Many organizations are trying to define who is responsible for information security. Many have hired a Chief Privacy Officer (CPO) or a Chief Information Security Officer (CISO) and tasked that person (or both) with the job. In most organizations, IT still has a lot of the responsibility for information security, so that points to the CIO. After all, most people view security as related to technology, so IT gets the job.
The reality is that everyone needs to make sure that the data they use remains secure. If you deal with sensitive information on a daily basis, make sure you know how to keep it away from prying eyes. Don’t just think about electronic information. Think about paper documents too. Security is not just about technology, but about how we act too.
I recently heard a pertinent story from someone who visited a law firm. She was meeting with some attorneys and following the meeting needed to visit the restroom. The restrooms are outside the office in the hallway. As she exited the office, she noticed a printer sitting in the hallway spitting out documents. You need a key card to get into the law firm’s offices, but this printer was in a public place. Talk about lack of information security. Anyone could come by and grab documents off the printer.
On Monday, the BBC News broke a story about a UK law firm that accidentally leaked a Microsoft Excel spreadsheet with the full names and addresses of over 5,300 people thought by the law firm to be illegally sharing adult films. The law firm claims the spreadsheet and 1000 confidential emails were stolen by a criminal attack on their website. The spreadsheet was uploaded onto the Pirate Bay site and now anyone can access it. Because of this, the British government is investigating whether this was a violation of the UK Data Protection Act (DPA). If so, this is very serious.
Both of these are examples of people who need to be aware of the sensitivity of information and take proper precautions to protect it. A lot of that starts with understanding if something is confidential or not. Some people think that everything inside a business is confidential. It’s not. Personal information (names, addresses, telephone numbers) is. Emails about meetings and having lunch are not.
Leaving a printer in the hallway where anyone can access confidential printouts is not a technology issue. The people printing need to realize the situation and move the printer inside their locked office. The leaked spreadsheet may be partly a technology issue (it wasn’t encrypted or locked), but choosing to send that information around the office in email is not. When you deal with confidential information you need to think about where it’s going and who can access it. Even if that spreadsheet were encrypted, an authorized person could have printed it and left it on a printer in a public place.
Everyone is responsible for the security of information they handle. If you need to send something sensitive in email, make sure you use an Enterprise Digital Rights Management system to lock it down. That way, you can control who accesses it and what they can do with it. In today’s world, you can’t get by saying “It’s not my job.”
Photo credit jardenburg