Beating the human virus

In the digital world, information loss is almost always blamed on the machine. But humans are equally accountable.


Social networks and the increased use of mobile and wireless technologies are driving us to share greater amounts of data with our friends, colleagues and business associates. As technology makes the task easier, sensitive and confidential information is often shared in inappropriate ways that expose companies to considerable risks.

Some of the hot-topic technologies of the year, such as disk encryption and data leak prevention, are being pushed by a growing number of IT networking and security vendors as the cure-alls you've been seeking to reduce your risks.

Sharing responsibility
However, the most important thing to consider in any project for confidential data security is the human assets involved. After all, it is people, not machines, who are the primary cause of information ending up where it shouldn't be. From the CEO of a bank leaving his laptop in an airport lounge to memory sticks lost in the back of a taxi, CDs missing in the post and the wrong CC on an email, it is accidents, bad judgement, employees following a broken business process or an absence of process that are at the root of most problems.

In IT security circles people often talk of a magic door at the entrance to the office. As employees walk through it, they gain entry to a land where everything is considered safe and everything is considered acceptable. Copying data to a flash drive or burning a CD like you would at home is seen as OK since it's been done 'inside', and the user doesn't consider what happens once the drive or disc goes in their pocket and they walk out the door to go home. Often a familiar supplier phones and asks for customer information, so a spreadsheet is mailed. Was the information password protected or encrypted? What if the employee or supplier misplaces the information later? And what is the motivation of the person who finds it?

Understanding the problem

Many companies get stuck on the start line of projects to approach this subject. Only 30 per cent of customers know where data loss problems are, with the other 70 per cent knowing there's a problem but not where to look. Tight budget conditions and multiple overlapping technologies cause staff to endlessly deliberate what is most important, and lengthy classification exercises are often flagged as an essential prerequisite.

Educating users
In trying to achieve the perfect project, companies miss the point that their risk of data loss will never be eliminated, only better understood and, over time, hopefully reduced. Taking action and starting the project in even a small way helps to reduce the company's risk exposure, which has to be a good thing.

The good news is that the solution giving the greatest reduction in exposure to data loss risk costs little. Only when you understand more about how your employees do their jobs will you discover the errant business processes and behaviours you need to change to reduce your risks. IT teams are sometimes stand-offish, but they can also be very smart, and a number of studies have shown that the majority of users who are politely told they are doing the wrong thing and shown how to do the right thing amend their ways.

Of course some users will need some extra work, but all projects run in multiple phases and the key thing here is to make a start and address the majority who will make the greatest difference.

Constant interaction
Ask yourselves: When was the last time the IT team ran proactive education for users? Can you get 10-minute slots in department meetings to brief users on how to safely share data with external parties and give them an update on the company acceptable use policy and how this benefits them and the company by protecting customers, employees and intellectual property? Can you follow this up with an internal email or poster campaign that reinforces the message delivered? By engaging users and listening to their feedback you'll gain valuable knowledge that helps you understand the data sharing and risk-of-loss problems the company faces.

So, if projects have been hit by funding restrictions, have a think about what you can achieve by diverting resources to deliver end-user education. In the bigger scheme of things it costs you little, but it can make a huge difference.
