Network Monitoring and Encryption Were Lacking in Canadian Breach
The recent experience of the provincial government of Ontario demonstrates the importance of two technologies sometimes neglected by SMBs: network monitoring and encryption. Greg Essensa, the province's Chief Electoral Officer, issued a statement on July 17 revealing that information about voters in about 20% of Ontario's electoral districts had been compromised. At fault was the practice of transferring data on unencrypted USB drives. According to Essensa, two such drives have gone missing. The potential scope of the breach is huge, encompassing the data of about 2.5 million individual Canadians.
Breach Incident Explained
Although strong encryption on the USB drives would have made the breach far less serious, a closer examination of Elections Ontario's story reveals a need for other IT solutions as well. Data was being transferred via external USB drives because some of the laptop computers used by election office workers were not connected to the organization's central network. Network monitoring, therefore, could have gone a long way toward remedying the situation that caused the breach to occur in the first place.
The data on the drives includes personal information supplied by voters to Elections Ontario and consists of data points such as names, addresses, and dates of birth. The USB drives also indicate whether a particular individual voted in the provincial election that took place last October. The exact vote cast, however, is not indicated.
Essensa also revealed that standard IT risk management procedures were not being followed in this case. Any USB keys containing personal data are supposed to be not only encrypted, but also protected with a password.
Small Business Implications
Although Elections Ontario is an organization much larger than the typical North American SMB, its experience is still illustrative. Like Elections Ontario, many small businesses have written policies that are sometimes not followed in actual practice. Encryption is an essential technology that must not be neglected no matter the size of the organization.
Voters, of course, have very little consumer choice regarding elections, so in one sense it matters relatively little if Elections Ontario ends up with a black eye in the press. The same is not true for small businesses, whose good name may be their number one business asset. Such businesses need to make sure that their customers’ data is protected by encryption without fail. The best way to do this is to transition to a managed programs model for IT support so that networks can be monitored 24/7/365 and encryption can take place automatically as data is created and stored.