Tuesday, May 12, 2009

A Culture of Security

I read a lot of technical papers and discussions on the methodology of data security and the philosophy of a security-minded culture. A lot of very intelligent people are diligently looking for better and more efficient ways to move data around an enterprise while still maintaining a modicum of security. Data is, after all, the engine that runs modern business. Whether it is described as proprietary information (IP), developmental operating infrastructure, or a software product, our service-based society runs on data. If this intellectual property is compromised, it can ruin a company’s ability to maintain a competitive position.

There is even an industry whose whole purpose is to aggregate, sort, re-sort, and sell data. See Acxiom, ChoicePoint, or MIB for good examples of that sort of company. These “specialty database” companies have the additional burden of compiling the personally identifiable information of people who are not their clients but instead comprise the very commodity that the business trades in: data.

In my previous career in engineering we were always developing techniques, specialized machines, or circuit designs that would help not only to propel our industry but also to attract customers to our business in particular. Innovation is essential to any industry. Maintaining the security, or even the secrecy, of those innovations is paramount. In order to do that, everyone involved must be clear on the concept. Unfortunately, when I talk to people in the IT or IS fields, protecting trade secrets is usually the kind of data protection that comes to mind. Now and again I meet IT pros, especially in accounting, financial advisory, or mortgage firms, who are aware of the importance of protecting clients’ personal files. Technical managers are, by and large, vaguely aware that personnel information is also at stake, but that concept is usually rather abstract to them. They are more focused on the throughput of data, encryption algorithms, and models with enough justified loops to safeguard company data files from inadvertent loss or from being hacked by an outside source, while being highly efficient and serving the enterprise more effectively. When I illustrate a case of an unhappy employee who has walked out of the building with the HR employee records on a flash drive to sell at the local flea market, eyes glaze over. That doesn’t compute in a technically focused infrastructure. Short of freezing everyone out of records access, there is no working model that will prevent that from occurring. And that is the point. Information that has value, to anyone, can and will be stolen and misused for personal gain. The solutions cannot be purely technical; they have to include employee training and awareness. That is why the recommendations within every federal identity theft prevention law include employee training.

It is also critical that companies understand that, just as a loss of intellectual property can cripple a company, so can the loss of personal information. In fact, the loss of personal information has far-reaching consequences that extend beyond the incident itself and into the realm of public perception. When a company loses the confidence of the general public, whether deserved or not, it becomes harder to keep customers and attract new ones, operating capital is harder to get, and so forth. People believe that when a business is entrusted with their personal information, the company has a moral responsibility, as well as a legal one, to make every effort to protect it from thieves or accidental leaks.

It’s just as important to trust certain employees as it is to have technical safeguards in place. Any culture of security has to have a balance of common sense, technical procedures, and individual education and training. Treat your employees with respect by educating them on the realities of what identity theft can do to a person. With an average of 10 million U.S. victims annually, there is no shortage of real-life stories of individual ruin from identity theft. If a business can manage to do that kind of training alone, then the employees gain the knowledge not only to protect themselves and their families but also an insight and incentive to safeguard the personal information they handle on a daily basis at work. A business must sensibly bring the employees into the solution for data loss through training and education. An informed and empowered employee can very well be the best asset a company has in stemming the tide of data losses of any kind within the enterprise. I’m sure your employees know what to do in the event of fire, but do they know what to do if they discover that information has been stolen or compromised? That critical path alone can make the difference in whether an attacker gets away with valuable information from your company or not. Don’t rely on the TV ads promising to “stop identity theft before it happens”, or other wild claims, to train your staff. That’s kind of like relying on the teenagers in the neighborhood to teach the children about love and relationships, hardly what you want them to learn. Those ads are misleading and have little to do with the realities of identity theft in the everyday world.
