Sunday, March 11, 2007

Identity Theft, Portable Drives and IT Responsibility

I've been thinking recently about how much responsibility IT Managers should assume. True, it seems that every day there is another "issue" which arises for SMBs (small to medium businesses) in which information technology has a role. Disparate systems converge. Silos of information need to be managed. Whether it's real-time monitoring of machines in the factory, implementation of VoIP telephony, deployment of biometric time-and-attendance systems, coordination of video and audio resources, or automation of physical security systems, the IT manager constantly has his or her domain of responsibilities increasing. Not bad if all you care about is expanding an empire. But a little intimidating if all you get is an ever-expanding job description with no pay raise.

My take on this is simple. It comes with the territory. Expansion of the domain of IT responsibilities is inevitable. The only feasible approach is be proactive and realize that management tools will emerge to fill the vacuum. But the expansion of responsibilities is also part of the challenge of being an IT manager and one of its truly fascinating opportunities. Each day presents a chance to know a little more about a technology which was previously slightly mysterious and which will now be managed.

Here's a case in point. I'm hoping readers will jump in with other examples and differences of opinion.

We've all witnessed an explosion of portable drive technology in the last few years. We've also seen, almost daily, news stories about identity theft and the exposure of private information. One recent example in Canada was the theft of customer information from Winners and HomeSense (through computer information systems belonging to their parent company TJX Cos in the United States). Another example was the loss of a computer with about half a million Talvest Mutual Funds client accounts from CIBC. In the United States, the Veterans Administration was breached with a loss of up to 1.85 million records.

Whether the losses occurred through computer theft, hacking systems, or plain, old user stupidity, they all involve questions of the extent of IT manager responsibility. If you are constantly looking over your shoulder worried about losing your job, then it is highly likely that you will want to limit your responsibilities and divest yourself of whatever you can. If, however, you are fortunate enough to feel relatively secure in your job and are motivated primarily by the challenge of solving problems, then you will be thinking about how to mitigate risks and exposure. Those differences in attitude are, in my view, huge. Anything you can do to get into the mindset of solving problems with technology rather than limiting personal exposure is guaranteed to improve your job satisfaction.

One small thing IT managers in SMBs can do in 2007 to mitigate identity theft specifically and data theft generally is to implement fingerprint biometrics or multi-factor authentication wherever possible. Start small with portable drives. Ensuring that these units are standardized in your company and that they are reasonably secure will reduce your exposure.

I come from a large family with several siblings working in the IT sector. We've recently discussed in our family e-group all the differing smart/thumb drives and portable drives we are using. It quickly became apparent to me that if we can have this much diversity in a family, how much more can we expect among users in our companies?

Standardizing on a fingerprint biometric flash memory drive (I've seen a few Microsoft IT Pro advisors with these units) is the first step. iQBio has a variety of units that are worth considering. The 2GB ClipBio "flip clip" is both weatherproof and fingerprint biometric enabled. Up to ten fingerprints can be enrolled per device. By ensuring only specific devices for portable storage are allowed in the company, you can mitigate risk of theft slightly.

Migrating to Windows Vista and implementing Group Policies to block unwanted devices while selectively enabling others would also mitigate risk. But the added benefit here is that you can actually boost performance on those Vista systems with ReadyBoost technology. The idea is that USB flash drives can be used to give the memory on your system a boost thereby enabling memory-intensive GUI features.

I'm sure readers will have other opportunities in mind for mitigating data theft exposure. But my overall point remains. Embrace the challenge, protect your company's information assets, and make management slightly easier through standardization and group policy implementation.

No comments: