This morning, the Chronicle reported a data breach at Indiana that was a result of a file copied to the wrong folder. It included data affecting 146,000 students – BAM! The kicker was that the file had been sitting there for “nearly a year” and nobody realized it. This type of breach needs to be distinguished from the “hacker” type, such as what happened to the University of Maryland last week. The Indiana breach was not the result of some nefarious Balkan state teenager spending days hacking into the university network. It was a mistake by an employee that went unnoticed. It’s easy to do. With so many cubby-holes for data, our desire to accommodate our customers can quickly turn against us by slowly creating risk sprawl that becomes increasingly hard to manage. Or worse, we give employees access control, and then they unintentionally create a hole.

It’s easy to blame the employee – he/she put the file there and should’ve known better. But is IT also to blame? It sat there for a year. Why didn’t we catch it? We constantly walk a line between giving our users greater control over data and ensuring as much security as possible. Our users usually think we are being difficult when we swing the “security stick”, which pushes us to be more liberal, which increases our risk. I worry about cyberattacks, but at least I have some control over my destiny in that type of situation. But employee mistakes, which constitute the vast majority of security incidents at TAMU recently, keep me awake at night wondering if I’ll get fired because of someone else’s mistake.
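The “why didn’t we catch it?” question above is answerable with a routine control: a scheduled scan of shared and web-facing folders that flags files full of identifier-like tokens and reports how long they have been sitting there. The script below is an added example written for this post, not anything from Indiana, Maryland or TAMU; it uses a US-SSN-style pattern as a stand-in for whatever student identifiers a campus actually uses (an assumption, since the post does not say what the exposed file contained), and it builds its own constructed sample folder so it runs offline.

```python
import os
import re
import tempfile
import time
from dataclasses import dataclass

# Assumption: SSN-like tokens (ddd-dd-dddd) stand in for "student identifiers".
# A real deployment adds the institution's own ID formats alongside this.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class Finding:
    path: str       # file that tripped the threshold
    matches: int    # how many identifier-like tokens it contains
    age_days: int   # days since last modification
    stale: bool     # True if it has sat there longer than stale_after_days


def scan_tree(root, min_matches=5, stale_after_days=90):
    """Walk `root` and report text files holding >= min_matches identifier-like
    tokens, with their age so long-forgotten exports stand out."""
    findings = []
    now = time.time()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or vanished mid-scan; skip it
            count = len(SSN_RE.findall(data))
            if count < min_matches:
                continue
            age_days = int((now - os.path.getmtime(path)) // 86400)
            findings.append(Finding(path, count, age_days, age_days >= stale_after_days))
    return sorted(findings, key=lambda f: f.path)


def build_sample_tree():
    """Constructed sample: a 'public' folder with a forgotten roster export
    (20 synthetic records, back-dated ~11 months) and a harmless readme."""
    root = tempfile.mkdtemp(prefix="shared_")
    os.makedirs(os.path.join(root, "public"))
    roster = os.path.join(root, "public", "roster_export.csv")
    with open(roster, "w") as fh:
        fh.write("name,id\n")
        for i in range(20):
            fh.write(f"student{i},{100 + i:03d}-{i % 100:02d}-{1000 + i:04d}\n")
    old = time.time() - 330 * 86400  # make it look like it sat there most of a year
    os.utime(roster, (old, old))
    with open(os.path.join(root, "public", "readme.txt"), "w") as fh:
        fh.write("Nothing sensitive here.\n")
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        flag = "STALE" if f.stale else "recent"
        print(f"{flag:6} {f.matches:4} matches  {f.age_days:4} days  {f.path}")
```

Run it against a real share root instead of the sample tree and route the output to a ticket queue rather than a console; the point is that a file like Indiana’s shows up in week one, not month eleven. Modification time is a weak age signal (a copy resets it), so in practice pair this with the share’s own audit log or a first-seen timestamp you record yourself.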

With the increased complexity of IT’s services comes a greater risk of security holes and inadvertent employee mistakes. At the end of the day, it really doesn’t matter what the post-mortem reveals as the cause of death. We’re dead either way. Are we our own worst enemy?