The subject of data breach, and the potential for subsequent harm, is never far from any serious “business” or “IT” mind. Breaches happen with dismaying regularity. Not a week goes by without an attack that gains access to even the most sophisticated environments: DataBreaches.net provides a sobering appreciation – and it’s not even a comprehensive list.
Of course, the other side of the coin is security. In that realm, what is often overlooked is any organization’s inside liabilities, which open a wide risk for exposure and bad outcomes. Most often, these liabilities involve a lack of user education/qualification, the resultant avenues of risk, and the ensuing human error. But there is yet a further inside liability that the organization cannot afford to overlook.
First, let’s consider: Inside the circle of elements the organization controls, education, and the mitigation of human error, are relatively easy. Notice I said “relatively” easy. It’s not inherently easy; it’s simply easier relative to other, more nefarious “inside” things: things that are hidden – often until it’s too late.
What nefarious potential does any organization face?
All organizations face the possibility of deliberate, malicious attack and exposure from the inside.
Disgruntled workers can do a great deal of harm. There have already been incidents of blogging, internet postings in response to news articles, and e-mail blasts that have adversely affected companies and allied reputations.
There is also the small matter of temptation: companies harbor all manner of sensitive data about partners and customers. Identity information, credit card data, and intellectual property are ripe for attack and exploitation. Therefore, companies that focus almost exclusively on perimeter defenses, such as firewalls and intrusion detection systems (as most do), are overlooking the internal threat – often posed by people who have authorized access to extremely powerful data: DBAs, systems administrators, network engineers/managers, solutions partners, consultants, contractors… even partners.
As stated before: True security begins with awareness. And – security is sustained through constant vigilance and update.
But consider the low-tech/no-tech liabilities from inside employees and elements, too: Ruminations at end-of-work Happy Hour can have extraordinary consequences. An unhappy co-worker can mention critical details of work; anyone who overhears, even from outside the company, can Twitter, Facebook, or otherwise blast the details to an extraordinary circle of friends and followers, and suddenly – there’s a problem.
What of discussions involving sensitive client data? Many companies harbor critical patent pending information: Here, a little thing called Obligation of Confidentiality provides for total control: Details simply cannot leak under any circumstances.
Today, policies must be up-to-date (indeed, “up to the minute” may not be much hyperbole here), and employees must receive quarterly counsel, at a minimum, regarding liabilities in making unauthorized and ill-advised exposures. These policies include, at a minimum:
- Acceptable Use
- Content Management
- Security
- Obligation of Confidentiality
- Others: Specific to your organization; its mission, its customers (constituents, partners, service elements, etc.), specific obligations under law, charters, culture, controlling authorities, and so forth…
In coming posts, I’ll be providing some considerations for each of these policies in view of current challenges, modern requirements, and the subsequent security posture of any organization: That is – yours.
By: David Scott

David Scott is a CIO/Fortune 100 IT professional and author of I.T. Wars: Managing the Business-Technology Weave in the New Millennium, which was selected as an MBA text at the University of Wisconsin. David is the sole proprietor of BTW Consulting: business writing, policies and plans. His comments have appeared in InfoWeek, Capitol Weekly (CA), and on the DC television show Communicating Today. You can connect with David on LinkedIn or on Twitter by following @davidscott999.