidental publication. There are two ways organizations lose data: Through break-ins and through carelessness. It is hard to protect your systems against determined hackers, but it should not be hard to protect yourself against carelessness. Strangely, this is just as big a source of data leaks as determined hacker attacks.
Some accidental losses are the result of individual failures to follow procedures. The British MI6 is famous for losing classified laptops in taxis and having them stolen from unattended cars. In Denmark, the health authorities produced two unencrypted CD-ROMs with data on every Danish citizen and their illnesses. They were accidentally sent to the Chinese embassy instead of the national statistics authority.
Other losses happen because organizations are accidentally publishing data to the entire world. By now, every tech journalist who sees a ?id=48375 in a web address will try to change the number to something else. That's how the State of California accidentally published information about all donations Californians made to NGOs and political organizations.
Another way is through badly secured APIs. A 19-year old college student shopping for student loans found he could check whether he qualified for a loan by simply entering his name, address, and date of birth. Looking at the web page source, he quickly discovered that the website was calling an unsecured API at credit scoring company Experian.
As a CIO or CTO, you can no longer allow the security strategy of your IT organization to depend on a lack of IT skills in the general public. Are you sure every system your organization rolls out has been subject to a security review? If not, you might be the next organization to find that you have accidentally published confidential data.
Beneficial Intelligence is a weekly podcast with stories and pragmatic advice for CIOs, CTOs, and other IT leaders. To get in touch, please contact me at [email protected]