The rapid growth of cloud storage and workplace use of personal devices – "bring your own device," or BYOD – raises new concerns about confidential data being taken out of the workplace. People no longer need to stuff sensitive documents into briefcases, or even load it onto portable flash drives. They need only access the workplace cloud, from home or elsewhere.
But as a recent study commissioned by cloud provider FileTrek suggests, at the heart of this security challenge is not technology, but the ambiguity and outright contradictions of employees' attitudes.
And the contradictions are glaring. Fully 79 percent of employees surveyed in the study said that removing confidential data from the workplace should be a firing offense. (Only incompetence and sexual harrassment rate higher.) Yet these same workers overwhelmingly agree (90 percent) that it happens all the time.
Moreover, in many specific cases they think it is okay to take sensitive data out of the workplace. Nearly half, 48 percent, say it is acceptable "when [the] boss says it's okay to do so." Nearly a third say it is acceptable to remove data in order to finish up work at home, or on vacation.
Really, all of these contradictory results can be boiled down to one: If someone else takes sensitive data home it is a threat to the company and everyone's livelihood, including ours. But when we take data home, it is for a good reason, or at least harmless.
This is human nature. It is also a security challenge. Even conscientious employees make a mental policy exception for themselves. But appropriate technical measures for data protection, implemented within a consistent policy, can protect data against employees' mental asterisks and lapses. Technologies such as Dynamic Data Masking can protect data against casual or inappropriate access.
Don't depend on unreliable human nature to keep your firm in compliance. Make sure that effective security protections are in place.
The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: "Security is not a product, but a process."