Is it just me, or does it seem like the most basic security policies appear to be breaking down in enterprises everywhere?
A few weeks ago one of our very own employees picked up a briefcase that an HSBC employee left on a Sydney train and found inside the banking details, names and home addresses, as well as other personal financial information of over 100 HSBC Australia customers.
Similarly, a recent audit found that the US Internal Revenue Service had over 400 laptops lost or stolen in the past three years. As a former Yank who's familiar with the harsh rectitude of the IRS, I find this particularly disconcerting. My gut feeling is that if an agency like the IRS, which wrote the book on how to conduct painful audits, can't get its security policies right, who can?
A friend of mine in Sydney told me another security related story just the other day. A sales executive in his company accepted a job with a competitor. Company policy mandated that she clear out her desk, pack up her belongings and be given "the march" out the office.
The saleswoman dutifully complied, but before leaving, she walked up to one of the IT guys and asked: If I delete an e-mail from my outbox, does that mean it's deleted forever?
Immediately suspicious, the IT worker checked the archive on the server and, sure enough, the woman had e-mailed a copy of the company's entire customer list to her Hotmail address. As my friend pointed out, "If she hadn't asked that question about deleting e-mails, or had she simply used her Web e-mail instead, the company might never have known."
With so many company secrets left unsecured on the network, it's no wonder that a recent Privacy Rights Clearinghouse survey found that about one-third of costly or embarrassing leaks to companies were identified as internal, due either to malicious or negligent insiders or to faulty controls and oversight.
A similar survey by the Enterprise Strategy Group found that about 80 percent of companies identified the biggest threat to their data as internal. Even more worrying is that while close to 60 percent of those surveyed felt that valuable intellectual property is likely to leak out of their company via traffic such as e-mail or the Web, about 25 percent confessed that they still do not inspect such traffic.
The dangers of bad publicity, damage to the brand and legal consequences are very real indeed. And as the story, Enemy Inside the Firewall, points out, the best way to mitigate business risks from badly behaved workers is still to pre-empt them by managing your company's valuable data effectively. No more excuses.