Many organizations believe they have taken all steps necessary to eliminate the risk of a data breach. They often point to the organization’s deft IT team and tout the installation of some of the latest software solutions to protect sensitive data. However, some of these same organizations often fail to take some very basic steps to address the kind of low-hanging fruit that can help to prevent significant data breaches. Recent examples include:
An Internal Revenue Service employee potentially caused the Social Security numbers, names and addresses of 20,000 or so employees and contract workers to be accessible online when the employee took a thumb drive home from work and plugged it into the employee’s unsecure home network, as reported in Bloomberg. Also within the past week, the Metropolitan Transportation Authority notified some 15,000 MTA workers that their Social Security numbers and other personal information had been found on a CD inside a refurbished CD drive sold by a retailer, according to a report by the Wall Street Journal.
Safeguards that might have prevented these kinds of incidents include clearly written policies, regular employee training and reminders, and purging of mobile electronic devices before they are sold, donated or otherwise discarded. Of course, there are others, and these basic measures can often be implemented at relatively little cost; in many cases they are also required by law. For example, a number of states have laws mandating the proper disposal of personally identifiable information, which would include information stored on electronic devices.