
Monday, June 20, 2005

CANADA COMPANIES NEED TO LOCK UP DATA ON COMPUTERS

Technology - canada.com

Companies, lock up your data
Failure to have an 'incident response protocol' could cost a business a bundle if clients' information is stolen

Geof Wheelwright
Financial Post


June 17, 2005

REDMOND, Wash. - Does your company know what to do if someone breaks into its computer network and steals information? According to the security experts at Microsoft, you need an "incident response protocol" - and failure to have one can cost you.

While the world's largest software company regularly issues "patches" and security updates to the products it encourages all businesses to use, company officials suggest no-one should assume their systems are invulnerable just because they are current on security updates.

Jan Vandenbos, senior network security technologist at Microsoft, says developing an incident response protocol is a matter of defining what your company is supposed to do if someone breaks into its computer network and steals information.

He says that is one of a number of steps businesses need to take in order to lock down the data that is vital to their daily operations and comply with government regulations about information privacy and protection.

Failure to do so could cost the company a lot of money: a growing number of government regulations require not only that companies take all appropriate steps to keep the private information in their databases private, but also that they be able to clearly and accurately track the movement of all information into and out of their businesses.

"If your major server is intruded upon, you need to know if you should unplug it or leave it plugged in to see who is connected," Mr. Vandenbos says.

"You need to do three things: preserve, document and notify."

Businesses need to be able to preserve all information about the state of the system at the time of the security breach, document what information was copied off the network and notify everyone who needs to know about it. In the United States, the notification step in particular can be time-consuming, expensive and embarrassing.
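The three steps above, preserve, document and notify, reduce to concrete actions on the intruded server. The script below is an added illustration written for this page; it is not code from the article, from Microsoft, or from any tool named here. It assumes the responder has already captured the live connection table and the application's access log as text (the samples, the log format, the record-owner directory and all addresses are constructed), hashes the captures so the snapshot can later be proven unaltered, works out which records the connected intruder actually copied, and produces the list of people who must be notified. The "who is connected" answer it extracts is exactly what is lost the moment the server is unplugged, which is the decision Mr. Vandenbos describes.

```python
"""Added example: 'preserve, document, notify' on captured server state.

Hypothetical throughout: the connection table, access-log format, record
owners and IP addresses below are constructed for this illustration.
"""
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed capture of the live connection table (what netstat/ss would
# show) taken before any decision to unplug the server.
LIVE_CONNECTIONS = """\
proto local            remote              state       pid
tcp   10.0.0.5:443     203.0.113.77:51234  ESTABLISHED 4120
tcp   10.0.0.5:1433    203.0.113.77:51290  ESTABLISHED 2208
tcp   10.0.0.5:443     198.51.100.9:40001  ESTABLISHED 4120
"""

# Constructed application access log: timestamp, client, method, path, status, bytes.
ACCESS_LOG = """\
2005-06-17T02:14:05Z 203.0.113.77 GET /patients/export?id=1001 200 18230
2005-06-17T02:14:06Z 203.0.113.77 GET /patients/export?id=1002 200 17911
2005-06-17T02:14:07Z 203.0.113.77 GET /patients/export?id=1002 200 17911
2005-06-17T02:14:09Z 203.0.113.77 GET /patients/export?id=1003 404 512
2005-06-17T08:30:00Z 198.51.100.9 GET /patients/view?id=2001 200 4100
"""

# Constructed record-owner directory; in practice this is a database lookup.
RECORD_OWNERS = {"1001": "alice@example.org", "1002": "bob@example.org",
                 "1003": "carol@example.org", "2001": "dave@example.org"}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def preserve(artifacts: dict, collected_at=None) -> dict:
    """Step 1, preserve: hash each captured artifact and record the collection
    time, so later analysis can show the snapshot was not altered."""
    collected_at = collected_at or datetime.now(timezone.utc).isoformat()
    manifest = {"collected_at": collected_at, "artifacts": {}}
    for name, content in artifacts.items():
        digest = hashlib.sha256(content.encode()).hexdigest()
        manifest["artifacts"][name] = {"sha256": digest, "bytes": len(content)}
    # Digest of the manifest body; keep it apart from the manifest (printed,
    # signed or written to read-only media) so the manifest itself is checkable.
    manifest["manifest_sha256"] = hashlib.sha256(
        json.dumps(manifest["artifacts"], sort_keys=True).encode()).hexdigest()
    return manifest


def verify(artifacts: dict, manifest: dict) -> bool:
    """Re-hash the artifacts and compare against the preserved manifest."""
    return all(
        hashlib.sha256(artifacts[name].encode()).hexdigest() == entry["sha256"]
        for name, entry in manifest["artifacts"].items())


def attacker_addresses(connections: str, sensitive_ports=("1433",)) -> set:
    """Remote addresses connected to sensitive services (here the database
    port) in the captured table; this is the evidence that vanishes on unplug."""
    ips = set()
    for line in connections.splitlines()[1:]:          # skip header row
        fields = line.split()
        if len(fields) >= 3 and fields[1].rsplit(":", 1)[1] in sensitive_ports:
            ips.add(fields[2].rsplit(":", 1)[0])
    return ips


def document(access_log: str, attacker_ips: set) -> dict:
    """Step 2, document: records the intruder actually copied (HTTP 200 to an
    attacker address), one entry per record with first-seen time and bytes."""
    copied = {}
    for line in access_log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, _method, path, status, size = m.groups()
        if src not in attacker_ips or status != "200":
            continue
        rec = re.search(r"id=(\d+)", path)
        if not rec:
            continue
        entry = copied.setdefault(rec.group(1), {"first_seen": ts, "bytes": 0})
        entry["bytes"] += int(size)
    return copied


def notify(copied: dict, owners: dict) -> list:
    """Step 3, notify: owners of the copied records, sorted for a stable list."""
    return sorted(owners[r] for r in copied if r in owners)


if __name__ == "__main__":
    snapshot = {"connections.txt": LIVE_CONNECTIONS, "access.log": ACCESS_LOG}
    manifest = preserve(snapshot)
    suspects = attacker_addresses(LIVE_CONNECTIONS)
    copied = document(ACCESS_LOG, suspects)
    print(json.dumps(manifest, indent=2))
    print("copied records:", copied)
    print("notify:", notify(copied, RECORD_OWNERS))
```

The failed export (status 404) is deliberately excluded from the copied set, and the repeated download of one record is counted once with its bytes summed, so the notification list reflects records that actually left the network rather than every request the intruder made.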

The provisions of the U.S. Health Insurance Portability and Accountability Act (HIPAA) provide for enormous fines if patient records are stolen from a computer network (what the act calls "unintended disclosure"). Mr. Vandenbos says fines can be as much as US$250,000 per patient record stolen. In addition, health care providers are required to immediately notify all those whose records have been compromised. Similarly, the Fair Credit Reporting Act requires that a high level of care is taken with consumer credit information.

Beyond having a plan to document an attack, quickly assess what information was stolen and notify those affected, Mr. Vandenbos warns that companies also need to think harder about the types of attacks that could affect them. He says they should focus more on "higher value, lower frequency" attacks than on those that are frequent, annoying and inconvenient but result in little or no information theft.

Amy Roberts, director of product management at Microsoft's Security Business & Technology Unit, says businesses can apply traditional "total cost of ownership" criteria to the cost of security solutions, and that they should do so as part of an overall risk-assessment strategy. She says a company with more sensitive and valuable data, such as health information or consumer credit data, may spend more on computer security than one with less vital information.

"It depends on an individual company's risk analysis," she says. "You need to look at how do you do security and take a look at the business drivers. If you live and breathe by your database, protecting that database will be very important."
