Preventing Data Loss "Accidents"
Encryption is like a door lock: it's only useful when it is engaged. A story about a data loss incident at State Street brings this message home.
SearchFinancialSecurity reports that a contractor lost a disk with information about 5,500 employees and 40,000 customer accounts. The data had been encrypted but was decrypted to analyze it. It was not encrypted again after the analysis.
"The devil is in the details of implementation with crypto, where a poor implementation of a good algorithm gives a false sense of security and it's potentially worse than not using encryption at all," [Scott] Crawford [an analyst with Enterprise Management Associates] said. "Even when experts are involved, the processes can be a killer."
Encrypting is like wearing a seat belt. You don't expect to need it every time you use it, but you get into the habit of using it every time just in case. Maybe we need YouTube videos with something analogous to crash test dummies flying through a windshield. It's harder to get that graphic impact with data loss prevention than with other industrial accidents. The Canadian Workplace Safety and Insurance Board has come up with some graphic videos (as in horror movie graphic) for its worker safety campaign. The ads are designed to shock us into understanding that there are no "accidents"; our actions and inactions are the problem. We could use something like that to get the message out about IT security.



