In a time when data security is so important, how well does your company monitor who is accessing your data? My guess is not very well at all.

Even though corporate compliance laws such as HIPAA (http://www.hhs.gov/ocr/hipaa/) and Sarbanes-Oxley help keep data protection fresh on the minds of CIOs, there are still many reasons why our efforts have a long way to go.

A woman exits through the store's security gate and the alarm sounds. She pauses and looks around, but the store clerk resets the alarm without even checking her bags and returns to what he was doing. She then continues on her way.

How often does that scenario play out? Judging by my recent shopping excursions, I would say a lot. The security sensors at store entrances are basically worthless today. Why? Because employees assume the alarm is false like so many times before, or worse, they just don't have the time or care enough to follow up on the alert. In a sense, they've become desensitised to the alarm. The mechanism is in place to cut down on theft, but maybe its best use is to simply serve as a deterrent for would-be thieves. Then again, maybe thieves know they can walk out without worrying about the consequences of a tripped alarm.

There are numerous parallels to be made with the average corporate IT shop and the above scenario. For instance, many warning signs buried in audit logs and system security events go unheeded or unnoticed by IT pros until it's too late. These "alerts" could prevent or thwart attempted data breaches if actively monitored and acted upon.

Let's take last year's high-profile data breach cases at UCLA (http://news.com.com/UCLA+laptop+theft+exposes+ID+info/2100-1029_3-5230662.html) and Ohio University (http://news.com.com/2100-7349_3-6074739.html) as examples. The breaches put more than 1.1 million individuals' private personal data at risk. It was later discovered during the investigations that the systems had been actively compromised for more than a year - a full year of opportunities to stop the security breaches and prevent further data loss! Why were investigators able to trace event logs back a full year after the breach occurred, but the university IT staffs couldn't detect the intrusions while they were happening under their noses?

A popular reason cited for undetected data breaches, other than corporate security policy holes, is the sheer volume of audit data generated by multiple systems and the manpower needed to analyze it. Unless your company has a sizable IT department and budget, you may not have dedicated security analysts on staff. However, it should be pointed out that nearly all of the reported data breaches during the past year occurred at companies large enough to devote the necessary resources to trustworthy security practices. They have no excuses.

Another reason for security mishaps is the fact that IT is still just a necessary vehicle for the rest of corporate America. IT serves as the conduit for business profitability but is still viewed as a hit on the bottom line - an expensive hit at that. Additionally, as IT budgets become leaner, more work is expected of an already taxed staff. Walk around your IT department and ask each pro how much time they spend chasing down data security events and reviewing audit logs. Unless they happen to be security analysts, you'll probably get an emphatic response that they have too many other duties and projects to tend to and cannot spend their time poring over security event logs.

A corporate culture change is what is needed to fix data security holes and the many reported data breaches today. The centerpiece of a company's security plan cannot be Microsoft's monthly Hot Fix releases. It has to include sound security policies that focus on limiting private data exposure and that also include data encryption and audit log monitoring. Anything less than a full commitment will not get the job done.

This was published in Serverside. Check every Tuesday for more stories.

Comments

Zenlogic.com.au - 02/03/07

I totally agree that systems security is a culture issue. Unfortunately security is also perceived as a nebulous monster, and is largely misunderstood or given lip service.

Regarding application development security, without a properly thought out threat model you end up with a "log everything" scenario, and an inconsistent warning system - resulting in too many "false positives" which end up in the admin in-box and often ignored.
