[Dataloss] Plug the holes in your cone of silence
security curmudgeon
jericho at attrition.org
Wed May 30 05:29:35 UTC 2007
Courtesy ISN:
---------- Forwarded message ----------
From: InfoSec News <alerts at infosecnews.org>
http://www.theage.com.au/news/security/plug-the-holes-in-your-cone-of-silence/2007/05/28/1180205158743.html
By Cynthia Karena
May 29, 2007
DATA loss is a significant factor in modern business, dependent as it is
now on electronic systems. And it occurs in many ways, some inadvertent,
some through stupidity and some criminal.

One organisation accidentally puts its sensitive market research report
online before it has been approved; another can't find data that has been
requested by a government department. Others lose laptops, unwittingly
send confidential information in emails, or give contractors too much
access to internal data.

This is lost data and its impact on a business can range from financial
loss, to damage to its reputation, potential loss of customers, or even
imprisonment if there is a breach of corporate governance.

[..]

And then there is the human factor. "Data loss occurs primarily because of
people," says Mr Baar. "Most information loss is through inappropriate
behaviour - someone talking about it in the pub or a lift, for instance.
People could go to a cafe with, say, patient records and leave them
behind."

[..]

"Everybody always underestimates the likelihood of data theft. It is
usually unreported, which (distorts data on occurrences) but given the
choice of attempting to hack an organisation from the outside or getting
inside to its soft centre, you would always take the easiest option.
External hacking is uncommon now, because it is too difficult. It's easier
to find an insider through money or threats," Mr Baar says.

What about disgruntled employees taking information with them when they
leave the company? Mr Lancaster says data needs to be locked down.
Departments should be able to retrieve only their own documents. Finally,
says Mr Walls, organisations should not reveal their security controls to
their own personnel.