When we fail in life, especially at our security, we tend to overreact and make quick and sweeping changes. If you leave your door open and your home is burglarized, moving out of your neighborhood or installing a state-of-the-art security system is an irrational response compared to simply locking your doors from now on. When implementing changes, it is important to address the specific cause of the failure and not let fear of recurrence cloud the way you make improvements.
When organizations uncover regulatory data protection non-compliance or suffer the consequences of an outright data breach, they often struggle to implement corrective actions that address the root cause of the issue. Instead they adopt new policies that adversely affect the business while failing to address the deficiency head on. Security, IT, and compliance stakeholders need to stay focused on resolving the cause of an issue and not be distracted by fear or rushed into implementing hastily designed corrective actions.
To illustrate this point, I will describe a common scenario I have witnessed among clients to whom I provide data disposition and regulatory compliance consulting as well as IT asset disposition and data destruction services.
Scenario:
A large financial institution has internal policies and procedures requiring erasure of hard drives prior to lease returns and disposal of retired assets. The firm is notified that a shipment back to a vendor contained drives that were not wiped. The drives were encrypted, so at the time of this event there were no regulations in the USA that would consider it a breach requiring disclosure. However, the company’s internal policies and procedures were not followed; therefore an investigation and corrective action were required by internal stakeholders.
The company identified the risk as stemming from the practice of erasing and reusing hard drives, and implemented a new policy and procedure under which all hard drives must now be physically destroyed before disposal or lease return. Although one could argue that this approach makes sense considering the high cost and risk of a data breach, it is actually a flawed response that does not address the root cause of the non-conformity (an employee’s actions failed to adhere to company policy).
When I analyze and investigate events like this, common root causes tend to include:
- Technician(s) failed to erase drives and document the erasure as designed and provided for in the existing management system
- Management system failed to assign accountability for such events
- Technician(s) not properly trained, or no documented training sessions found
- Routine audit of applicable work not practiced
- Process for erasure and equipment returns lacked redundancies, spot checks, and/or verification steps to ensure compliance
- Inadequate managerial oversight or approval system in place for data destruction and return management
- Detailed processes and workflow procedures poorly documented, or none found in writing
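Several of the root causes above (missing verification steps, no spot checks, no approval gate, no accountability) are process controls that can be enforced mechanically before a shipment leaves the building. The following is an added example, not the firm's process or the author's tooling: a release gate that reconciles a shipping manifest against erasure records and refuses release unless every drive has a documented erasure, an independent sign-off by someone other than the technician who wiped it, a timestamp, and a named approving manager. It also draws a deterministic, unpredictable spot-check sample from the drives that passed. All field names, serial numbers and sample records are constructed for the illustration.

```python
"""Shipment-release gate for retired drives (added example; constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional
import hashlib


@dataclass
class ErasureRecord:
    serial: str
    method: str               # how the drive was erased (free text, constructed)
    technician: str           # who performed the wipe
    verifier: str = ""        # independent sign-off; empty if nobody verified
    wiped_at: Optional[datetime] = None


@dataclass
class GateResult:
    approved: bool
    blocked: Dict[str, List[str]]   # serial -> reasons the drive cannot ship
    spot_check: List[str]           # serials pulled for manual re-verification


def pick_spot_checks(serials, rate=0.25, salt="batch-salt-placeholder"):
    """Deterministic sample that technicians cannot predict: rank serials by
    SHA-256(salt:serial) and take the lowest `rate` fraction (at least one).
    The salt is changed per batch so the selection cannot be gamed in advance."""
    if not serials:
        return []
    n = max(1, round(len(serials) * rate))
    ranked = sorted(serials, key=lambda s: hashlib.sha256(f"{salt}:{s}".encode()).hexdigest())
    return ranked[:n]


def review_shipment(manifest, records, approving_manager):
    """Reconcile the manifest against erasure records. Approved only when
    no drive (and the shipment itself) has an outstanding finding."""
    by_serial = {r.serial: r for r in records}
    blocked = {}
    for serial in manifest:
        reasons = []
        rec = by_serial.get(serial)
        if rec is None:
            reasons.append("no erasure record")
        else:
            if not rec.method:
                reasons.append("erasure method not documented")
            if not rec.verifier:
                reasons.append("no independent verification")
            elif rec.verifier == rec.technician:
                # Segregation of duties: the wiper cannot verify their own work
                reasons.append("verifier is the same person as technician")
            if rec.wiped_at is None:
                reasons.append("no erasure timestamp")
        if reasons:
            blocked[serial] = reasons
    if not approving_manager:
        # Accountability: a shipment with no named approver never leaves
        blocked["__shipment__"] = ["no approving manager recorded"]
    # Spot checks are drawn only from drives that otherwise passed the gate
    passed = [s for s in manifest if s not in blocked]
    return GateResult(approved=not blocked, blocked=blocked, spot_check=pick_spot_checks(passed))


# Constructed sample: four drives on the manifest, three with erasure records
_TS = datetime(2024, 1, 5, tzinfo=timezone.utc)
SAMPLE_MANIFEST = ["SN-0001", "SN-0002", "SN-0003", "SN-0004"]
SAMPLE_RECORDS = [
    ErasureRecord("SN-0001", "purge", "tech-a", "auditor-1", _TS),   # fully documented
    ErasureRecord("SN-0002", "purge", "tech-a", "", _TS),            # nobody verified
    ErasureRecord("SN-0003", "purge", "tech-b", "tech-b", _TS),      # self-verified
    # SN-0004 has no record at all: the drive that was never wiped
]


if __name__ == "__main__":
    result = review_shipment(SAMPLE_MANIFEST, SAMPLE_RECORDS, "manager-x")
    print("approved:", result.approved)
    for serial, reasons in result.blocked.items():
        print(f"  {serial}: {'; '.join(reasons)}")
    print("spot check:", result.spot_check)
```

The point of the gate is that it produces a written record for every shipment (what was blocked and why, who approved, which drives were pulled for re-check), which is exactly the accountability and audit trail the list above says was missing; changing the destruction method alone does none of that.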
The client’s response of requiring on-site destruction of all media does not address any of the issues noted above. The firm can change the method, the destruction tool, and the policy, but without addressing the core deficiencies in the management system, procedures, training, and redundancies, the threat of a non-conformity or an event that leads to a data breach remains.
Not only has the firm made a policy change that will cost millions of dollars in lost resale revenue and increased lease return fees, but it has also done little to reduce the risk stemming from the lack of accountability and the imperfect system that led to a technician shipping a device with live data still residing on the hard drive. This same flawed system, left unchanged other than the method of destruction, will likely lead to a technician again shipping a device with a hard drive that was neither wiped nor physically shredded.
Security is too often judged as a consensus of feelings. Many times even the most sophisticated organizations and experienced practitioners will make irrational policies based on how a policy makes them feel. In this case, although the financial firm’s policy to destroy the drives does not address the root cause, it does make them feel more secure now that all drives will be destroyed. Organizations incorrectly choose abrupt and elementary policy changes over more complicated procedural updates that require greater oversight and investment but will more effectively address the deficiencies.
As security professionals we need to analyze the logical and empirical security deficiencies, prescribe solutions based on the root causes, assign accountability, and test and evaluate our systems and programs, all the while taking care to prove the value of such investment to the business’s stakeholders. When changing policies in the face of failure, it is important to remove fear from the equation and focus on addressing the problem with a clear mindset.