
Data Protection Projects – Where to start?

One common question I get asked when I speak on Data Protection is “what do I do first?”. It’s an interesting topic because, although my presentation is precisely about what most people should do and in what order, every person and every organization is different, and one size absolutely does not fit all.

In my presentation I talk about “5 Steps to Data Protection Nirvana”:

  1. Identify Your Risks
  2. Encrypt Laptops
  3. Take control of removable media
  4. Work out what’s important/sensitive
  5. Implement DLP

These are based on typical customers, typical needs and typical situations. My team and I arrived at this list through many years in our roles and through working with customers across the world, both small and large. The steps, though, are the most general case, and as step 1 indicates, I encourage everyone to consider their own environment when deciding how to attack the problem of data protection.

One example comes to mind: a pharmaceutical manufacturing company I worked with for 10 years or so. After hearing my speech they promptly mentioned that they didn’t actually have many laptops – less than 1% of their estate, if I remember right. Their problem was CDs and DVDs going missing. They had solved the lost-laptop problem by simply not having any laptops in the first place.

By looking at their business, and spending a few hours “Identifying Your Risks”, we were able to determine that the low hanging fruit for them was to take control of the media problem, followed by printouts, followed by email based protection. Luckily they were implementing security from the board down, and had the full support of the executive teams.

Other companies are not so lucky in having a clear idea of their business processes, especially when the IT security team is the poor relation to the rest of the IT and business staff. In these cases it’s often helpful to see what your peer companies are doing. Resources such as DataLossDB.org and the Information Commissioner’s Office are great places to see what breaches are being reported, and by whom.

Take the ICO for example – a brief look through today’s reports shows:

  • Pension Authority – Lost unencrypted CD
  • School – Theft of Memory Stick
  • NHS Trust – Unencrypted Laptop Stolen
  • School – Theft of unencrypted PC
  • Highland Council – Sensitive information sent to wrong address
  • County Council – Theft of two unencrypted laptops and one unencrypted memory stick
  • District Council – Theft of unencrypted laptop
  • Insurance Company – Loss of unencrypted backup tape
  • Insurance Company – Theft of 8 unencrypted laptops
  • NHS Trust – Theft of unencrypted laptop

You can see that, although education, medical, government and insurance are all represented, a lot of the notifications are “removable media” and “stolen unencrypted computer” incidents. Maybe those are good places to start looking at protection strategies?

You can do your own more detailed analysis of the data of course, and I welcome conversations about your decision making processes, but the important thing is to start the ball rolling. Don’t try to do everything at once, look for the low hanging fruit projects which will give you the most protection given a short (say 3 month) project window. Once that’s done, re-evaluate and start on the next target.
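As an illustration of the “do your own analysis” idea, here is a small script (added for this post, not something the author or the ICO publishes) that takes breach summaries in the “organisation – what happened” form used in the list above, tags each one with the protection project that would have addressed it, and counts which project would have prevented the most incidents. The project names, the keyword rules and the ten sample lines are this example’s own assumptions; a real run would use a larger export from a source such as DataLossDB.org or the ICO, and you would tune the keyword lists to your own data.

```python
import re
from collections import Counter

# Constructed sample input: the ten ICO incident summaries quoted on this page,
# in the "organisation - what happened" form such reports usually arrive in.
SAMPLE_REPORTS = [
    "Pension Authority - Lost unencrypted CD",
    "School - Theft of Memory Stick",
    "NHS Trust - Unencrypted Laptop Stolen",
    "School - Theft of unencrypted PC",
    "Highland Council - Sensitive information sent to wrong address",
    "County Council - Theft of two unencrypted laptops and one unencrypted memory stick",
    "District Council - Theft of unencrypted laptop",
    "Insurance Company - Loss of unencrypted backup tape",
    "Insurance Company - Theft of 8 unencrypted laptops",
    "NHS Trust - Theft of unencrypted laptop",
]

# Keyword rules mapping an incident to the protection project (from the
# five-step list above) that would have addressed it. The project names and
# keyword lists are this example's own assumptions, not an ICO taxonomy.
RULES = [
    ("endpoint encryption", re.compile(r"\b(laptops?|pcs?|desktops?)\b", re.I)),
    ("removable media", re.compile(r"\b(cds?|dvds?|memory sticks?|usb|backup tapes?)\b", re.I)),
    ("misdirected communication", re.compile(r"\b(wrong address|wrong recipient|misdirected)\b", re.I)),
]

UNENCRYPTED = re.compile(r"\bunencrypted\b", re.I)


def parse_report(line):
    """Split 'organisation - summary' into its two parts."""
    org, _, summary = line.partition(" - ")
    return org.strip(), summary.strip()


def classify(line):
    """Return every project a report points at. One stolen bag can hold both
    a laptop and a memory stick, so a report may count towards two projects."""
    _, summary = parse_report(line)
    matched = [project for project, pattern in RULES if pattern.search(summary)]
    return matched or ["other"]


def count_by_project(reports):
    """Number of reported incidents each project would have addressed."""
    counts = Counter()
    for line in reports:
        counts.update(classify(line))
    return counts


def unencrypted_count(reports):
    """How many reports explicitly say the lost asset was unencrypted."""
    return sum(1 for line in reports if UNENCRYPTED.search(parse_report(line)[1]))


def prioritised_projects(reports):
    """Project names ordered by how many reported incidents each would have prevented."""
    return [project for project, _ in count_by_project(reports).most_common()]


if __name__ == "__main__":
    for project, n in count_by_project(SAMPLE_REPORTS).most_common():
        print(f"{n:2d}  {project}")
    print(f"{unencrypted_count(SAMPLE_REPORTS)} of {len(SAMPLE_REPORTS)} "
          "reports mention an unencrypted asset")
```

On the ten sample lines the tally comes out as endpoint encryption first, removable media second and misdirected post a distant third, with eight of the ten reports explicitly mentioning an unencrypted asset. That is the same conclusion the paragraph above reaches by eye; the point of scripting it is that the same rules can be run over a few hundred reports, or over your own incident log, to decide where a three-month project window is best spent.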

Step 1 in my mantra, “Identify Your Risks”, is really there to make sure that steps 2 onwards do indeed meet your requirements.

Of the companies mentioned above, I hate to say it but two of them have already bought products to solve their breach problem – they simply have not “got around” to using them yet despite owning licenses for a year or more. Perhaps the message is still to filter down from their parent organizations that protecting your and my personal information, is something they must do.

Data Protection is a little like herding cats – start with the fat ones you can catch, then work your way to those sly mousers…
