Well over 6 weeks ago, the Office of the Chief Justice (OCJ) was broken into and 15 computers were stolen. Although the computers have yet to be recovered, the information stored on those machines is of greater value than the computers themselves.
When the news of the theft at the OCJ first broke, my wife, in a private conversation, questioned whether the data stored on the computers had been stored in keeping with PoPI (Protection of Personal Information) guidelines. This got me thinking about how we store our personal information today and how businesses look after the data of their employees and clients alike.
Data is the new currency of our era. Nowadays there are buzzwords such as big data, analytics, hacking and, most recently, ransomware. At the centre of all of this is information, or data; it has become imperative that we guard our data jealously, because there are people out there who are intent on stealing it.
As an IT professional, I saw the theft at the OCJ and the ensuing hullabaloo as being all about the personal information of the Justices and Magistrates and not the value of the physical computers that had been stolen. Here are a few unconfirmed deductions that I came to regarding said theft:
- At the very least, the computers were probably secured with user names and passwords; however, the hard drives were not encrypted with software like BitLocker, which has come standard on Windows operating systems since Windows Vista.
- Files with sensitive data were being stored on local computers and not on a central file server.
- Highly sensitive data was being stored in unsecured files like Word and Excel documents instead of in a system with additional security features. At the very least, password protecting the files impedes the thief’s access to the data.
In my opinion there are a few simple and inexpensive steps that could have been implemented to reduce the extent to which the data (from the theft) would have been compromised. If the primary motive for the theft of the computers was to get hold of the data stored on the machines, then whoever planned the heist went low tech to acquire the information.
Securing Your Data Against Theft
Some simple ways to ensure the security of your data are listed below. Computer and data theft is not limited to large companies or government departments. Small businesses, schools and residences are regularly targeted by individuals or groups that work to exploit gaps in data security.
Usernames and Passwords
Basic security dictates that this is a default for ensuring that your assets cannot be accessed by just anyone. However, there are many people and businesses that do not bother with enabling this basic feature. In addition to enabling it, ensure that you enable password complexity (i.e. a length of 7 characters, use of uppercase and lowercase characters, password history and password expiry every 30 days). Each user should also have a unique username and password to gain access to a computer.
Encryption adds an additional layer of security to a computer by requiring a key/password to gain access to the underlying data on the device. Even if the hard drive is slaved to another computer, the data still cannot be accessed. As mentioned earlier, all Windows operating systems (since Vista) now come with BitLocker.
Even if you are a small business, consider storing files containing sensitive data on a file server and not on users’ local machines. Typically, with physical and virtual security around server infrastructure, the vigilance is at a considerably higher level in comparison to desktops and laptops. A centralised server can be located in the cloud or on your own premises. The advantages of using a server include the ability to back up the data to another storage device and the prevention of total loss of data in the event that desktops and laptops are stolen. More time can also be spent on configuring and maintaining security measures as a risk mitigation measure.
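One way to check that a machine's disks really are protected in the way described above is sketched below. It is an added example, not part of the original article: it relies on the built-in `Get-BitLockerVolume` cmdlet, while the function name `Test-VolumeAtRest` and the sample volumes are hypothetical and constructed for illustration.

```powershell
# Added example: flags volumes whose data would be readable if the disk were
# removed and attached to another computer. Test-VolumeAtRest is a
# hypothetical helper name, not a built-in cmdlet.
function Test-VolumeAtRest {
    [CmdletBinding()]
    param(
        # Objects from Get-BitLockerVolume, or objects with the same properties.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Volume
    )
    process {
        $reasons = @()
        # Anything other than FullyEncrypted leaves readable sectors on disk.
        if ("$($Volume.VolumeStatus)" -ne 'FullyEncrypted') {
            $reasons += "status is $($Volume.VolumeStatus) ($($Volume.EncryptionPercentage)% encrypted)"
        }
        # Protection 'Off' on an encrypted volume means BitLocker is suspended:
        # the key is stored unprotected on the disk.
        if ("$($Volume.ProtectionStatus)" -ne 'On') {
            $reasons += "protection is $($Volume.ProtectionStatus)"
        }
        if (-not $Volume.KeyProtector) {
            $reasons += 'no key protector configured'
        }
        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            Protected  = ($reasons.Count -eq 0)
            Reasons    = $reasons -join '; '
        }
    }
}

# Constructed sample (not from a real machine): an encrypted system disk, a
# data disk that was never encrypted, and a disk with protection suspended.
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'On'
                       EncryptionPercentage = 100; KeyProtector = @('Tpm', 'RecoveryPassword') }
    [pscustomobject]@{ MountPoint = 'D:'; VolumeStatus = 'FullyDecrypted'; ProtectionStatus = 'Off'
                       EncryptionPercentage = 0; KeyProtector = @() }
    [pscustomobject]@{ MountPoint = 'E:'; VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'Off'
                       EncryptionPercentage = 100; KeyProtector = @('Tpm') }
)
$sample | Test-VolumeAtRest | Format-Table -AutoSize -Wrap

# On a real machine, from an elevated PowerShell session:
#   Get-BitLockerVolume | Test-VolumeAtRest | Where-Object { -not $_.Protected }
```

In the constructed sample only `C:` is reported as protected; `D:` and `E:` would both give up their data if the computer were stolen.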
Use of a System
Systems can be designed in such a way as to allow only authorized users to access certain data. Users also access the data on demand, meaning that the data is kept in a data store on a server somewhere. Only when you need the information do you retrieve it, use it and then close the system. Furthermore, additional security measures such as encrypting and salting certain fields in a database table can be used to enhance data protection.
The suggestions given here are by no means exhaustive and no single method will cover you completely. However, they will help you and your business to safeguard your data better.
At Code Cronie Innovations we can come into your business and do a risk assessment on possible areas where vulnerabilities can occur. We have a range of consulting and development services that can help to address the concerns highlighted in this article.