Perimeter
6/12/2012
06:45 PM
50%
50%

Don't Blame Me, I'm Just An Employee

If you're looking for a cure for mishandling of sensitive data, then look no further than your own management team

Five years ago I remember contemplating some future day when the general workforce would come to understand the importance of securing sensitive data, taking a personal interest -- and even making a personal effort -- in support of that goal. Fast-forward to last week. While reviewing the findings of a customer's data risk assessment, I came to a personal realization: The workforce will never learn.

Not surprisingly, the results of this risk assessment were similar to the dozens before it. Despite the fact that the findings supported the need for my company's products and services, I found myself strangely deflated and disappointed. But there was also another feeling welling up inside me that I couldn't immediately identify. It was something unusual for the situation, a deeper, rawer emotion. Anger. I was officially mad.

I'd been through this process more than 100 times and had never been angry. Yet here I was sitting in front of my customer, seething inside. I couldn't let the anger show, of course, so I shouted in my mind, "Have end users learned nothing in the past five years?" We found incidents of users still sending spreadsheets with personally identifiable information, such as names and Social Security, credit card, and account numbers, to personal email accounts. Customer service reps were still replying to customer email messages in cleartext, leaving credit card numbers, expiration dates, and card security codes in place. Network and workstation drives were still chock-full of interesting and scary sensitive data saved by unwitting end users. And FTP jobs thought to be secure were still transmitting sensitive data in the clear.

As we reviewed the individual incidents and saw the usernames ascribed to each occurrence of data misuse -- billyjones, sallylu, etc. -- my anger toward the end users began to wane. Knowing this particular customer as I do, and the general lack of executive management support for data protection, suddenly it was management I found in my crosshair. A torrent of memories of working with this customer came flooding to my mind. New roadblocks seemed to appear anytime we identified an area of needed improvement. Always willing to talk a good talk, but seldom willing to put their money where their mouths were, my anger and frustration shifted entirely to the management team.

Don't get me wrong; end users must still do their part. In fact, there's a growing awareness for data security among the workforce that will certainly continue to improve. However, as much as we may wish, data security is simply not the mindset of the average end user. The breach news, if they even hear it, doesn't mean anything to them. Whether we like it or not, their focus is on completing their primary job duties, right where it should be. The ultimate responsibility for data security still rests with management.

Management must accept that responsibility and force a shift in corporate consciousness toward data security. This shift begins with attention at the executive level and filters down through the organization by means of those inconvenient data security tasks that are all too often left undone: organized training, internal awareness initiatives, and reinforcement with enforcement technologies. Until management takes action to increase awareness among its workforce, it is difficult to expect a higher level of end user care for sensitive data.

Jared Thorkelson is founder and president of DLP Experts, a vendor-agnostic VAR and consulting practice focused exclusively on data protection. He can be reached at jthork@dlpexperts.com. Jared is president of DLP Experts, a value-added reseller dedicated exclusively to data loss prevention (DLP) and other data protection technologies and services. For over twenty years Jared has held executive level positions with technology firms, with the last six years ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
senthilkumar@techweb.com
50%
50%
senthilkumar@techweb.com,
User Rank: Apprentice
8/16/2012 | 12:47:48 PM
re: Don't Blame Me, I'm Just An Employee
Excellent Article
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8891
Published: 2015-03-06
Unspecified vulnerability in the Java Virtual Machine (JVM) in IBM SDK, Java Technology Edition 5.0 before SR16-FP9, 6 before SR16-FP3, 6R1 before SR8-FP3, 7 before SR8-FP10, and 7R1 before SR2-FP10 allows remote attackers to escape the Java sandbox and execute arbitrary code via unspecified vectors...

CVE-2014-8892
Published: 2015-03-06
Unspecified vulnerability in the Java Virtual Machine (JVM) in IBM SDK, Java Technology Edition 5.0 before SR16-FP9, 6 before SR16-FP3, 6R1 before SR8-FP3, 7 before SR8-FP10, and 7R1 before SR2-FP10 allows remote attackers to bypass intended access permissions and obtain sensitive information via un...

CVE-2015-1170
Published: 2015-03-06
The NVIDIA Display Driver R304 before 309.08, R340 before 341.44, R343 before 345.20, and R346 before 347.52 does not properly validate local client impersonation levels when performing a "kernel administrator check," which allows local users to gain administrator privileges via unspecified API call...

CVE-2015-1637
Published: 2015-03-06
Schannel (aka Secure Channel) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly restrict TLS state transitions, which makes it easier for r...

CVE-2014-2130
Published: 2015-03-05
Cisco Secure Access Control Server (ACS) provides an unintentional administration web interface based on Apache Tomcat, which allows remote authenticated users to modify application files and configuration files, and consequently execute arbitrary code, by leveraging administrative privileges, aka B...

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.