The Institute of Electrical and Electronics Engineers (IEEE), one of the leading standards-making organisations, suffered the consequences of some sub-par data security practices this week as it emerged that 100,000 member usernames and passwords were found in plain text on an FTP server. A (luckily) well-intentioned researcher demonstrated, once again, that the need for better data protection measures at the server level had not been addressed. This incident in particular displayed two significant issues: firstly, the IEEE didn’t consider the type of data being processed and logged by members, and secondly, it implemented no restrictions over who could access it.
Negotiating the minefield of effective data protection begins with enterprises reviewing their approach to what constitutes ‘sensitive data’. Data discovery and classification is an arduous and typically manual process, but it is essential to figure out what to protect. You don’t want to secure family photos that somehow ended up in the same folder alongside the company’s secret recipe for next-generation gizmos. Following that comes the necessity to address where that data is allowed to reside within the organisation, and subsequently to take the appropriate and necessary measures to keep it safe. Here encryption and key management with separation of duties come into play. With data-protection watchdogs like the UK’s Information Commissioner’s Office scrutinising things more closely, not to mention delivering sizeable fines to organisations guilty of negligence, enterprises can avoid future grief by scrutinising their own data and securing the sensitive bits.
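The two failures named above, credentials written into logs that were never meant to hold them and nobody checking what the logs contained before they were left somewhere reachable, both have a cheap technical control. The following is an added example, not code from the article or from the IEEE: a small Python filter that masks password-like parameters in web access log lines before they are written, and a discovery pass that counts how many lines in an existing log still carry credentials. The log line shape (combined-log style with an optional `body="..."` field), the list of sensitive parameter names, and all sample lines are constructed assumptions for the demonstration.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names whose values must never reach a log in clear text (assumed list;
# extend it to match the application's own field names).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "secret", "token", "apikey", "api_key"}
MASK = "REDACTED"

# Constructed sample log lines (documentation IP ranges, fictional users); not from any real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Sep/2012:10:01:02 +0000] "GET /login?user=alice&password=S3cret! HTTP/1.1" 302 -',
    '198.51.100.9 - - [18/Sep/2012:10:01:05 +0000] "GET /search?q=standards HTTP/1.1" 200 4512',
    '203.0.113.7 - - [18/Sep/2012:10:01:09 +0000] "POST /api HTTP/1.1" 200 88 body="user=bob&api_key=abc123&fmt=json"',
]

# The quoted request line ("GET /path?query HTTP/1.1") and an optional logged request body.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)"')
BODY_RE = re.compile(r'body="(?P<body>[^"]*)"')


def _redact_pairs(encoded: str) -> Tuple[str, List[str]]:
    """Mask the values of sensitive keys in a form-encoded string.

    Returns the re-encoded string and the list of keys that were masked.
    """
    found: List[str] = []
    pairs = []
    for key, value in parse_qsl(encoded, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS:
            found.append(key)
            value = MASK
        pairs.append((key, value))
    return urlencode(pairs), found


def redact_credentials(line: str) -> Tuple[str, List[str]]:
    """Return the log line with sensitive parameter values masked, plus the keys that were masked.

    Both the query string of the request target and any logged body are scrubbed, so the
    line can be written to disk without carrying the member's password or API key.
    """
    found: List[str] = []

    def fix_target(m: "re.Match[str]") -> str:
        parts = urlsplit(m.group("target"))
        query, keys = _redact_pairs(parts.query)
        found.extend(keys)
        target = urlunsplit(parts._replace(query=query))
        return '"%s %s %s"' % (m.group("method"), target, m.group("proto"))

    def fix_body(m: "re.Match[str]") -> str:
        body, keys = _redact_pairs(m.group("body"))
        found.extend(keys)
        return 'body="%s"' % body

    line = REQUEST_RE.sub(fix_target, line, count=1)
    line = BODY_RE.sub(fix_body, line, count=1)
    return line, found


def sanitize_log(lines: List[str]) -> Tuple[List[str], int]:
    """Discovery pass over an existing log: redact every line and count how many held credentials.

    The count is the number a classification review wants before a log directory is
    copied anywhere; a non-zero result means the directory is 'sensitive', not 'public'.
    """
    clean: List[str] = []
    flagged = 0
    for line in lines:
        redacted, keys = redact_credentials(line)
        if keys:
            flagged += 1
        clean.append(redacted)
    return clean, flagged


if __name__ == "__main__":
    cleaned, hits = sanitize_log(SAMPLE_LOG)
    for entry in cleaned:
        print(entry)
    print("lines that carried credentials before redaction:", hits)
```

The filter belongs in front of the log writer, not behind it: once a clear-text password has been written, every copy, backup and FTP mirror of that file inherits the problem, which is exactly the situation described above. Running `sanitize_log` over archives already on disk gives the classification evidence for deciding which directories need encryption and restricted access rather than a world-readable share.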