DATA AND RECORDS MANAGEMENT
“It’s the mistakes, and not the malice, which can carry the greatest risks to data.”
The problem is that these products are looking to block items which can actually be the majority. It’s like having a bouncer on the door, giving them a list of all the names of people in Australia and having the bouncer check every name against the entire list when someone wants to come in.

My argument is that we should be looking to use white lists more often in IT security. In most organisations you don’t need to install new applications often. So why not use a white list to mandate what can be done, instead of a black list to do the opposite?
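As an added illustration of the white-list argument above (this is example code written for this page, not anything from the interviewee or the magazine), the following script evaluates a handful of constructed sample "binaries" against both a block list and an allow list. The sample contents, the list memberships and the decision to match on SHA-256 hashes rather than on file names are all assumptions made for the example; the point it shows is the default behaviour for anything the lists have never seen: a block list lets it through, an allow list stops it.

```python
import hashlib

# Constructed stand-ins for executables: file name -> file contents.
# Real binaries would be read from disk; these bytes exist only for the example.
SAMPLE_BINARIES = {
    "payroll.exe": b"payroll application build 4.2",      # approved
    "browser.exe": b"corporate browser build 118",        # approved
    "malware.exe": b"known-bad sample",                    # already on the block list
    "malware_variant.exe": b"known-bad sample v2",         # one byte changed, never catalogued
    "unknown_tool.exe": b"never seen before",              # neither approved nor known-bad
}


def sha256_hex(data: bytes) -> str:
    """Identify a file by its content hash so renaming it changes nothing."""
    return hashlib.sha256(data).hexdigest()


# Allow list: the small set of applications the organisation has approved.
ALLOW_LIST = {
    sha256_hex(SAMPLE_BINARIES["payroll.exe"]),
    sha256_hex(SAMPLE_BINARIES["browser.exe"]),
}

# Block list: the (in reality enormous and always incomplete) set of known-bad files.
BLOCK_LIST = {
    sha256_hex(SAMPLE_BINARIES["malware.exe"]),
}


def block_list_decision(data: bytes) -> str:
    """Block-list model: deny only what is known to be bad, allow everything else."""
    return "deny" if sha256_hex(data) in BLOCK_LIST else "allow"


def allow_list_decision(data: bytes) -> str:
    """Allow-list model: allow only what is known to be good, deny everything else."""
    return "allow" if sha256_hex(data) in ALLOW_LIST else "deny"


def compare(binaries=SAMPLE_BINARIES) -> dict:
    """Return {name: (block-list decision, allow-list decision)} for each sample."""
    return {
        name: (block_list_decision(contents), allow_list_decision(contents))
        for name, contents in binaries.items()
    }


if __name__ == "__main__":
    for name, (blocked, allowed) in compare().items():
        print(f"{name:22s} block list: {blocked:5s} allow list: {allowed}")
```

Running it shows the two approved programs pass under both models and the catalogued sample is denied under both, but the uncatalogued variant and the unknown tool are waved through by the block list and stopped by the allow list. Hashing rather than name-matching is used because a file name is trivially changed, whereas the allow list only ever has to describe the handful of programs the organisation actually installs.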
IQ: Not long ago IQ Magazine ran an article about the data security risks inherent in people using portable electronic devices (PEDs) away from their offices. How big a problem is this?
JT: This is a sensationally large issue that not too many people are talking about. The challenge is for IT departments to work with their organisation to work out what PEDs the employees should be permitted to use in the network.

I was just chatting with a friend yesterday about this. It was his last day on the job and he’d taken in a removable hard drive to harvest his data from his work computer and server. My friend’s company didn’t have a policy around this area. Now I’d trust this guy with my life, but how many times is this happening in companies every day around the country?
IQ: Are there a few major rules of thumb that PED users should apply, and questions organisations should ask, to limit the dangers of losing or revealing confidential data via these tools?
JT: There is technology which could prevent this, but there are more important issues. Does your company have a policy about this, for instance? Do your employees know what data they can carry about on their smartphone? Do your employees understand how serious it could be if they mislaid, or misappropriated, company data?

I was recently told that Australia is the largest market per capita of removable hard drives. This is a serious issue!
Govlink Issue 2 2013

IQ: We keep hearing horror stories about financial institutions and government agencies around the world losing huge amounts of confidential customer data. Is there a data security device that you would love to see invented that eliminated the risk of this happening?
JT: Well, this is getting into Mission Impossible territory, but a network device which could scan for stolen data and then zero in on the location of the data and the criminals using it would be sensational! I get the impression that some of the law enforcement and defence agencies may already have this capability. I don’t think we can completely stop the data breaches from happening, but if we could shift the risk equation so that the consequences of a criminal using this data were so severe and so inevitable that it became just too risky for a criminal to even bother, that would be great.
IQ: People continue to respond to email scams such as fake lottery wins and the famous Nigerian plea for help securing millions of dollars, providing their bank account details and losing their savings. Is there a ‘black list’ we should all have on our computers to prevent us being scammed?
JT: When people are trained to prevent social engineering – which is what these scams are – we are taught a few basic principles. If it seems too good to be true, it is. If you feel uneasy about something, respect your instincts. Always, always, always ask to call the person back; get their name and number, then check out the number for the organisation in the White Pages. When an organisation calls you, you should not have to authenticate yourself to them, so giving passwords and dates of birth to someone who has called you is silly.
IQ: IQ Magazine ran a story several years ago about a major New York bank which lost most of its data on 9/11 because of poor backup, while another saved all its data with an emergency backup procedure that electronically transferred it to New Jersey within seconds of the 9/11 attack. What is the biggest mistake organisations make today when it comes to taking steps to secure their data? Inadequate backup? Poor firewalls?
JT: Organisations can make two easy mistakes when it comes to security. The first is not understanding the value of the data and so taking inadequate precautions. The second mistake is inadequate training. Setting policy is very important, but if people don’t understand the need for the policy, or they are not reminded of it regularly, then they can try shortcuts.
I’m always reminding people that it’s the mistakes and not the malice which can carry the greatest