There was yet another security breach inside the government this week and this one involved an employee sending personal information via the Internet.
What in the world does that mean?
Open letter to the White House CIO: please better define what you mean by Internet. As I said in earlier blog posts, whenever you pull people into the middle of information technology it is unreasonable to expect that they will self-enforce 100% of the policies 100% of the time. We won’t lock our laptops all the time. We won’t choose passwords that are totally random with a combination of numbers and punctuation (my WEP password for my wireless router is based on the key 3210abcdef!) No matter how many encryption products you put on our desktop we will forget to use them and we won’t check for SSL encryption and check the certificate on every website that we go to.
So what is a company to do? They must make the assumption that people will shy away from following a policy when following that policy stymies their productivity. (And from what I’ve seen, many corporate policies do stymie productivity.) Companies need to deploy technologies that allow them to transparently manage and enforce security and usage policies, so that protection does not depend on every employee remembering the rule every time.
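As an added illustration of what "transparent enforcement" can look like in practice (this is example code written for this post, not anything the author or the White House CIO described), here is a small outbound-content check of the kind a data loss prevention filter performs: it scans a message for card-number-shaped digit runs, confirms them with the Luhn check so that order and tracking numbers are not flagged, and either allows the message or blocks it and returns a redacted copy. The sample messages and the function names (`find_pans`, `enforce`) are constructed for this example; the 4111... value is a standard test number, not a real card.

```python
import re
from typing import List, Tuple

# Constructed sample outbound messages for this example (not real data).
# The first contains a well-known test card number that passes Luhn;
# the second contains a 16-digit tracking number that does not.
SAMPLE_MESSAGES = [
    "Hi Bob, the customer's card is 4111 1111 1111 1111, exp 12/26.",
    "Order #20240017 shipped; tracking 1234567890123456.",
    "Meeting moved to 3pm, see you there.",
]

# 13 to 19 digits, each optionally followed by a space or hyphen,
# not glued onto a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _candidates(text: str) -> List[Tuple[int, int, str]]:
    """Yield (start, end, normalized_digits) for Luhn-valid digit runs."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def find_pans(text: str) -> List[str]:
    """Return the normalized card numbers found in text (empty if none)."""
    return [digits for _, _, digits in _candidates(text)]


def mask(pan: str) -> str:
    """Keep only the last four digits, as a DLP log or redaction would."""
    return "*" * (len(pan) - 4) + pan[-4:]


def enforce(text: str) -> Tuple[str, str]:
    """Apply the policy: ('allow', text) or ('block', redacted_text)."""
    hits = _candidates(text)
    if not hits:
        return "allow", text
    out, last = [], 0
    for start, end, digits in hits:
        out.append(text[last:start])
        out.append(mask(digits))
        last = end
    out.append(text[last:])
    return "block", "".join(out)


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict, shown = enforce(msg)
        print(f"{verdict:5s} | {shown}")
```

The point of the Luhn step is precision: a filter that blocks every long digit run gets switched off within a week, which is exactly the "policy stymies productivity" failure described above. A real deployment would add other data classes (national ID formats, account numbers) and sit in the mail gateway or proxy rather than in a script, but the shape is the same.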
Okay ladies and gentlemen, here is the one crisp and pithy statement from your dear blogger:
“The protection of data should be a consistent concern and process throughout all areas of the company; whether it’s an administrative assistant writing a credit card number on a Post-it or it’s your SAP module sending information to an EDI translator and out to a business partner.”
Okay, that wasn’t so pithy, but here is another one: “Information security policies must be clear and straightforward. Assuming that you can cover everything by using blanket terms like ‘personal information should not be sent over the Internet unencrypted’ actually increases the risk that you will end up on the front page of Google News, because someone in your organization surely has a different interpretation of what it means to send information over the Internet.”