The desire for the availability of our data is unquenchable. The technological innovation which this need inspires yields continuous development of ever evolving solutions with the express purpose of ensuring our data accessibility independent of time or place.
As our work habits evolve to take full advantage of this wide array of product offerings, appropriately safeguarding our data becomes more and more difficult. Worse, consumers frequently throw caution to the wind in favor of ease of access.
The trouble is that many, if not all, of these consumers are also business users, and the very controls we implement to protect corporate data are continuously challenged by user behavior and a tenuous understanding of what is at risk.
On the Go and At Risk
A glance around any coffee house, airport or conference center inevitably reveals more than a few individuals accessing their data remotely. They busily check corporate email, transfer files and tweet their status without a second thought as to the security of their wireless connection or who may be looking over their shoulder -- each firmly believing that being individually targeted for identity theft or cyber-attack is unlikely.
How many devices have been left unguarded in empty seats? How strong is their enforced password/PIN control? How well is your organizational media handling policy really being adhered to?
When laptops first became popular, users claimed that local password controls and operating system security mitigated the risk of data transported beyond the physical confines of their office environments. Nevertheless, according to the Privacy Rights Clearinghouse, year-to-date, over 470,000 records have been breached as a result of lost or stolen laptops.
When Dropbox first came out, users claimed that the invitation only method mitigated the risks posed by its public-facing storage repositories. Then, in August, Dropbox notified thousands of users of breached account credentials and email addresses.
More recently, the use of employee-owned smart phones and tablets, commonly referred to as Bring Your Own Device (BYOD), has gained popular attention for its potential for data leakage. In fact, those concerns are well founded. Despite statistics identifying increasing malware threats, among other concerns, less than a fifth of smart phone users employ anti-virus or other security software to protect themselves.
The Weakest Link
The trouble is that in nearly every case, the strength of the technical control employed to protect sensitive data relies on responsible media handling and the strength of user passwords. Many corporations require best practice media handling in policy and further enforce best practice password controls; unfortunately, many still do not.
Worse, consumers consistently protect their physical assets with little more than minor regard, and their application and system data with little better than “password” or “123456” -- each of which was identified among the top ten most popular passwords in the 453,492 credentials published as a result of the July Yahoo breach. A further example: “link” and “1234” were the number one and number two most popular passwords respectively among the 6,458,020 credentials published as a result of the June LinkedIn breach.
Think about it. To mitigate laptop-originated data loss, disk encryption is frequently employed. The strength of the cryptographic protection is based on the user password and/or cryptographic passphrase. To mitigate the Dropbox threat, affected user passwords were reset and users were advised to use randomized, strong passwords. To mitigate BYOD threats, employers frequently require security policies which include device encryption and the use of a personal identification number (PIN) to unlock and effectively decrypt the device.
Whatever corporate password/PIN standards are being enforced, it must be assumed that the general populace will select a password of no greater strength than the bare minimum being enforced and, left to their own devices, will choose “123456.”
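As an added illustration (not from the article), a Python password-policy check built around the article's own figures: it rejects the four breach-derived passwords named above, also after undoing common digit-for-letter substitutions, and estimates brute-force keyspace so that a four-digit PIN's roughly 13 bits sit visibly next to a passphrase. The denylist, thresholds and sample passwords are constructed assumptions, and the bare-minimum run shows how a length-only rule lets “123456” through.

```python
import math
import string

# Constructed denylist: the breach-derived passwords the article names
# (Yahoo: "password", "123456"; LinkedIn: "link", "1234") plus two obvious
# relatives. A real deployment would load a full breached-password corpus.
DENYLIST = frozenset({"password", "123456", "link", "1234", "12345678", "qwerty"})

# Undo the usual leetspeak substitutions so "Passw0rd" is caught as "password".
_LEET = str.maketrans("0134@$", "oleaas")


def normalize(pw: str) -> str:
    return pw.lower().translate(_LEET)


def keyspace_bits(pw: str) -> float:
    """Crude upper bound on brute-force work: log2(alphabet ** length), where
    only the character classes actually present enlarge the alphabet."""
    alphabet = 0
    if any(c.islower() for c in pw): alphabet += 26
    if any(c.isupper() for c in pw): alphabet += 26
    if any(c.isdigit() for c in pw): alphabet += 10
    if any(c in string.punctuation for c in pw): alphabet += len(string.punctuation)
    if any(c.isspace() for c in pw): alphabet += 1
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def evaluate(pw: str, min_len: int = 8, min_bits: float = 40.0,
             deny: frozenset = DENYLIST) -> dict:
    """Return the policy verdict plus every reason the password failed."""
    reasons = []
    if pw.lower() in deny or normalize(pw) in deny:
        reasons.append("on breached-password denylist")
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    bits = keyspace_bits(pw)
    if bits < min_bits:
        reasons.append(f"keyspace {bits:.1f} bits below {min_bits}")
    return {"password": pw, "bits": round(bits, 1),
            "accepted": not reasons, "reasons": reasons}


if __name__ == "__main__":
    for pw in ["123456", "1234", "Passw0rd", "correct horse battery staple"]:
        print(evaluate(pw))
    # A "bare minimum" policy of six characters and no denylist accepts the
    # most common breached password outright.
    print(evaluate("123456", min_len=6, min_bits=0.0, deny=frozenset()))
```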
Certainly security awareness training is a vital tool with which organizations may educate users as to the true nature of risks and organizational policies and procedures. However, if this training is relegated to an annual half-day event, its message is very likely weakened by the other 364.5 days of the year in which users log into personal accounts with weak passwords/PINs and safely return to their temporarily abandoned systems without identifiable repercussion.
To effectively mitigate these risks, organizations must themselves understand the behavior they are working against and cease justifying access control compromises with usability concerns. If your data is truly valuable enough to require accessibility, it should also be worthy of protecting its confidentiality and integrity through due care.
Editor's Note: Want more advice on risk management? Check out Peter's other articles: Risk Management: Strong Governance Means Solid Foundation and Successful Risk Management Starts Small