Darth Reed

Now that I have a place to put my quasi-technical babble over at MSDN, the space is reserved for me to spew my political bile and enjoy all things sci-fi. Heh.

Saturday, September 17, 2005

Data security in the small.

Pop Quiz: Does your kid's child care facility use encryption to store the personal information that they keep on file about your family members?

Like most small businesses, I'll bet they don't.

Does the public school system do any better at protecting your family's data?

So, what do you do when you find out that the computers at your kid's child care facility or school have been stolen? Worry? Yell? Sue? Wonder? Watch your kids like a hawk? What do you do when it happens with no disclosure and you DON'T find out??

This isn't a hypothetical question for Darth Reed. This actually happened a couple days ago to the child care facility at our health club (who shall remain nameless for the moment). The details are sketchy, but it smells like an inside job to me. But who stole the PCs (and the data on them)? Punks who wanted higher performance toys? Junkies that needed some quick cash? Pedophiles who wanted the pictures of the kids, their addresses and the work out schedules of the parents?

You see, we don't know exactly what was stored besides pictures of us and our kids, our membership numbers and other basics. Were those things stored locally? On a network server? Were they encrypted with a meaningful level of complexity? Do you know who is keeping what information about you, where, why and with what level of protection around it?

At my last place of entertainment, we used no encryption whatsoever, despite warnings by the development staff, because in the immortal words of the former CEO, "Nobody has ever fraudulently purchased a home on behalf of someone else." They completely ignore (to this day, as far as I know) the fact that the personal appointment calendars of both customers and REALTORs® (which homes they have and will see and when -- along with notes about their preferences and impressions of the properties), the financial profile of each individual who was interested in buying a home and lots of private contact information like cell phone numbers and mortgage tracking documents were stored in the system. At best, a highly motivated seller with that data could hold out for a much higher price if she knew that the buyer was willing and able to spend more. At worst, a stalker could meet the prospect at an out of the way, unoccupied home for an illicit rendezvous that the prospect wouldn't appreciate at exactly the time scheduled on the customer's calendar. But, of course, executive management didn't believe that encryption and better security (like SSL certificates!) was worth the cost.

You may not have thought about it this way (I didn't until just recently), but there are more important data points in your life to protect than your credit card numbers... Your bank and credit card balances are insured, but no amount of insurance can really replace your wife and kids.

We software developers have got to STOP letting ignorant business people and miserly project sponsors skip over the simple but important bits of data security and start building our applications with some better self-protection.

Strike first!!


Post a Comment

Subscribe to Post Comments [Atom]

Links to this post:

Create a Link

<< Home