No one can argue that the most valuable asset for any enterprise, regardless of industry (whether military, finance, health care) is its data.
Whether that data includes an investment strategy/portfolio, personal identity, health care history or national security, it must be safeguarded and controlled.
We're all familiar with the data lifecycle and its related security controls, including encryption in storage and in transit and effective destruction. But do we also consider the format of the data?
Data lives in many forms outside of the regular electronic email, internet, PC, server or mainframe types with which we normally work.
Unfortunately, some of our biggest vulnerabilities live in many other forms.
Printed paper is not the least of those. Scribbled notes, copied material, casual conversations on an elevator, voicemails or even a fellow passenger's laptop (with the curious snooper watching over) are other forms of sensitive data.
The main issue here is that most of us may not view these as “data types”. The truth is they can cause the same amount of harm as a DVD, USB or PC packed with information, and can just as easily land you on the front page.
Let us take a look at an unfortunate use case to bring this all into context.
Henry S., a database administrator, was working over the weekend to get a presentation finished for his board of directors.
His area of focus was his firm's strategy on the proprietary development of database software that would revolutionize the storage and sharing of information with clients.
Henry's developments were ahead of all others in the enterprise, and possibly the industry. What wasn't being thought about was how valuable the information being prepared could be to competitors or thieves for profit.
It was late Sunday night, and Henry was just happy finalizing and saving everything. Now he just had to print it. At about 11:30 that evening, he found himself printing 20 color copies of his “master presentation” at the neighborhood copier. He felt the data he was bringing with him was safe since he brought it on an encrypted USB drive.
At one point Henry's copying streak went awry – after about 10 copies the machine began spitting out green paint. Henry wasn't panicking – he knew there was plenty of time and his current set of copies was safe.
After getting assistance and finishing the job on another machine, he found himself in the middle of a chaotic frenzy of paper crazily thrown all around his area. He was able to get things cleaned up, but what he wasn't aware of was the five copies he'd left at the malfunctioning printer.
Though a good multitasker, Henry was exhausted, yet practically livid with the thought of the next day's presentation and the effects it would have on his career and department. All he could think about was getting the deck right and being well prepared for the audience.
He got home with all the paperwork in his backpack and passed out.
The next day at the presentation, all went well, the crowd loved it and Henry was on top of the world. There had been a slight mishap though, since there weren't enough hard copies to go around for everyone at the meeting.
That was weird – he was sure he'd made enough. Everything had gone well, except for those five mysteriously missing copies of the presentation.
What then seemed to be a small loss, within the next few days landed Henry and his firm on the front page of the paper. The headline read: “Leading Financial Firm's Innovative Software Idea up for Grabs at Local Print Shop” – not quite the fabulous outcome he'd hoped for.
It turned out that whoever got hold of the lost copies managed to re-engineer the software and get it to market. To make things worse, the data-loss incident was widely publicized, the fallout including Henry's suspension and investigation, a full 10-point drop in his firm's stock price and a long-term negative reputational impact for his firm.
Data in any format is an extremely critical asset and liability when not controlled or secured properly. The effect of negligence over that asset can be detrimental to a career, an innovative idea and possibly an entire franchise.
Proper due diligence and controls are necessary for the entire lifecycle of the data, be it encryption in storage and in transit for electronic material, or locks and safes for storage and shredding for destruction of hardcopy material.
Had Henry only given a bit of thought to these things as a top priority, reputations and careers might have been saved (and likely would have flourished). Instead everyone had to run for cover, hope not to get hit by the shattering fallout, and hope to keep their shirts on their backs.
Andres Tabares, CISSP/CISM, is an information security professional at a major financial services firm in New York, where he focuses on external data protection.