Another week, another data security problem hits the headlines. It’s the same old story: human error results in the “misplacement” of a piece of technology (disk, USB stick, etc.), but the easiest way to deal with it seems to be to blame the technology and chase after that as the source of the problem.
The thing for me is that people have been leaving important things on trains since Mr Stephenson stepped off the Rocket and said “Welcome to the Age of Steam, now where did I leave my umbrella?” So why is it now that we find ourselves in a world where the humble USB key finds itself transported from “friend of the networkingly challenged” to Satan’s portable storage device?
The problem, of course (beyond our own inability to deal with the implied human failure), is that we don’t have a sufficiently granular way of dealing with information risk. We simply don’t have access to a pervasive, infallible technology solution that, on a file-by-file basis, enables us to protect data that is sensitive while leaving less important data alone.
As a result, organisations and enterprises face a binary choice in deciding how to prevent this from happening again (a choice that is often made even worse when they are reeling from the headlines and embarrassment of another data loss). They can secure everything or secure nothing; it’s the only option they feel they have. Guess which one they choose?
I’ve worked with organisations who have an outright ban on portable storage devices; some even go so far as to glue up the USB ports on their PCs. Let me tell you, these are not organisations from the Security, Defence or Intelligence sectors; these are regular enterprises just like yours.
Don’t get me wrong, I don’t blame them for doing this, but it’s a bit of a sledgehammer for what is essentially a walnut. The technology vendors have a big part to play in this, as do the various governments and legislators that care about encryption standards, but importantly, the real challenge lies with you, dear reader, and it is one of data classification. There doesn’t seem to be much point in having a pervasive, granular data security solution if you don’t know which bits of your data are sensitive and which aren’t.
So what are you doing about it in your own organisations? Easy for me to say, I know, but trust me, I know how big a deal this is. I know it’s a mammoth task and involves getting the “business” to agree on a classification schema (and sometimes to accept the hard truth that their “sensitive” data really isn’t all that important), but no matter how arduous or tortuous the route, you have to take it if you want to be that agile, innovative organisation you always wanted to be.
Ignore this and you might as well break out the Araldite™ and get cracking…