Data Security - Whose Responsibility is it?
Author:  Jason Kallevig
Date:  August 2008

We live in a digital world.  Everyone is aware of identity theft, viruses & spyware.  Every day we partake in hundreds of transactions that involve information sharing.  Who is really responsible for this information?  We all assume someone has carefully planned each process, but is this the case?

Businesses come in many shapes and sizes.  Companies can be public, private, large or small, and each has many types of data to be concerned with.  We must consider customer data, company data, employee data, industry data, etc.  Data can range from general knowledge to highly sensitive.  We piece these components together into an event that can be considered a transaction. 

For example, an employee of a small manufacturing company has an unexcused absence from work due to a medical issue and is written up.  Our formula becomes X = Small Business + Employee Data + Highly Sensitive.  Being as diligent as possible, the manager includes details of the medical issue in the documentation and it is filed with the employee's records on the file server.  Who is responsible for the security of this information?  Is the manufacturing company bound to privacy standards such as HIPPA?  Who can really access this information? 

If asked, the owner of the manufacturing company would likely respond that the employee section of the file server is carefully secured, and only authorized users have access to the information.  However, data is constantly flowing, and let's assume that after 2 years we need to do some ‘IT housecleaning' and free up some space.  Data is moved to an archive, possibly burned to DVD, or sent to offsite storage.  Who has access to the information now, and whose responsibility is it?  Although rarely admitted, it is a fact that a very real portion of IT data protection assumes that data becomes irrelevant, gets lost in the clutter, and is secure by its perceived lack of value.  But the information does remain intact, in perfect quality, waiting to be discovered by anyone that can find value in it. 

As overwhelming as technology can be, responsible business owners need maintain roots with common sense and old fashioned smarts.  Technology usage, whether securing data, browsing the web, or managing email needs 3 key components.  Have preventative measures in place, enforce wise and informed usage habits, and have a strategy in place to handle incidents.  According to Osterman Research, Inc., spam now accounts for more than 85% of all email traffic.  93% of organizations have had a virus, worm, or Trojan Horse successfully infiltrate their network through email.

Let's use medieval terms to develop a low-tech, common sense approach to protecting our email system.

Step 1 - Prevention 
Dig a moat and guard it.  We don't want to deal with attackers inside the castle, or even at the castle walls.  Let's implement a perimeter defense that keeps attackers well outside of our vulnerable vaults and innocent citizens.  Then build in adequate defenses to monitor and make sure that over-achieving ‘special-ops' get picked off on a case by case basis.

Step 2 - Educate and Enforce Wise Usage
Make sure our users know that extravagant gifts such as large horse statues really are too good to be true.  Does filling out a survey really justify a new IPod?  Remember our citizens are innocent, and shouldn't have to live in fear of the cruel world outside.  We need to offer assurance they are adequately protected, but awareness that midnight excursions through the forest will likely have unpleasant results.

Step 3 - Incident Preparedness
This is where it gets ugly.  Our previous efforts strive to keep the armor polished and pristine, and the weaponry on the shelf.  The cold hard truth is that we do need troops in place to battle the unthinkable.  They need to be well trained, and know the environment well in order to have every advantage in case of an invasion.  Their allegiance is to the business, the user, and themselves - in that order.

Royal robes away, and back in your role as a responsible businessperson.  We have developed a strategy for email usage.  Now is the time to get your IT staff involved and implement.  After implementation - verify.  Don't accept jargon as an explanation.  Force your IT staff to explain the process in equally simplistic terms to break the chain of assumption.  You assume because IT told you.  IT assumes because their vendors told them.  The vendors assume because their sales training and marketing literature told them.  You can see where this is heading.

The complexity of our technical world is so overwhelming it can be easiest to simply turn off our common sense instincts and 'let the experts deal with it'.  This is simply not a responsible approach.  Take the example of Police Radar and Radar Detectors.  Both made by the same manufacturers, a natural cycle of constantly outdated products was created.  The common sense answer was simply to 'Don't Speed', and the smart man removed himself from the cycle.  Measure productivity benefits with risk when moving into new technology, and always ask yourself, "Is this wise?" 

-Jason Kallevig
August 2008