St. Paul company focuses on data security.
By now, most companies know that data security is an important part of a business’s overall health. But most don’t know how high the stakes can be, or that they’ve gotten much higher since Sept. 11. Roger Hughes, owner of St. Paul-based Data Security Auditors, told us why data security is more important than ever.
Why did you start Data Security Auditors?
I’m one of the two founders, Chevas Mingo is the other. We have both been in the tech business for years, and we found that there is an inherent conflict of interest in that the people who do diagnosis or consulting for companies also sell software. We were frustrated when people came with a solution that included their company’s product–we wanted a company that had no affiliation with any product and that could render an independent assessment of data security without any hidden agenda.
How many employees do you have, and what is their training?
We only have six employees, but we have 125 independent auditors in the United States. Only a few of our audits require on-site presence. All of our employees have been in the tech business for 10 years and the data security business for five years.They all sign strict confidentiality agreements. Also, they have to undergo a criminal background check and an FBI background check.
What’s the most common source of damage to a company’s data security?
Externally, the greatest threat to a company is a false sense of security, thinking that they have a firewall and some sort of antivirus software and that’s enough. It’s not commonly known that McAfee and Norton are great for checking viruses, but often they can’t scan for Trojan horses or other hacking tools. Zombie software can be placed in a network and never be detected by these programs.
Under the new Patriot Act, if your company is hijacked by a terroristÑyour network, your Web site, whateverÑand that terrorist uses it somehow to attack a government agency or critical infrastructure, you personally can be charged with the crime of aiding and abetting a terrorist act. You can go to jail and get up to a $10,000 fine, or you can just get nailed with an injunction that shuts down your company for 90 days. And let’s not forget about the tort end of things. If somebody’s credit information gets hacked because you didn’t do your due diligence for data security, you personally can be sued for that.
Are most companies as safe as they can be?
Most of them are doing the best they can, but the problem is that IT project managers are in reaction mode. They don’t have time to be proactive for data security. I was a project manager for seven years, and I had as many as 22 projects I was accountable for at any given time. I was putting out fires every day, I didn’t have time to worry about firewalls or adding a DMZ.
We give companies five to 15 pages of prioritized action items, and it pays to take care of these things. We did an audit for a company’s Web site in Chicago, and found that a cracker could have duplicated every single credit card transaction and sent the information to a different site. The company had it fixed in less than an hour, and it saved them a lot of headaches downstream.
do you know a local company we should cover? Let us know about it. Send your local profile candidates to [email protected]