Real-World Horror Stories Show Why Data Security Is So Hard

Corner-office executives, IT pros and other so-called knowledge workers are supposed to be pretty smart, right? Dare we say trustworthy. Unfortunately, they are the leakiest of vessels when it comes to protecting sensitive company information.

Some employees maliciously spirit away data before leaving a company, while others absent-mindedly put data at risk by storing files on mobile devices that become lost or stolen or falling for phishing scams.

CIOs are to blame, too. More than a few companies still don't have a Bring Your Own Device (BYOD) user policy, enforce a governance policy, or require data encryption on mobile devices.

The end result of all this negligence: horror stories.

[Related: The BYOD Mobile Security Threat Is Real]

Take, for example, the nun nurses at financially strapped Daughters of Charity Health System in Silicon Valley. They're some of the worst offenders, falling prey to the online scam of helping a Nigerian prince in return for a big payday. No, they're not looking to become rich.

"The nuns want to use the money to help more of the sick and poor," Michael Day, vice president of information technology and strategy at Daughters of Charity, told me at a recent tech event in San Francisco.

On a more nefarious note, a survey of IT pros attending the 2014 RSA Conference found that nearly one out of five still had access to the IT systems of their most recent previous employer. Some had access to the systems of their previous two employers.

A stolen laptop can seriously expose a company. A couple of years ago, a contractor for Howard University Hospital lost a laptop with medical records of more than 34,000 patients. Last fall, a stolen unencrypted laptop from Santa Clara Valley Medical Center exposed medical records of 250,000 patients.

[Related: Coca-Cola Suffers Data Breach After Employee 'Borrows' 55 Laptops]

Average cost of recovering from a data breach is $7.2 million," says Jaspreet Singh, founder and CEO of Druva, an endpoint data protection company. "Requiring that data on devices is encrypted is an inexpensive way to reduce the risk of data breach."

Attorneys are some of the biggest users of rogue Dropbox accounts, storing sensitive documents there, a CIO told At another law firm, Dowling Aaron, CIO Darin Adcock had to institute strict BYOD measures to keep his company safe, earning him the nickname "Big Brother."

"If we end up on the front of the Fresno Bee because an attorney left his phone at the bar... the damage to your reputation could literally be millions of dollars," Adcock told last year.

Data loss can do more than just harm a company. In the summer of 2011, an Oklahoma University researcher's laptop was stolen from her car, containing years of research on prostate cancer. The professor had not backed up the laptop's data. Gartner estimates 28 percent of corporate data is stored only on endpoint devices.

"There's a misconception that endpoint devices don't contain critical data, yet increasingly this is where data lives," Singh says.

[Related: Most Data Breaches Caused by Human Error, System Glitches]

In today's Wild West mobile, BYOD and cloud frontier, real-world stories of data loss continue to make headlines -- not to mention the plethora of security slip-ups that fall under the radar and out of public view. Making matters worse, there seems to be growing worker apathy toward BYOD and mobile security.

All of this means everyone from CEOs to knowledge workers must turn apathy into diligence, and CIOs need to install technology and enact policies that keep their companies safe.

"By not having or enforcing a governance policy that controls access to data and systems, especially after an employee leaves, organizations open themselves up to the possibility of a major breach," Singh says.

Tom Kaneshige covers Apple, BYOD and Consumerization of IT for Follow Tom on Twitter @kaneshige. Follow everything from on Twitter @CIOonline, Facebook, Google + and LinkedIn. Email Tom at

Read more about byod in CIO's BYOD Drilldown.

Join the CSO newsletter!

Error: Please check your email address.

Tags Consumerization of IT | BYODdata securityIT managementcloud computinginternetdata protectionconsumerization of ITBYODcorporate datadata breachessecurityCloud

More about AppleBrother International (Aust)DropboxFacebookGartnerGoogleRSAWest

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tom Kaneshige

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts