[Dataloss] Plug the holes in your cone of silence

security curmudgeon jericho at attrition.org
Wed May 30 05:29:35 UTC 2007


Courtesy ISN:

---------- Forwarded message ----------
From: InfoSec News <alerts at infosecnews.org>

http://www.theage.com.au/news/security/plug-the-holes-in-your-cone-of-silence/2007/05/28/1180205158743.html

By Cynthia Karena
May 29, 2007

DATA loss is a significant factor in modern business, dependent as it is 
now on electronic systems. And it occurs in many ways, some inadvertent, 
some through stupidity and some criminal.

One organisation accidentally puts its sensitive market research report 
online before it has been approved; another can't find data that has been 
requested by a government department. Others lose laptops, unwittingly 
send confidential information in emails, or give contractors too much 
access to internal data.

This is lost data and its impact on a business can range from financial 
loss, to damage to its reputation, potential loss of customers, or even 
imprisonment if there is a breach of corporate governance.

[..]

And then there is the human factor. "Data loss occurs primarily because of 
people," says Mr Baar. "Most information loss is through inappropriate 
behaviour - someone talking about it in the pub or a lift, for instance. 
People could go to a cafe with, say, patient records and leave them 
behind."

[..]

"Everybody always underestimates the likelihood of data theft. It is 
usually unreported, which (distorts data on occurrences) but given the 
choice of attempting to hack an organisation from the outside or getting 
inside to its soft centre, you would always take the easiest option. 
External hacking is uncommon now, because it is too difficult. It's easier 
to find an insider through money or threats," Mr Baar says.

What about disgruntled employees taking information with them when they 
leave the company? Mr Lancaster says data needs to be locked down. 
Departments should be able to retrieve only their own documents. Finally, 
says Mr Walls, organisations should not reveal their security controls to 
their own personnel.
