Analyze This.

When I read this article in the Trinidad Express, “Analyzing the TSTT Data Breach“, I shook my head a bit. It’s all much simpler than what was written down, citing Daniel Smith.

Protecting user information in a business is simple and doesn’t require couching in robust academic terms because it comes out smelling like something you might wish to put on a flower bed.

Keep. It. Simple.

It’s 6 very basic steps.

  1. Create a business list of what data you need in your system.
  2. Have a data policy as to who can access what (tiered).
  3. Inventory what you have in your systems.
  4. Get rid of what you don’t need.
  5. Lock and/or encrypt what you have.
  6. Have plans for dealing with any security incidents.

Any company dealing in user data should be doing these steps. They are not difficult, but people can make them complicated and those people are a large part of the problem.

TSTT Data Breach Context.

Step 1: In the context of the TSTT data breach, I have yet to hear any reason why TSTT needed scanned identifications, business registrations, and for all I know the latest DNA samples from Ancestry.com. I can go to a police station in Trinidad and Tobago and have a constable look at my driver’s permit, who then writes down the particulars, but somehow TSTT (and banks for that matter) need a constant deluge of copies of user identification?

I find it hard to believe that there’s a need for that in the systems that connect to anything other than a shredder and incinerator, but I could be wrong. I would like to know if I am and for what reasons, but I could be wrong.

Step 2: Who in TSTT needs access to documents, identification, etc? Which documents do they need to access? So you create the tiered access.

Step 3: What are you missing for your business requirements? Develop plans for that, and make sure it fits in with that tiered access level.

Step 4: You’re likely to find rubbish in all the data that has been needlessly stored over the years, particularly with steps (1) and (2) done. Destroy it. Shred it. Burn it with fire. You don’t want the liability, if a Data Protection Act ever surfaces. That Data Protection Act be something a Minister of Public Information and Digital Transformation could champion.

Step 5: Encrypt personal information of your customers if it must be accessible on any network. It’s not hard. Most content management systems can handle that pretty easily.

Step 6: With the above steps done, a bad actor would have to get past all those hurdles and that makes the company much more defensible should it happen. What’s more, since there’s no extraneous data, you should be able to point directly at why you needed the information stored on a network in the first place.

6 steps. That’s it.

Any CTO should be able to handle that. I’ve seen it properly done by high school graduates. I’ve seen it improperly done by college graduates. Once you care about your customer’s privacy, and once you are concerned about liability, things become extremely clear.

Leave a Reply

Your email address will not be published. Required fields are marked *