About a month ago, Stephen Wynkoop was talking about a survey that Network World did about data theft. I saw some more interesting numbers on that today in an article on Network World. Here is the gist of what I have read up to this date.
945 people were polled (they had been laid off, fired, or had quit).
Now out of this poll the article claims that out of the people who felt negatively about the company, 61% of them stole data. I cannot tell you how disturbed I was by this number, but it does raise some questions. The biggest one was the statement about people who felt negatively about the company. How many people polled felt negative? If only 100 people polled felt negativity toward the company, then that means 61 were angry enough to steal data.
I love statistics, but I also prefer that they share the raw numbers. There also appears to be another report by the Ponemon Institute LLC that has very similar numbers. The statistic from the Ponemon Institute LLC report that I wanted to point out is that 20% of the people who stole data were in IT.
So you can surf the web and read the newsletters, but have you known of data theft occurring and do you know how this has happened?
About 15 years ago I worked for a pretty small company; it was pulling in about 13 million in revenue a year with very little work sitting behind it (a whole different story). The CFO of the company called me one day and said he wanted a report of all our customers. He wanted the addresses, phone numbers and basically any data we had on them. I refused to give the data and to be honest I don’t know why. I was young and never saw what was coming, but I did refuse. Within 10 minutes, I had the president of the company in my office letting me know that the CFO had to have that information and it was not my job to question or refuse. I turned the data over and I felt like a real jerk. Not only had I upset the user (the CFO) but the president as well.
I wish the story ended there. I wish I could say that I did not live to regret not standing up for what I believe in. I truly wish that what happened next didn’t happen, but it did. The president called me into his office not a month later and let me know that the CFO was no longer with the company. I was to shut down all his accounts and make sure that we recovered his laptop. I did as I was told. What I was told next floored me. I was informed that the former CFO had taken all the data that I had given him and proceeded to start an identical company. His first order of business was to solicit all the customers that we had. It ended up that within 1 month he made approximately 1.3 million dollars. Not only was there the damage that our data was compromised, but now our whole customer list had been solicited. Why would those people come back?
I wish that the example I gave you were a false one, but the sad truth is that it isn’t. It is 100% true. The hard part about this for me is that I did not stick to my guns. I believe it is my job to protect the company and the data. I should have stood my Junior DBA butt up and said that this was not necessary and that I would be more than happy to run any numbers for him that he wanted. Would that have been out of line? Maybe. Would it have ever been recognized as a mark that saved the company a million dollars? No. But what it would have done is saved me from having to admit that at one point in my career I was ordered to release sensitive data and I did it. I can put excuses all around it and make it look pretty, but my job as a DBA is to protect the data.
I can assure you that I will never make that mistake again.
If a soldier is ordered to hurt a civilian in the midst of a war, I can assure you that not only would the person giving the order be in trouble, but so would the soldier. Well DBAs, put on your flak helmet… we are at war. Every day people are trying to access your data and every day people are trying to get the data that you need or that you want. It is your job to pony up and stand up for what you know is right. Years later I had a DBA who worked for me, and his philosophy was that his job was to protect the data not only from the people who choose to do it harm, but from those who intend it no harm as well.
Look at your mailbox. How many times a year do you get the letter from the bank that you use or the credit card company that you have a credit card from, that says something along the lines of “we regret to inform you that your data has been compromised”? They are never that direct of course, and they are never going to tell you what happened, but all you have to do is Google “data theft” and you will find literally thousands of cases. It was not until the last few years that companies were required to let you know, as a consumer, what happened. This is not an article on identity theft; this is an article to inform you that we are the cause. Sure, maybe we didn’t steal the data, maybe we didn’t even grant the permissions, but it is our job as DBAs to make sure that data goes nowhere but to the place that it is intended.
SQL Server 2005 introduced the ability to put a database on removable media. I was super excited to see this come about, as it meant that I could now create a database on my thumb drive, go from conference to conference and have the same databases to use for demos. But the more I thought about it, the more I asked myself how dangerous that can be. Think of it this way: an mp3 player is now very commonplace in the workplace. What if that mp3 player were a gun? If it were a gun you would call security, you would warn your co-workers and you would call the police. Now I am not suggesting that is what you do if you see an mp3 player, but that simple mp3 player can be just as dangerous to the data you protect. Do you think I am crazy?
If you are a DBA, walk over to the desk of one of the users in your company. Take your favorite mp3 player and your USB cable. Ask the user to connect to the database for you. Poke around and see how much data you can see. Try to see if there is something that you can use, something as simple as your customers’ names and addresses. Create an Excel worksheet, create an Access database and connect using the credentials that are used on that machine. Save that file to your mp3 player. If they have SQL Server installed and not just the client tools, you can put it right into an .mdf, run a detach and walk away. Now take this data to your CTO and let them know what you have and how you got it. Now delete it.
I am not trying to promote stealing data; in fact I want you to be aware of how easy it is. There are very few companies that protect themselves to the point that they really should. As far as I am concerned, we are at a threat level and that threat level is RED. We are under attack not only from the outside world but from inside the company as well.
I actually had a director tell me once not to worry about the developers, that they could have ‘sa’ access because we trust them. I was told by the exact same person that I needed to learn how to trust people. This person now works as a data architect for a public company. This same company went through 3 layoff periods during the time that I was there. If you look at that 61% number and they laid off about 300 people over the course of a few months, I think their customer base has something to worry about. If you look at the exercise that I described above, would anyone even know that the data had been compromised?
I hate to mention this again, but if you are a DBA, make no mistake about it, we are under attack. The economy has shown us that we have more layoffs coming. The best way to prove that data theft occurs, that protection is of the utmost importance, and to get this issue across to your management, is to make sure that your own personal information is in the database. Maybe the President’s information in the database will help to get the point across? You need to protect your data and you need to know who has access to what information. We need to act as if we are the police and we are here to protect and serve.
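Knowing who has access to what is the concrete part of this, so here is an added example (my own T-SQL, not code from the original article) of the inventory a DBA can run against a SQL Server instance from a sysadmin session. It uses only the standard catalog views that exist in SQL Server 2005 and later; the departed-login names in the last step are constructed placeholders standing in for whatever list HR or management hands you.

```sql
-- Added example, not part of the original article. Run as a sysadmin.
-- Every name below comes from the instance itself except the constructed
-- placeholder logins in step 4.

-- 1. Server-level power: members of sysadmin can read, copy or detach ANY
--    database, so this list should be short and every name on it explained.
SELECT r.name AS server_role,
       m.name AS member_login,
       m.type_desc,
       m.is_disabled
FROM sys.server_role_members AS srm
JOIN sys.server_principals AS r ON r.principal_id = srm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = srm.member_principal_id
WHERE r.name IN ('sysadmin', 'securityadmin', 'serveradmin')
ORDER BY r.name, m.name;

-- 2. In the current database: db_owner (can detach the .mdf) and
--    db_datareader (can SELECT every table). Map each user back to its login
--    by SID so orphaned users stand out as NULL in mapped_login.
SELECT r.name AS database_role,
       u.name AS member_user,
       u.type_desc,
       sp.name AS mapped_login
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = drm.member_principal_id
LEFT JOIN sys.server_principals AS sp ON sp.sid = u.sid
WHERE r.name IN ('db_owner', 'db_datareader', 'db_securityadmin')
ORDER BY r.name, u.name;

-- 3. Explicit table-level SELECT grants: the "just run me a report" path
--    that bypasses role membership checks.
SELECT pr.name AS grantee,
       pe.permission_name,
       pe.state_desc,
       s.name + '.' + o.name AS table_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
JOIN sys.objects AS o ON o.object_id = pe.major_id
JOIN sys.schemas AS s ON s.schema_id = o.schema_id
WHERE pe.class_desc = 'OBJECT_OR_COLUMN'
  AND pe.permission_name = 'SELECT'
ORDER BY pr.name, table_name;

-- 4. Offboarding check: logins that still exist, and are still enabled, for
--    people who have left. The two names are CONSTRUCTED placeholders; replace
--    them with the real list from HR.
DECLARE @departed TABLE (login_name sysname NOT NULL);
INSERT INTO @departed (login_name)
VALUES ('CORP\former.cfo'), ('former_contractor_sql');

SELECT sp.name AS still_present_login,
       sp.type_desc,
       sp.is_disabled,
       sp.modify_date
FROM sys.server_principals AS sp
JOIN @departed AS d ON d.login_name = sp.name
ORDER BY sp.is_disabled, sp.name;
```

Steps 2 and 3 report on the current database only; run them under each database you care about (or wrap them in `sp_MSforeachdb`) and keep the output so that the next run can be diffed against it. A login that shows up in step 4 with `is_disabled = 0` is exactly the account the article's president asked to have shut down.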
I hope in this short article that you can see that I am willing to share my mistakes so that others don’t make them. Please take time to rate this article, and if you have information along the same lines, please share it. I think it’s important to note that before we can fix the mistakes that we make, everyone should be aware that there is a problem or a mistake. How can we win a war that many don’t even know we are fighting?