A Reminder About Availability

When we talk to end users about security, we usually focus on the confidentiality part of the CIA triad – probably because it’s the most visible part of information security. But, every now and then, there’s a news item that reminds us about integrity and availability. And today was one of those days.

The Washington Post is reporting that a server failure over the weekend has wiped out the master copies of data accumulated by Sidekick smartphone users. This includes address books, calendars, to-do lists and photos.

Here’s the text of the announcement from T-Mobile and the operators of the data service at fault – the Danger subsidiary of Microsoft – as posted on the T-Mobile website.

Regrettably, based on Microsoft/Danger’s latest recovery assessment of their systems, we must now inform you that personal information stored on your device — such as contacts, calendar entries, to-do lists or photos — that is no longer on your Sidekick almost certainly has been lost as a result of a server failure at Microsoft/Danger. That said, our teams continue to work around-the-clock in hopes of discovering some way to recover this information. However, the likelihood of a successful outcome is extremely low.

It would be easy to play on the fact that this is a service now (since their takeover of Danger) operated by Microsoft, or use it to fuel fears of data loss “in the cloud”. But I think that we – as security awareness educators – should use this opportunity to stress some of the more general lessons:

  1. Remind your students that information security is more than simply preventing information disclosure (failure of confidentiality). Losing access to vital data (failure of availability) or being unable to trust the accuracy of information (failure of integrity) are also potentially very serious problems.
     
  2. In this particular case, it’s likely that the lost data was mostly personal information (the Sidekick isn’t a common smartphone in businesses). But a similar problem with information stored on smartphones/PDAs used for business might have a much greater impact. Ask your students to think about what – if any – business data they might have on their cellphones/PDAs, and ask them to imagine how they would be able to continue to work should they lose that data.
     
  3. Review your IT, InfoSec, Electronic Communications and/or Acceptable Use Policies to see what restrictions are currently placed on the use of smartphones/PDAs for storing business information, and to see how you’re communicating this information to your staff so that they understand and remember it.
     
  4. Build reminders about availability and integrity failures into your program of monthly reminders (you do have this in place, don’t you?) and avoid too much focus on the ‘sexier’ issue of confidentiality breaches.
