Prairie Business Magazine reports on the data breach at the North Dakota University System that exposed almost 300,000 users' data. In addition to the sheer size of the breach, what makes it remarkable is that it was largely caused by miscommunication between IT employees.
As we explore what happened, we'll focus on how…
- Miscommunications between IT employees, contractors, and subcontractors can lead to oversights and breaches.
- A few weak security settings can expose an entire organization.
Human Error and Data Breaches: How to Prevent Miscommunication
Three employees were put on leave after each confessed that they had mistakenly assumed someone else was responsible for network security. The sloppiness at the NDUS was inexcusable – the university failed to have intrusion detection software in place – but if you've ever worked as a project manager, you know how easy it is for oversights to happen.
Coordinating organization-wide security is complicated. If you have three IT guys in a room, there will be at least four different opinions about the best way to secure a network. The challenge for an IT contractor or project manager is to coordinate with other contractors who bring different IT experience to the table.
As we pointed out in "What Developers Can Learn from Obamacare's Website Problems," similar issues plagued the rollout of Healthcare.gov. Though the site wasn't the victim of a data breach, its well-documented latency and functionality problems were largely due to the fact that different IT contractors built different parts of the website and didn’t coordinate properly.
Clearly defining tasks and assigning responsibilities is vital for any project manager. (Insurance for IT project managers can cover you for lawsuits over miscommunication errors that lead to data breaches, missed deadlines, and functionality issues.)
Weak Password Policy Leaves the Door Wide Open for Hackers
Though the full postmortem hasn't been completed yet, security officials at the North Dakota University System suspect that weak passwords on the system's servers may have contributed to the breach. It's one thing for a university to have low password standards for its users' accounts. It's another for the university to have weak passwords on its own servers. Ouch.
Strong passwords should be…
- A mix of letters, numbers, and symbols.
- A variety of uppercase and lowercase letters.
- At least eight characters in length.
When lax security occurs, heads will roll. That's just what happened in North Dakota as three of the top IT people were put on administrative leave. If these IT workers had been consultants rather than employees of the university system, they likely would have been sued.
3 Ways to Cover Cyber Liability and Manage IT Risk
Because IT contractors face the risk of a data breach lawsuit, let's look at some risk management strategies.
- Invest in third-party Cyber Liability Insurance. If your clients are hacked, you can be sued for damages. Errors and Omissions Insurance for IT professionals includes cyber liability coverage that pays for legal expenses when a client sues over your work. (For free quotes, submit an online insurance application.)
- Prioritize communication among contractors. You've heard the expression that the whole is more than the sum of its parts. But it's also true that the whole can be less than the sum of its parts if people aren't working together. Coordinating a large IT project can be fraught with errors if individual contractors don't organize their efforts.
- Educate your clients about proper password security and basic user security requirements. As an IT professional, there's only so much you can do. At a certain point, an organization's security depends on how its users (and not the network architects) behave on the network. Make sure to stress how important it is that your clients follow best practices.