Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

6/12/2012
06:45 PM
50%
50%

Don't Blame Me, I'm Just An Employee

If you're looking for a cure for mishandling of sensitive data, then look no further than your own management team

Five years ago I remember contemplating some future day when the general workforce would come to understand the importance of securing sensitive data, taking a personal interest -- and even making a personal effort -- in support of that goal. Fast-forward to last week. While reviewing the findings of a customer's data risk assessment, I came to a personal realization: The workforce will never learn.

Not surprisingly, the results of this risk assessment were similar to the dozens before it. Despite the fact that the findings supported the need for my company's products and services, I found myself strangely deflated and disappointed. But there was also another feeling welling up inside me that I couldn't immediately identify. It was something unusual for the situation, a deeper, rawer emotion. Anger. I was officially mad.

I'd been through this process more than 100 times and had never been angry. Yet here I was sitting in front of my customer, seething inside. I couldn't let the anger show, of course, so I shouted in my mind, "Have end users learned nothing in the past five years?" We found incidents of users still sending spreadsheets with personally identifiable information, such as names and Social Security, credit card, and account numbers, to personal email accounts. Customer service reps were still replying to customer email messages in cleartext, leaving credit card numbers, expiration dates, and card security codes in place. Network and workstation drives were still chock-full of interesting and scary sensitive data saved by unwitting end users. And FTP jobs thought to be secure were still transmitting sensitive data in the clear.

As we reviewed the individual incidents and saw the usernames ascribed to each occurrence of data misuse -- billyjones, sallylu, etc. -- my anger toward the end users began to wane. Knowing this particular customer as I do, and the general lack of executive management support for data protection, suddenly it was management I found in my crosshair. A torrent of memories of working with this customer came flooding to my mind. New roadblocks seemed to appear anytime we identified an area of needed improvement. Always willing to talk a good talk, but seldom willing to put their money where their mouths were, my anger and frustration shifted entirely to the management team.

Don't get me wrong; end users must still do their part. In fact, there's a growing awareness for data security among the workforce that will certainly continue to improve. However, as much as we may wish, data security is simply not the mindset of the average end user. The breach news, if they even hear it, doesn't mean anything to them. Whether we like it or not, their focus is on completing their primary job duties, right where it should be. The ultimate responsibility for data security still rests with management.

Management must accept that responsibility and force a shift in corporate consciousness toward data security. This shift begins with attention at the executive level and filters down through the organization by means of those inconvenient data security tasks that are all too often left undone: organized training, internal awareness initiatives, and reinforcement with enforcement technologies. Until management takes action to increase awareness among its workforce, it is difficult to expect a higher level of end user care for sensitive data.

Jared Thorkelson is founder and president of DLP Experts, a vendor-agnostic VAR and consulting practice focused exclusively on data protection. He can be reached at [email protected] Jared is president of DLP Experts, a value-added reseller dedicated exclusively to data loss prevention (DLP) and other data protection technologies and services. For over twenty years Jared has held executive level positions with technology firms, with the last six years ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
senthilkumar@techweb.com
50%
50%
[email protected],
User Rank: Apprentice
8/16/2012 | 12:47:48 PM
re: Don't Blame Me, I'm Just An Employee
Excellent Article
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...