Data Security for the Enterprise: The Human Factor

When the subject of corporate data security comes up in a board meeting, chances are the discussion will straight away dive into complicated things such as firewalls and IDP systems. When this happens, it is usually obvious that the meeting participants:

  • Are not familiar with data security in the real world
  • Want a quick fix at a reasonable monetary investment
  • Prefer a particular department or an external third party to bear (almost sole) responsibility in this area

This approach is fundamentally flawed, and it’s amazing to see so many corporate bodies adopt such a simplistic approach to a very critical operational area.

More often than not, I have noticed that decision makers fail to address the real weakest link in any system: people. Yes, most people fail to see the value of data confidentiality. This is especially prevalent among clerical staff and junior executives. They tend to feel that they have no access to important information, and that what they do know is already public.

In my years of experience in the IT line, it never fails to surprise me how willingly people disclose their passwords without verifying the identity of the party requesting them. Sometimes I don’t even need to ask. Here’s a scenario that has happened far too often:

Me: Hi, I’m here to assist you with your Wizbang Application problem.
SU: Good. My username is <username> and password is <password>. Please look into it.

Even Microsoft uses a low-tech approach for its enterprise-wide security awareness programme: a simple card detailing information such as:

  • Where to access security policies
  • Whom to contact when an incident occurs, and what measures can be taken

Low-tech, yes. Creates awareness, undoubtedly. Simple yet effective.

The thing is, data security awareness needn’t be complicated. In fact, the simpler it is, the more likely it is to be understood at all staff levels. To me, the problem is more one of resistance. People expect something so important to be complex. This is the very nature of human beings, accustomed to years of social conditioning in which bureaucracy is seen as the guardian of important procedures. Overcoming this mindset can itself be daunting. However, once this hurdle is overcome, the rewards are plenty.

An interesting post on Darknet.co.uk discusses the need to include social engineering as part of penetration testing. I find myself agreeing with the logic behind this idea. You can have the most advanced data security hardware and software money can buy, but all of it will be useless without educating users about the importance of data confidentiality.

I feel that, at its most basic level, a data security policy should at the very least address the following issues:

  • Identity verification
  • Password lifecycle
  • Disclosure policies
  • Remedial actions and solutions
  • Ownership, authority, and responsibility
  • Convenience vs. Necessary Restrictions

I will not even pretend that this is an exhaustive list. However, I can safely say that it is probably the bare minimum of things to be considered in order to develop a competent security policy. Since I came up with the list, let me just name it the IPDROC guide for ease of reference.

You’re probably thinking, “If the IPDROC guide is so good, why does it need a Remedial actions and solutions section?” Well, my answer is that I have yet to see a good all-encompassing solution when it comes to data security.

Saying that a proposed solution is perfect is, at the very least, stupid and, at worst, arrogant. There’s nothing wrong with making a stupid mistake; nobody becomes smart without making a few. However, those who are arrogant and refuse to acknowledge flaws in their creations are, in my book, worse than stupid.

It is vital to have a remedial policy in place for unexpected situations. By skipping this portion, you’re taking a step towards havoc should something not go according to plan.

Thank you for reading this writeup to its completion. My intention in writing this is not to educate anyone; I am probably not worthy of such a thing. However, I do wish to share my thoughts on this issue and the observations I’ve made. Comments are most welcome and highly appreciated.