Have you ever made a personal copy of business data?
I'm not talking about printing an email in case the content is lost.
Instead, have you made a copy of business data that "could be useful in the future"...
Personally - I have not.
However, over the years, I have worked with people who have.
While their actions likely breached a written agreement, their intentions weren't always nefarious.
Early in my career, Sam moved from industry into academia.
As part of the move, Sam made a backup copy of the company design server, which contained all of the intellectual property Sam had worked on over the years.
Sam had intimate knowledge of the designs.
Each could have been recreated and tested with time.
Sam's motivation behind the backup was time-saving.
If a student or researcher proposed a similar design, it would save months of research and testing time, and act as independent validation against faked experimental results.
Was Sam wrong?
There weren't any consequences to Sam's actions.
A few years later, I met Alex.
Alex moved to a company that supplied products to their previous one.
Before moving, Alex made a copy of the internal directory containing their former colleagues' names and contact details.
Each contact would have been gladly provided on request, but why wait?
Why risk the burn-out of former colleagues by making repeated requests?
Was it wrong to make sales faster?
Again, no problems were created by Alex's actions.
Finally, I was asked to investigate Tom, the long-time Head of Sales for a newly acquired subsidiary, who "left to do something new".
Unfortunately - Tom took a copy of the customer list and purchase history.
He had personally sold to most of the largest customers - so each contact could have been redeveloped.
In the first few months after Tom's departure, nothing much happened.
But then, over the next year, 20% of customers had "found a different supplier".
After two years, that had increased to 45%.
By the time three years had passed, the subsidiary was loss-making and no longer economically viable.
The rumour during these years was that Tom had set up in competition but had been careful to avoid being named as a director.
Unfortunately, when I was eventually asked to investigate and found the rumours correct, the situation had progressed too far to be saved.
These stories have come to mind repeatedly over the last few weeks as I've been talking with customers about Conditional Access.
The challenge is not about who has access to sensitive data.
In each case above, there was a valid business need to access the data.
The crux of the problem is - how to stop sensitive data from leaking outside of company control.
I have become accustomed to asking three questions:
1) Is it ok for staff to work remotely?
Almost universally, the answer is - Yes.
"We need it for resilience."
2) Is it ok for staff to use personal devices?
Sometimes, the answer is - Yes.
Sometimes - No.
It depends on the situation and often the budget to buy phones for staff.
3) Is it ok for staff to save a personal copy of sensitive company data?
Universally, the answer is - No.
However, unless there is an acceptable use policy in place...
And processes to enforce the policy...
What stops staff from taking personal copies of sensitive data... just like Tom?
Fortunately, with planning, Conditional Access policies allow personal devices to access data while maintaining control over where the data can be saved.
This is why Conditional Access policies are critical to business cybersecurity.
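As an added example that is not part of the original post, assuming the post refers to Microsoft Entra Conditional Access: one policy that expresses the "personal devices may access data, but cannot save it locally" design, written against the Microsoft Graph PowerShell SDK. The policy name, the break-glass account placeholder and the choice of Office 365 as the target application are assumptions, not settings from the post.

```powershell
# Added example (not from the original post). Lets unmanaged (personal)
# devices open Office 365 data in the browser, while SharePoint/OneDrive and
# Exchange Online block download, print and sync for those sessions.
# Managed devices (compliant or hybrid-joined) are excluded and keep full access.
# Requires the Microsoft Graph PowerShell SDK and the scope below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "Unmanaged devices: web-only, no download"   # constructed name
    # Start in report-only mode; review the sign-in logs for a week or two,
    # then change to "enabled" once the expected users are the ones affected.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            # Placeholder: always exclude an emergency-access account so a
            # misconfigured policy cannot lock administrators out.
            excludeUsers = @("<break-glass-account-object-id>")
        }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        # Device filter in "exclude" mode: the policy applies only to devices
        # that are neither Intune-compliant nor hybrid Entra joined.
        devices = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'
            }
        }
    }
    # No grant control: access is allowed. The session control hands the
    # "no download / web-only" decision to the application.
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Companion setting on the SharePoint side (SharePoint Online Management Shell),
# without which the session control has nothing to enforce:
#   Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess
```

The policy on its own only limits what a personal device can do with data it is allowed to open; an acceptable use policy and a compliance requirement for company-owned devices are still needed so that the excluded, fully trusted devices are the ones the business actually manages.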