Remote Access infrastructures are in dire need (prevent stolen data mishaps!)
Security incidents nowadays are quite common, almost too common for my taste. The ones you read about are the ones that actually become public; I don’t even want to know about the ones that are kept secret. I could name a few that I know about as well, but the most common one you read about nowadays is about laptops getting stolen with large amounts of sensitive data on them. I already illustrated the 10 worst hiccups of 2006 before, but they keep coming, apparently.
I have worked extensively in the security business already and I am wondering about 2 points:
- Why oh why are companies NOT encrypting sensitive data if they have to have it on their machines? I mean, TrueCrypt does not cost anything and it works great even if you want to use it for portable encrypted USB storage only.
- Why are companies not investing in remote work (access) infrastructures? They would rather give sensitive data to people with no security skills (and sometimes no common sense either) who leave their laptops in their cars than invest the money they have probably lost in compensation and damage control into an infrastructure that works.
Why do people take laptops with 1000s of records home to do data entry or do queries or analysis of that data? A proper remote access infrastructure will allow the users to work remotely over the (very common) broadband lines with a secure VPN tunnel. Yes, there are the instances when you have only a modem, but then you just don’t work from home. And no, checking your e-mail is NOT working from home. Working with sensitive data, however, is.
I made a quick and dirty illustration of what a remote access grid looks like for those of you who cannot visualize it:
It’s simple, really. If you have permission to DO work from home, there are 3 factors that your company should consider:
- Is the data safe? Is the medium that the data is transported on encrypted?
- Is it even necessary to transport the data off-site?
- If it is not, does the user have adequate broadband to do any kind of remote work and if not, should the company pay the DSL/Cable modem bill if he/she is working remotely a lot?
These are all part of the infrastructure and to be honest, if these simple factors are considered, 90% of the data misplacement mishaps we have nowadays will disappear.
But as it looks nowadays, companies would rather take the hit and pay damages, as they are tax deductible and the cash loss does not look THAT bad with investors. Do you trust these corporations who then also outsource all their data manipulation to a foreign country(!?) with almost 0 control over how it is handled there?
People generally seem to be like sheep, since not many are actually standing up to the administrations and forcing them to make “minimum requirements” for companies that handle personal data (like being accountable if data gets lost or stolen if due diligence is not heeded etc.).
In the end nothing will be done and nothing will change until one day some head of state or governor or something like that gets his/her data misplaced and identity theft causes them to take a stand.
It’s all cost savings now…
Nice site, and yes, you are correct. We implement new systems with TrueCrypt now. Good software.