
Humans Are the Weakest Info Security Link: Technology Alone Cannot Guarantee Compliance Nor Prevent All Information Leaks

Today a press release came from an information security vendor from my neck of the woods, Palisade Systems.

The press release discussed the results of a survey performed by the vendor that "concluded accidental or malicious data leaks by employees pose the biggest data security, monetary and compliance threat to organizations."

Indeed.  Humans always have been and always will be the biggest vulnerability and threat to basically any type of business function, including information security and privacy compliance. 

I did not contact the company to request a copy of the study results. However, I found it very ironic that the study results, which conclude that people are the weakest link in information security and compliance, were used to set up the vendor's CEO basically stating that his technology product will prevent sensitive data leaks.

"By combining our content monitoring and blocking technology with ZixCorp's encryption service, we will now be able to guarantee another level of content security to organizations that require their confidential data remain confidential to only authorized personnel," said Kurt Shedenhelm, CEO and president of Palisade Systems. "While competing vendors provide pieces of an overall content security solution, Palisade and ZixCorp deliver a completely integrated solution that ensures private content is protected even after it's been checked and approved internally for outbound delivery."

It bothers and concerns me when vendors make guarantees, especially about security and compliance.  It bothers me when I see claims that a technology product alone "ensures private content is protected."

Just quickly, off the top of my head, I can think of two situations in which technology is probably not going to be able to stop the leakage of sensitive data from a network:
1)  Sensitive data within encrypted files
2)  Sensitive data transferred out of the network via a network user's personal email account, using a browser front end and webmail

I know these two situations happen within organizations all the time.  I know that even if an organization has blocked access to the most common types of webmail, such as Yahoo, AOL and so on, it is trivial for people to have their own domain name on their own ISP and mailserver using webmail that is not blocked by the filters on the network.
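To make the first situation concrete, here is an added example (mine, not Palisade's product and not code from this post) of why content monitoring goes blind on an encrypted file, and of the defender-side compromise of flagging opaque outbound payloads for human review rather than claiming they are "ensured" safe. The SSN pattern, the sample message and the hash-based keystream standing in for real encryption are all constructed for the illustration.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed sample of an outbound message containing an SSN-shaped value.
PLAINTEXT = (b"Customer record: SSN 123-45-6789, account balance 4,200.00 USD.\n"
             * 64)

# Pattern for a US-style SSN, the kind of thing a content filter looks for.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")

def content_scan(data: bytes) -> list:
    """Content-inspection stand-in: return SSN-shaped matches found in data."""
    return [m.decode() for m in SSN_RE.findall(data)]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text sits around 4-5, compressed or encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def opaque_stand_in(plaintext: bytes, key: bytes) -> bytes:
    """Stand-in for a file the user encrypted before sending: XOR with a
    SHA-256 keystream (illustration only, NOT a cipher to use in practice)."""
    out = bytearray()
    for block in range(0, len(plaintext), 32):
        stream = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        chunk = plaintext[block:block + 32]
        out.extend(a ^ b for a, b in zip(chunk, stream))
    return bytes(out)

def classify_outbound(data: bytes, entropy_threshold: float = 7.5) -> str:
    """Defender-side triage: 'block' when sensitive content is visible to the
    filter, 'review' when the payload is opaque (high entropy) and therefore
    cannot be inspected at all, 'allow' otherwise."""
    if content_scan(data):
        return "block"
    if len(data) >= 512 and shannon_entropy(data) > entropy_threshold:
        return "review"
    return "allow"

if __name__ == "__main__":
    print(classify_outbound(PLAINTEXT))                                 # block
    print(classify_outbound(opaque_stand_in(PLAINTEXT, b"user-key")))   # review
    print(classify_outbound(b"Lunch is at noon on Tuesday."))            # allow
```

The point is that the same record is caught in the clear and invisible once encrypted; the best a filter can honestly do with the opaque version is route it to a person, which is exactly the non-technology part of the solution.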

I admit, I know nothing about the Palisade product other than what was written in the press release. And perhaps there is something it could do about the webmail issue... but I'm not sure.

The situations I mentioned are only two possibilities; there are many more covert, and overt, ways in which data leakage can occur from a network, as well as, of course, non-network ways.

Yes, using good information security technologies to help prevent the leakage of sensitive data will lessen the leaks, and it will also demonstrate due diligence on behalf of the organization. Yes, it will help to meet a subset of compliance requirements for many different data protection laws and regulations. But that is just part of the complete solution for preventing as many data leaks as possible, and for meeting all compliance requirements.

Information security, privacy and compliance take much, much more than technology.  I've seen too many SMBs and, frankly, gullible organizations of all sizes, purchase technology products and install them thinking they are then in complete compliance with data protection laws and regulations, only to have a rude awakening later when they get audited, being told they also need policies, procedures, training, awareness and other administrative requirements from the regs.  Or, worse yet, discovering after an incident occurred that the technology alone was not the complete solution after all.

Technology alone will not make any organization completely compliant with any data protection law or regulation.

That's worth a deja vu...

Technology alone will not make any organization completely compliant with any data protection law or regulation.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.