Oct 08 22
Opening the floodgates on missing drives
Posted by Angus Kidman @ 15:03 2 comments
News headlines about portable storage devices going missing are as common as muck, but the problem could be even more widespread than you suspect.
(Credit: Memory stick 3
by Ramasamy Chidambaram, Royalty free)
The data loss scandal du jour is the disappearance of a hard drive containing details of 1.7 million people who had enquired about joining the UK military.
The story ticks all the boxes: the data was unencrypted, it included sensitive information such as passport numbers, and it only became clear it went missing some time after the fact.
As ever, it seems that human error rather than technology failure is to blame. This isn't unusual; people have been misplacing documents in offices since the dawn of enterprise time, and it's only the sheer scale of information that can be crammed into a hard drive or USB key that makes the whole process so utterly scary.
A recent survey by RSA casts an interesting light on the problem. The company asked 417 attendees at three recent conferences a series of questions about security policy. When asked "Have you ever lost a laptop, smartphone and/or USB flash drive with corporate information on it?", 1 per cent said they had done so frequently, and 9 per cent said it had happened to them "sometimes".
That indicates there are at least four complete klutzes out there who are continually misplacing portable storage, and who we can only hope don't work in data security. But the more disturbing aspect is the fact that, in effect, 10 per cent of information is likely to be misplaced.
Companies routinely take out insurance to deal with relatively unlikely risks. I suspect if I told my insurer that my house had a 10 per cent chance of being flooded, they'd either laugh me out the door or demand that I take some precautions to minimise the damage.
The same logic should apply to portable devices and the information stored on them. Can you hear the pigs flying overhead?
All true... but I worry about too great a use of data encryption as well. How many people have had password-protected material that they could no longer access (from whole servers to word processing documents saved with a password).
Data encryption should be simpler for someone taking a sensitive file out of the premises on a USB drive, yet best to have the backups within a secure premises never encoded... as it is the encoding that is more likely to trip you up.
And as to the USB drive material, it is hard to insist on encryption or other standards when any proper analysis would probably suggest that there is no justification for taking such complete databases out of the secure premises or its secure off-site backup site.