Information everywhere is at risk.
Over the past few years, many commercial organizations and academic institutions have had sensitive information captured by individuals who can use this information for financial gain through identity theft, sale of institutional information and research, and many other malicious acts.
According to ID Theft Resource Center statistics collected between 2006 and 2011, nearly 600 educational institutions experienced a data breach that potentially exposed information that could be used for identity theft purposes, affecting over 9,400,000 individuals.
In recent studies, as many as eighty percent of these data breaches have not been the result of the failure of technology systems, but of human error. Often, such errors are the result of individuals who handle information not fully understanding the sensitivity of the information to which they have access, the legal requirements, or the threats to that information.
With the growing identity theft risk, governmental agencies at both the federal and local levels have enacted numerous pieces of privacy legislation describing the level of protection that is required of all organizations that process information that could be used for identity theft purposes.
The primary causes:
Over 80% of organizations that experienced a data breach did so not because of technology inadequacy or failure, but because of human errors, such as:
- Not following procedures for protecting passwords,
- Not knowing enough about the information (e.g., What pieces of information are sensitive? For what purposes may specific pieces of information be used? With whom may the information be shared? How must the information be protected?),
- Not being aware of security risks and countermeasures,
- Losing laptops and removable media, such as USB keys, CDs, DVDs, etc.
Our most important defense is awareness of the importance of our information, the threats to that information, and measures we can take to protect it. That's what our information security policy is all about.
Our responsibilities in protecting information
With over 80% of all information breaches being associated with human error, often related to individuals being tricked into giving out information inappropriately, it is critical that we each have a solid understanding of what protection we must afford the information that has been placed in our care.
We all are responsible for protecting every piece of information to which we have access in a manner that is consistent with the requirements defined by its Information Guardian.
This implies that we know:
- what department "owns" that information,
- for what purposes the information can be used,
- with whom the information can be shared,
- what level of protection is required,
- what departmental procedures are in place to protect that information;
and that we diligently prevent unauthorized individuals from gaining access to information by:
- maintaining strong passwords,
- being discerning when sharing information,
- following safe computing practices to protect our systems against malicious activities.