Coke’s Internal Data Breach
Last Friday, Coke announced that sensitive information belonging to roughly 70,000 current and former North American employees was compromised because the data hadn't been encrypted on company laptops (despite their company encryption policy.)1 The data breach occurred after a former worker stole several company laptops that locally stored employee information, such as social security and driver’s license numbers.
We’ve heard a lot about security breaches lately (Target and Neiman Marcus come to mind), but cases like Coke’s – a major breach of workers’ personal information – happen more than we realize. How can large and small companies alike learn from Coke’s recent internal breach? And what steps can we take to avoid ever experiencing an internal security breach ourselves?
The answer lies in the cloud. Simply put, cloud-stored data offers a highly secure alternative to locally-stored data. When sensitive information is no longer stored on devices that are regularly available to employees and the occasional passersby, the chances of that data being compromised drastically decreases. Cloud-stored data, generally speaking, can be accessed via remote devices over encrypted connections and do not require downloading to a local device. Local devices can enable data encryption, of course, and that certainly lowers theft and data breach risks, but by avoiding housing data locally altogether, consistent and thorough security can truly be maintained.
Another example of the perils of locally-stored data comes to mind right about now. One of the largest settlements for violating the Health Insurance Portability and Accountability Act (HIPAA) occurred when an Alaska Department of Health and Social Services employee left a portable hard drive containing the personal health information of thousands of patients in their car. It wasn’t long before the employee realized that the hard drive had been stolen. This security breach cost DHSS $1.7 million, and could have been entirely avoided if DHSS had stored its sensitive data off-premise and in the cloud.
Internal Security Measures
It may feel counterintuitive to move sensitive data farther away from you, in an effort to increase your internal security measures. But the fact is cloud hosting providers have extensive experience developing powerful safeguards and monitoring systems such as firewalls, intrusion protection systems, file integrity monitoring systems, encryption algorithms and virtual private networks. Given their decades of experience in managing large datacenters, cloud providers are well accustomed to properly disposing hard drives and backup devices. (In fact, secure data deconstruction has long been a crucial and appealing feature of cloud service providers.) Vulnerability scans serve as another crucial security asset offered by cloud providers, and allow organizations to detect disabled firewalls or any other potential security holes.
From vulnerability scans, to proper data destruction, to a central and secure ‘home’ for sensitive, internal data, cloud providers truly offer the utmost in security and can serve as trusted advisors for mitigating internal data breaches. Rather than joining the growing list of organizations, like Coke, who’ve had to overcome internal security breaches, lets all look to the cloud to maintain consistent and thorough security, both inside and out.
By Scott Walters, Director of Security at INetU
Scott is the Director of Security for hybrid-cloud hosting provider INetU and has been instrumental in shaping the Company’s client services department, which provides customer onboarding and lifecycle support. Under his tenure as director of client services, Walters expanded the department to meet customer needs as the company introduced new cloud products, enhanced service levels for enterprise customers and most recently released the robust INetU Security Suite.