Perimeter
6/12/2012
06:45 PM
50%
50%

Don't Blame Me, I'm Just An Employee

If you're looking for a cure for mishandling of sensitive data, then look no further than your own management team

Five years ago I remember contemplating some future day when the general workforce would come to understand the importance of securing sensitive data, taking a personal interest -- and even making a personal effort -- in support of that goal. Fast-forward to last week. While reviewing the findings of a customer's data risk assessment, I came to a personal realization: The workforce will never learn.

Not surprisingly, the results of this risk assessment were similar to the dozens before it. Despite the fact that the findings supported the need for my company's products and services, I found myself strangely deflated and disappointed. But there was also another feeling welling up inside me that I couldn't immediately identify. It was something unusual for the situation, a deeper, rawer emotion. Anger. I was officially mad.

I'd been through this process more than 100 times and had never been angry. Yet here I was sitting in front of my customer, seething inside. I couldn't let the anger show, of course, so I shouted in my mind, "Have end users learned nothing in the past five years?" We found incidents of users still sending spreadsheets with personally identifiable information, such as names and Social Security, credit card, and account numbers, to personal email accounts. Customer service reps were still replying to customer email messages in cleartext, leaving credit card numbers, expiration dates, and card security codes in place. Network and workstation drives were still chock-full of interesting and scary sensitive data saved by unwitting end users. And FTP jobs thought to be secure were still transmitting sensitive data in the clear.

As we reviewed the individual incidents and saw the usernames ascribed to each occurrence of data misuse -- billyjones, sallylu, etc. -- my anger toward the end users began to wane. Knowing this particular customer as I do, and the general lack of executive management support for data protection, suddenly it was management I found in my crosshair. A torrent of memories of working with this customer came flooding to my mind. New roadblocks seemed to appear anytime we identified an area of needed improvement. Always willing to talk a good talk, but seldom willing to put their money where their mouths were, my anger and frustration shifted entirely to the management team.

Don't get me wrong; end users must still do their part. In fact, there's a growing awareness for data security among the workforce that will certainly continue to improve. However, as much as we may wish, data security is simply not the mindset of the average end user. The breach news, if they even hear it, doesn't mean anything to them. Whether we like it or not, their focus is on completing their primary job duties, right where it should be. The ultimate responsibility for data security still rests with management.

Management must accept that responsibility and force a shift in corporate consciousness toward data security. This shift begins with attention at the executive level and filters down through the organization by means of those inconvenient data security tasks that are all too often left undone: organized training, internal awareness initiatives, and reinforcement with enforcement technologies. Until management takes action to increase awareness among its workforce, it is difficult to expect a higher level of end user care for sensitive data.

Jared Thorkelson is founder and president of DLP Experts, a vendor-agnostic VAR and consulting practice focused exclusively on data protection. He can be reached at jthork@dlpexperts.com. Jared is president of DLP Experts, a value-added reseller dedicated exclusively to data loss prevention (DLP) and other data protection technologies and services. For over twenty years Jared has held executive level positions with technology firms, with the last six years ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
senthilkumar@techweb.com
50%
50%
senthilkumar@techweb.com,
User Rank: Apprentice
8/16/2012 | 12:47:48 PM
re: Don't Blame Me, I'm Just An Employee
Excellent Article
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-9676
Published: 2015-02-27
The seg_write_packet function in libavformat/segment.c in ffmpeg 2.1.4 and earlier does not free the correct memory location, which allows remote attackers to cause a denial of service ("invalid memory handler") and possibly execute arbitrary code via a crafted video that triggers a use after free.

CVE-2014-9682
Published: 2015-02-27
The dns-sync module before 0.1.1 for node.js allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function.

CVE-2015-0655
Published: 2015-02-27
Cross-site scripting (XSS) vulnerability in Unified Web Interaction Manager in Cisco Unified Web and E-Mail Interaction Manager allows remote attackers to inject arbitrary web script or HTML via vectors related to a POST request, aka Bug ID CSCus74184.

CVE-2015-0884
Published: 2015-02-27
Unquoted Windows search path vulnerability in Toshiba Bluetooth Stack for Windows before 9.10.32(T) and Service Station before 2.2.14 allows local users to gain privileges via a Trojan horse application with a name composed of an initial substring of a path that contains a space character.

CVE-2015-0885
Published: 2015-02-27
checkpw 1.02 and earlier allows remote attackers to cause a denial of service (infinite loop) via a -- (dash dash) in a username.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.