After my last blog (CIO To Do List – The Challenge of Protecting Sensitive Data), we surveyed several CIOs on how they manage test data. What we found is that many of those we talked to do not seem to appreciate the immense risk that test data copied from live databases could fall into the wrong hands and reveal competitive secrets, severely damaging their organization's position in the marketplace.
The initial response of most CIOs we contacted was that they are aware of the danger of test data exposing sensitive information and that their staff are doing an adequate job of protecting it. However, when asked what data they consider sensitive, few mentioned competitive information. None of them could explain how their staff monitor test processes to ensure the security and privacy of sensitive data, and none had an answer to the question of how they ensure that their IT staff do not misuse their data access privileges.
The focus of almost everyone contacted is on the legal implications of losing Social Security numbers, credit card numbers, and similar personally identifiable information about their customers. Of course these issues have been in the news almost constantly for several years, and companies and government agencies have gotten black eyes when someone gets careless with a laptop holding part of a customer database. As a result, most CIOs seem to think that all they have to do is mask a few key identity fields in their test databases, and so only a handful of fields ever get masked. This might meet specific legal requirements, but it does nothing to protect vital competitive secrets.
However, when asked about competitive information such as bills of materials, price lists, or discounts, almost all agreed that they were not doing enough to address the security of this data. What bothers me most is that most of those we talked to don't seem to realize that the loss of this information can damage their businesses at least as much as the loss of a customer database, and this information is routinely included in test databases because it lives in the same tables as the transactions being tested. Imagine your company going into a competitive bid against a competitor who knows exactly how much of a discount you will offer the customer. And that is just one scenario. A leak of employee information could let a competitor raid your company for its top producers; manufacturing methodologies could be very valuable to a foreign competitor who wants to raid your markets; drug discovery information can be worth hundreds of millions of dollars. The list goes on. You could be losing vital information, putting the company at a serious disadvantage in the marketplace, and have no way to figure out what was lost, what its business value is, or where the leak is. In fact, few companies even have systems in place to monitor how test data is used, who handles it, and whether and under what conditions it is shared with vendors and outside contractors.
And in some cases the exposure may reach far beyond the test data itself, into the heart of the company. If the test data comes from a system that is integrated with the corporate ERP, CRM, or financial solution, the copy could conceivably include the credentials that support that connection, such as service account passwords, API keys, or connection strings that the source system stored in its own configuration tables and that were copied along with everything else. If so, the test copy becomes an open door into those production systems that any competent competitor could use either to extract copies of production data or, worse, to introduce false data.
And the risk is not just that outsiders such as vendors may get this data. Who watches the internal IT people who have access to it? For instance, test data extracted from the corporate HR system could easily give IT employees, and employees of contractors who often also have unrestricted access to test databases, access to information that should never leave HR. Yes, the names are redacted, but that does not even begin to address the security issues involved: a salary next to a department, a title, and a hire date is often enough to identify the person even with the name removed. Just the rumors that could start, and that have started from this one scenario, are the stuff of nightmares.
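The two gaps above, competitive and HR columns that a "mask the SSN and card number" policy never touches, and integration credentials copied along with the configuration tables, are both things a test-data owner can check for mechanically before an extract is handed out. The following is an added example written for this article, not code from the original post or from any product it mentions. It audits a constructed sample extract (hypothetical table names, column names, and values, including a fake connection string and a fake API key) against a typical identity-only mask list and reports every unmasked column that still looks sensitive, either by column name or by the shape of its values.

```python
"""Masking-coverage audit for a test-data extract (added example, not the page's code)."""
import re

# Constructed sample extract: what a "copy of production" handed to a test team
# might look like. Tables, columns and values are hypothetical.
EXTRACT = {
    "customers": [
        {"cust_id": 101, "name": "Acme Corp", "ssn": "123-45-6789",
         "card_number": "4111111111111111", "contract_discount_pct": 27.5},
        {"cust_id": 102, "name": "Globex", "ssn": "987-65-4321",
         "card_number": "5500000000000004", "contract_discount_pct": 31.0},
    ],
    "bom": [
        {"part_no": "A-100", "supplier": "Initech", "unit_cost": 12.40},
        {"part_no": "A-101", "supplier": "Umbrella", "unit_cost": 3.15},
    ],
    "employees": [
        {"emp_id": 7, "name": "REDACTED", "dept": "Sales", "salary": 145000,
         "quota_attainment": 1.42},
        {"emp_id": 8, "name": "REDACTED", "dept": "Sales", "salary": 98000,
         "quota_attainment": 0.81},
    ],
    "integration_config": [
        # Fake credentials, constructed for the example.
        {"cfg_key": "erp.jdbc.url",
         "cfg_value": "jdbc:oracle:thin:svc_sync/Hunter2@erp.example.internal:1521/PROD"},
        {"cfg_key": "crm.endpoint", "cfg_value": "https://crm.example.internal/api"},
        {"cfg_key": "crm.api_key",
         "cfg_value": "9f2c4b8e1d7a6c3b5e0f8a9d2c1b4e7f6a3d5c8b"},
    ],
}

# The "mask a few key fields" policy: identity fields only.
TYPICAL_MASK_LIST = {("customers", "ssn"), ("customers", "card_number"),
                     ("employees", "name")}

# Column-name heuristics for the data the article argues is usually left in the clear.
NAME_RULES = {
    "competitive": re.compile(r"price|discount|cost|margin|quota|bom|supplier|rebate", re.I),
    "hr": re.compile(r"salary|bonus|compensation|performance|rating", re.I),
    "identity": re.compile(r"ssn|social|card|dob|birth|passport", re.I),
    "credential": re.compile(r"passw|secret|api_key|token|jdbc|conn", re.I),
}

# Value heuristics: credentials hiding in ordinary-looking configuration rows.
VALUE_RULES = {
    "url with embedded credentials": re.compile(r"://[^/\s:@]+:[^@\s]+@"),
    "jdbc url with embedded credentials": re.compile(r"^jdbc:\S+/\S+@", re.I),
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "long opaque token": re.compile(r"^[A-Fa-f0-9]{32,}$|^[A-Za-z0-9+/_-]{32,}={0,2}$"),
}


def table_columns(rows):
    """Column names of a table in first-seen order."""
    columns = []
    for row in rows:
        for column in row:
            if column not in columns:
                columns.append(column)
    return columns


def classify_column(column, values):
    """Reasons this column looks sensitive (empty set if none)."""
    reasons = set()
    for label, rule in NAME_RULES.items():
        if rule.search(column):
            reasons.add(f"name:{label}")
    for value in values:
        if isinstance(value, str):
            for label, rule in VALUE_RULES.items():
                if rule.search(value):
                    reasons.add(f"value:{label}")
    return reasons


def audit(extract, masked):
    """Every column the mask list leaves in the clear that still looks sensitive."""
    findings = []
    for table, rows in extract.items():
        for column in table_columns(rows):
            if (table, column) in masked:
                continue
            reasons = classify_column(column, [row.get(column) for row in rows])
            if reasons:
                findings.append({"table": table, "column": column,
                                 "reasons": sorted(reasons)})
    return sorted(findings, key=lambda f: (f["table"], f["column"]))


def coverage(extract, masked):
    """How much of the extract the mask list actually covers."""
    total = masked_present = 0
    for table, rows in extract.items():
        for column in table_columns(rows):
            total += 1
            masked_present += (table, column) in masked
    return {"columns": total, "masked": masked_present,
            "unmasked_flagged": len(audit(extract, masked))}


if __name__ == "__main__":
    print(coverage(EXTRACT, TYPICAL_MASK_LIST))
    for finding in audit(EXTRACT, TYPICAL_MASK_LIST):
        print(f"{finding['table']}.{finding['column']}: {', '.join(finding['reasons'])}")
```

On the constructed sample the identity-only policy covers 3 of 15 columns and leaves 6 flagged ones in the clear: the discount, cost, supplier, salary, and quota columns by name, and the configuration value column because one row is a JDBC URL with an embedded password and another is a 40-character hex key. The name rules are deliberately broad and will produce false positives on a real schema; the point of running such a check before an extract leaves the production team is that every column it flags gets a recorded decision (mask, drop, or accept) rather than silently shipping.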
The bottom line: the data security problem with test data is immense; few organizations appreciate its magnitude; and masking a few fields in a copy of production does not even begin to address it. This is a comprehensive data security issue.
As a result, we are announcing a Data Privacy pack for Oracle applications starting at $25K. This provides a comprehensive solution that can extend to multiple environments at a starting price point. We firmly believe that CIOs need to address the test data security issue immediately and that this product will put them far ahead at a low cost in both money and time.