This has been a huge year for data breach news – some of it was the "strange but true" variety. For example, take the recent story posted on Sophos's data security site Naked Security. Apparently, one Canadian man is holding Ernst & Young ransom, claiming he has old computers and devices that have private information like social insurance numbers stored on the hard drives.
Mark Morris claims to have bought used servers from E&Y in 2006, after the company acquired a smaller firm he had contracted with. From there, the story gets pretty kooky.
Morris says he has loads of data, but won't show screenshots of it. He claims that he has contacted black market data thieves who are willing to purchase the data for $1.2 million. He's offered to dispose of the data for E&Y, but wants to be paid handsomely for it. His going rate: $1,500 a day to delete the data. He contends the work will take many days.
This story, though absolutely bizarre, provides some important reminders about securing old devices, proper disposal methods, and how old IT jobs can come back to haunt you. Let's explore what you can learn from Ernst & Young's data security headache.
Lessons from Ernst & Young's Data Debacle
This bizarre circumstance may be the wackiest data breach story of the year (sorry, 5-year-old who hacked Microsoft). While everything about Morris's story is strange, it offers some important reminders for IT consultants:
- Criminals want your data. Some small-business owners don't realize how valuable their data is. It doesn't matter how much money your business makes because the data itself can be worth thousands (or millions) on the black market. Customer records, SSNs, and other protected information can be sold with relative ease in secret online forums, which means cyber criminals can make money from a data breach regardless of how big or small the hacked company is.
- Businesses overlook the importance of securing their devices. A surprising number of data breaches occur because a device is stolen or a business doesn't properly dispose of old computers. In the Ponemon Institute's 2014 Cost of Data Breach survey, breaches that involved lost or stolen devices actually cost 11 percent more than the average breach. Make sure your clients don't overlook their physical security.
- Data management is a key part of security. Who gets access to data? Who can store data on their devices? Those are two key questions that should always be kept at the forefront of an IT professional's mind. If employees are allowed to store protected data on their personal devices, it could expose your client to serious risk. Because laptops, iPhones, and other portable devices are easy to steal, it's crucial for IT consultants to limit data access to only the most secure environments.
- Data breaches can come from a mistake you made years ago. This breach involves servers that were sold eight years ago. The first smartphones were just rolling out back then. IT professionals can get burned by work they did long ago. This is one of the reasons it's important to have continuous Errors & Omissions Insurance. E&O can cover mistakes that occurred during the life of the policy. As long as you keep your coverage current, you could have years' worth of protection. But as soon as you let your policy lapse, you could lose coverage for all the work you did before then. The takeaway: get covered, and stay covered.
If you'd like to learn more about E&O and how much it costs for IT consultants, see our sample insurance quotes for IT businesses of different sizes and specialties.