Lepide Blog: A Guide to IT Security, Compliance and IT Operations

Have You Left It Unlocked with The Keys In?

If you were placed in charge of your boss’ Ferrari, you’d make damn sure you knew where the keys were at all times. If anyone asked to so much as look at the car, you’d be on edge and watching them closely. You’d make sure it was always somewhere safe. You wouldn’t leave the keys in the staff canteen unguarded, and you certainly wouldn’t let the new hire in the sales team take it out for a ‘spin’ with his friends. Obvious – right?

So, why do we do this with our data? The implications of an ill-advised move of a sensitive file, or of a rogue, opportunistic, over-privileged employee copying sensitive data to an insecure location, are huge. Yet, according to our research, only 1/3 of all mid-market organizations track or monitor user behaviour or access rights around their most critical asset – their data. Why do so few organizations still have a defined approach to governing access to and monitoring their sensitive data?

Do We Need a Mantra to Make Data More Tangible?

I think the problem is one of tangibility. In its essence, data isn’t tangible – it doesn’t ‘feel’ valuable. It’s the same reason people run up debts on credit cards; if you put it on the ‘card’ it doesn’t feel like real money. The challenge faced by those interested in protecting data is similar to one the DVD industry faced a few years back. Once film streaming became popular, there was no physical product to assign value to. Their response to this was an anti-piracy public service announcement:

You wouldn’t steal a car,
You wouldn’t steal a handbag,
You wouldn’t steal a television,
You wouldn’t steal a movie.
Downloading pirated films is stealing,
Stealing is against the law,
PIRACY, IT’S A CRIME.

Perhaps there should be a variation of this for those wanting to educate employees about data security. I definitely think there is a lot more the data security industry can do to help its customers raise awareness of this issue. We must help our customers communicate the message that ‘data IS the business.’ Data holds incredible value; it must be treated with the same regard as we would treat ‘hard cash’!

Back to the Future

In many ways, it seems a lot of organizations have lost respect for their data. Before we can move forward in protecting our data, we probably need to take a few steps back. We should think back to how we used to secure our data – i.e. with heavy security, closely guarded access, locked filing cabinets and other physical measures. How can we better replicate this level of security in the digital world? This is the key question we should be asking.

Admit You’ve Got a Problem

Our research tells us that a majority (at least 2/3) of organizations have issues with abuse of privilege: employees storing, moving or interacting with sensitive data inappropriately. Our experience and research also tell us that it’s usually those organizations that initially deny they have a problem that turn out to have the biggest ones. Like any bad habit, the key to breaking it is to admit you’ve got a problem.

Light on Policy, Heavy on Intent

Often, it’s not a problem of a lack of policy – it’s a problem of too much policy, poorly communicated or enforced. If the policy is buried in a lengthy handbook (which no-one ever reads), the ideas that you want your employees to embrace will be lost. The ideas surrounding what it takes to keep your organization’s most critical assets secure will simply not stick, and you’ll be no better off than if you had no policy at all. The best policies are the ones that contain a clear statement of intent, are easy to understand and are embraced from the top down. The intent must then become a part of the corporate culture – throughout ALL departments. It’s not just an IT problem.

A possible statement of intent may look something like this:

Our business is all about the data we collect and share. At all times we need to know where our data is, who has access to it and KNOW that it is being handled responsibly. We need to treat data as if it were cash.

A Plan Built on Questions, Not Products – Avoiding the Hype

Sometimes, information security failures aren’t the result of a lack of effort. We’ve engaged with organizations that were spending tens, sometimes even hundreds, of thousands of dollars on their security technology yet were still unable to answer fundamental questions about what was happening with their data. Often the issue is that many of these ‘products’ are so overly complicated that they become unusable.

That’s why we’re here. At the heart of our story is your data – and the security and compliance questions that surround it. We believe IT security should start with questions, not features. Whenever we’re talking to organizations as part of our discovery process, we work our way through a scenario and a series of fundamental, seemingly obvious questions to determine how much they know about the scale of their data security problem.

Would you like to know more about the kind of questions we ask?

Click here to read How Would Your Organization Fare if Faced with This Data Security Issue?