The publication of thousands of confidential US embassy cables by the website Wikileaks has dominated news headlines for the past couple of weeks. You might think this must have been a case of hi-tech computer hacking, but the likely source of the leak should give us all cause for concern: a disgruntled user with authorized access who intentionally downloaded the material.
Clearly most of us are working with information which is a lot less sensitive, and which typically relates to customers, their interests and purchases. All the same, it would be embarrassing for a company – and harmful to customer relationships – if such information found its way into the wrong hands.
Most organisations take steps to secure the data held about their customers, and yet many initiatives focus heavily on technical issues such as encryption and password-protection, while neglecting the ‘human’ risks posed by authorized users, not least because those risks are more difficult to address.
All employees within a company’s offices are often considered ‘trusted users’ for a range of applications dealing with customer services, sales and accounts. Any one employee could quite easily plug a memory stick into their computer, copy some sensitive information, and from there pass it on to a competitor, or place it in the public domain.
This is often a bigger risk for larger companies, because there are simply more staff using their systems and because the data held by a large organisation may be more attractive to external parties. (Indeed, both factors clearly applied to the US embassy cables, where the sheer number of staff with an appropriate level of security clearance has been cited as a major security headache.)
There is unfortunately no ‘quick fix’, but a combination of steps can reduce the risk: recruit staff carefully, ensure they are properly trained, only grant access to systems as necessary, block the use of memory sticks, put system ‘audit trails’ in place, and ensure that logins are removed promptly when employees leave the organisation.
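Two of the steps above, system ‘audit trails’ and removing logins promptly when employees leave, only pay off if somebody actually reviews the trail. Below is an added example, not part of the original post, of the kind of routine check that makes them useful: it reads a few constructed audit-log lines, correlates them with a constructed HR leavers list, and flags logins by accounts that should already have been removed as well as unusually large data exports by one account in a day. The log format, the field names, the account names and the export threshold are all assumptions for the illustration, not any real product’s format.

```python
"""Added example (not from the original post): a small audit-trail review
that correlates constructed access-log lines with an HR leavers list.
It flags (a) logins by accounts that should have been removed after the
employee left and (b) unusually large data exports by a single account.
All data below is constructed for illustration; the log format, field
names and threshold are assumptions, not a real product's format."""
from collections import defaultdict
from datetime import datetime, date

# Constructed audit-trail lines: "<ISO timestamp> <user> <action> <records>"
SAMPLE_LOG = """\
2010-12-01T09:02:11 alice LOGIN 0
2010-12-01T09:05:40 alice EXPORT 120
2010-12-01T09:30:02 bob LOGIN 0
2010-12-01T09:31:15 bob EXPORT 48000
2010-12-02T18:47:09 carol LOGIN 0
2010-12-02T18:49:30 carol EXPORT 9500
2010-12-03T08:15:00 alice LOGIN 0
"""

# Constructed HR leavers list: account -> last working day
LEAVERS = {"carol": date(2010, 11, 30)}

# Assumed threshold: more records than any ordinary task needs in one day
BULK_EXPORT_THRESHOLD = 10000


def parse_audit_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, records = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "records": int(records),
        })
    return events


def logins_after_departure(events, leavers):
    """Accounts still logging in after the employee's last working day:
    evidence that the leaver process did not remove the login promptly."""
    findings = []
    for ev in events:
        last_day = leavers.get(ev["user"])
        if ev["action"] == "LOGIN" and last_day and ev["time"].date() > last_day:
            findings.append((ev["user"], ev["time"].isoformat()))
    return findings


def bulk_exports(events, threshold=BULK_EXPORT_THRESHOLD):
    """Accounts whose exported record count in a single calendar day exceeds
    the threshold; the audit trail makes a mass copy visible after the fact."""
    per_user_day = defaultdict(int)
    for ev in events:
        if ev["action"] == "EXPORT":
            per_user_day[(ev["user"], ev["time"].date())] += ev["records"]
    return sorted(
        (user, day.isoformat(), total)
        for (user, day), total in per_user_day.items()
        if total > threshold
    )


def review(text=SAMPLE_LOG, leavers=LEAVERS):
    """Run both checks over the log and return the findings."""
    events = parse_audit_log(text)
    return {
        "stale_logins": logins_after_departure(events, leavers),
        "bulk_exports": bulk_exports(events),
    }


if __name__ == "__main__":
    for kind, items in review().items():
        print(kind)
        for item in items:
            print("  ", item)
```

On the constructed data the review reports one stale login (carol, whose last working day was 30 November, logging in on 2 December) and one bulk export (bob, 48,000 records in a day); carol’s 9,500-record export stays under the assumed threshold, which is the point of choosing that number with care rather than guessing it. In practice the leavers list would come from the HR system and the log from the application, but the correlation itself is this simple, and it only works if the audit trail exists and someone runs the check regularly.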
Given the scale of the risk, it is heartening that the vast majority of staff are loyal and honest, but of course it only takes one incident to do the damage. So, if there’s one thing we can all learn from ‘cablegate’, it’s that encryption and passwords are not the complete answer, and we should all consider taking the personnel side of data security a lot more seriously.