Memory Upgrade Time
Securing databases, servers, customer data... Have we forgotten anything?
February 2, 2007
2:35 PM -- Back in his days as a stand-up comedian, Steve Martin used to do a routine called "I forgot." "If you ever get into trouble," he advised, "just say, 'I forgot.' Like this: 'I forgot armed robbery was illegal.'"
Looking at some of Dark Reading's news stories of this week, I wonder if some IT people may be taking Martin's advice.
Take a look at our piece on why many enterprises' email is mistaken for spam. (See Seven Ways to Be Mistaken for a Spammer.) Why do companies get tagged as spammers? They forgot. They forgot to register unsubscribe requests in their mailing lists, forgot to update their customer databases, forgot about servers and desktops that are now being used as bots or pawns in a spam network. As a result, they end up with sullied reputations with spam filters that can be difficult to reverse.
Database security is also becoming a hot topic. (See Vendors Prep for Database Security War.) Why do more and more enterprises need third-party tools for monitoring database activity and access? They forgot. Many enterprises forget to track who has access to sensitive databases, either through overly broad privileges or shared passwords. In fact, database security tool vendors say that one of their first jobs is usually helping the enterprise to find all of its databases -- many companies maintain whole repositories that are largely unknown or forgotten by IT.
The massive loss of customer credit card data at retailer TJX Companies was back in the news this week. (See More Thefts From TJX Breach.) Why did TJX employees lose so much credit card information? They forgot. Retailers are supposed to purge credit card data after transactions have been completed, but TJX was still holding onto information from as far back as 2003. That little mistake could cost TJX thousands of customers, and it is definitely costing the banks whose credit cards were affected.
These are very different stories, but they all point to a common issue: IT departments sometimes forget, or ignore, important tasks that affect the security of their systems. In many cases, this is not surprising, because security is only one small part of what they do each day. A database administrator, for example, is much more concerned about adding new data than about securing what's already there. Marketing people are more concerned about adding new subscribers than about unsubscribing the old ones.
Yet, while "I forgot" may be an understandable excuse in some cases, it doesn't make security violations any less damaging. I'm sure somebody at TJX meant to get around to purging all of that old credit card data, but good intentions aren't going to win back all of the customers that the retailer may lose as a result of the breach. Likewise, end users who unsubscribe from a newsletter -- and then receive it again -- aren't going to accept "I forgot" as an excuse. They're going to label you as a spammer.
Bottom line: If you're a security manager, you not only have to be suspicious and tech-savvy, but also a pain in the ass. You have to remind users not to give out their passwords, remind top executives to include security in their product plans, remind IT people to update their servers and their access lists. You can't let them forget.
Because when it comes to data breaches, "I forgot" is no excuse.
— Tim Wilson, Site Editor, Dark Reading