Keeping private data private: Sometimes, it’s harder than rocket science
In late December of last year, the news emerged that on October 23rd, NASA had discovered a data breach that may have exposed personal data (such as Social Security numbers) associated with current and former NASA employees.
How does such a thing happen? The folks at NASA are smart and hardworking; they know how to make systems about as bullet-proof and reliable as any ever devised, and they’re no pushovers about IT security, with a raft of published guidelines and requirements and a full-time staff.
And if anything, the private sector has lately been hit even harder, with more to come. Witness the (latest) “mother of all breaches.” The good news is that the trove of stolen information appears to be an old one. The bad? Even larger, similar data dumps are already on the way from the same source.
For data thieves, all the Earth’s a target
The problem is that keeping machines and data safe is in some ways harder than launching ships into space. The main challenge in data security for a high-profile government agency like NASA is the same as for retailers or financial providers.
There are determined adversaries constantly scanning for weaknesses—whether for bragging rights, to steal secrets, or to perpetrate some plain old identity theft. The cyber attackers going after NASA more than likely have their sights aimed not just on that agency but on any organization with exploitable security holes.
Keeping it secret, keeping it safe
If it can happen to NASA, it can happen to anyone. Want to avoid the same kind of embarrassing breach? Three big guidelines apply just as well to nearly any enterprise as they would have in NASA’s case:
- Control access tightly. Strong passwords, access restrictions by geographic location or time, periodic review of access privileges, and multi-factor authentication can all play a part.
- Encrypt the data. If data is sufficiently encrypted, unauthorized access is an annoyance rather than a disaster. Of course, you don’t want even the encrypted version to be stolen, but robbing thieves of its value is the next best outcome.
- Don’t store any more personal information than you need to. For all its staff’s skill, guarding data isn’t NASA’s primary mission, and it shouldn’t have to be. Is your enterprise stewarding Social Security numbers, medical information, or equivalently private data? The more information you discard as soon as is practical, or choose not to collect in the first place, the less you need to worry about safeguarding.
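The three guidelines above are easiest to see in code. What follows is an added example written for this post, not NASA's or any vendor's code: a tiny record store that keeps only a keyed token and the last four digits of a Social Security number instead of the raw value, grants access only with MFA, inside a time window, and while the grant is recent enough to have been reviewed, and purges records past a retention period. All names, policy values (a 90-day review period, a 365-day retention, 08:00 to 18:00 UTC) and the SSNs are constructed assumptions for illustration.

```python
"""Added example (not from the original post): a record store that applies
the three guidelines. Policy values, names and SSNs are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed demo key. In production this lives in a KMS or HSM, separate
# from the database, so a stolen copy of the table alone is worthless.
TOKEN_KEY = secrets.token_bytes(32)


def tokenize_ssn(ssn: str, key: bytes = TOKEN_KEY) -> tuple[str, str]:
    """Reduce an SSN to what the application actually needs to keep: a keyed
    HMAC token for matching records and the last four digits for display.
    The raw number is never written to storage."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("expected 9 digits")
    token = hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()
    return token, digits[-4:]


@dataclass
class Record:
    token: str
    last4: str
    created_at: datetime


@dataclass
class AccessGrant:
    user: str
    granted_at: datetime            # re-reviewed periodically
    allowed_hours: tuple[int, int]  # (start, end) hour in UTC, e.g. (8, 18)
    mfa_verified: bool


def store_record(ssn: str, now: datetime, key: bytes = TOKEN_KEY) -> Record:
    token, last4 = tokenize_ssn(ssn, key)
    return Record(token, last4, now)


def access_allowed(grant: AccessGrant, now: datetime,
                   review_period: timedelta = timedelta(days=90)) -> tuple[bool, str]:
    """Control access tightly: MFA, a time window, and grants that lapse
    unless someone re-reviews them."""
    if not grant.mfa_verified:
        return False, "mfa required"
    start, end = grant.allowed_hours
    if not start <= now.hour < end:
        return False, "outside allowed hours"
    if now - grant.granted_at > review_period:
        return False, "grant older than review period"
    return True, "ok"


def purge_expired(records: list[Record], now: datetime,
                  retention: timedelta = timedelta(days=365)) -> list[Record]:
    """Don't store more than you need: drop records past their retention."""
    return [r for r in records if now - r.created_at <= retention]


def lookup(records: list[Record], ssn: str, now: datetime,
           grant: AccessGrant, key: bytes = TOKEN_KEY) -> list[Record]:
    """Match on the token only; the caller never sees a full SSN."""
    ok, reason = access_allowed(grant, now)
    if not ok:
        raise PermissionError(reason)
    token, _ = tokenize_ssn(ssn, key)
    return [r for r in records if hmac.compare_digest(r.token, token)]


def demo() -> dict:
    """Worked run over constructed data; returns results so they can be checked."""
    now = datetime(2024, 3, 1, 10, tzinfo=timezone.utc)
    records = [store_record("123-45-6789", now - timedelta(days=400)),
               store_record("987-65-4321", now - timedelta(days=30))]
    records = purge_expired(records, now)
    good = AccessGrant("alice", now - timedelta(days=10), (8, 18), True)
    stale = AccessGrant("bob", now - timedelta(days=120), (8, 18), True)
    no_mfa = AccessGrant("carol", now, (8, 18), False)
    return {
        "kept_after_purge": [r.last4 for r in records],
        "daytime": access_allowed(good, now),
        "night": access_allowed(good, now.replace(hour=23)),
        "stale": access_allowed(stale, now),
        "no_mfa": access_allowed(no_mfa, now),
        "matches": len(lookup(records, "987654321", now, good)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The keyed token is a pseudonym, not encryption: a nine-digit SSN space is small enough that anyone holding the key could enumerate it, which is exactly why the key must live apart from the data. The deliberate consequence of this design is that a copy of the table yields tokens and last-four digits only, turning a theft into the "annoyance rather than a disaster" the post describes.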
Data security is never perfect—but if information is collected with restraint, carefully guarded, and made unusable to a thief, you may never need to apologize to employees or customers for a loss.