(Originally posted on the Iron Mountain Information Advantage Blog, November 20 2013.)
Leaving things on the train or in a restaurant, or in fact anywhere is an unpleasant fact of life for many of us. I would guess that almost all the readers of this blog have at some point left their keys, wallet, shopping, hat, gloves, children, scarf or phone somewhere or other. On occasion, such lapses in concentration can be upsetting, costly, or embarrassing and in some rare instances even dangerous. But in most cases what we leave behind is either easily replaceable (gloves), insured/covered (bank cards) or worth the cost to change and replace (keys). It’s very rare that we leave and lose something irreplaceable (presumably you found the kids!). This is because the items we treasure often have significant intrinsic and/or emotional value. A good example would be family heirlooms, passed down from generation to generation; we treasure them and therefore take care to protect them, storing them in a safe (or at least a safe place) to be taken out only on special occasions.
What about leaving data somewhere? It wasn’t so long ago, that civil servants and the MOD were criticised frequently in the media for leaving highly sensitive and valuable data exposed in public places. Rarely, it seemed, did a day go by without the Daily Mail bemoaning the inability of the public sector to protect our data. Headlines called for heads to roll. And yet, invariably, these were just the kind of simple, human mistakes that every one of us have made in one way or other. These days, however, the vast majority of data is (or at least should be) encrypted, both when it is on the move and when it’s at rest. Consequently, the loss or theft of encrypted data may now raise fewer eyebrows.
Printed matter, however, is another thing entirely. You can’t encrypt paper documents, and paper is very difficult to secure during transport, without somehow physically attaching it to your person. Taking sensitive documents from one location to another, so often a necessity, quickly becomes a thing of peril. Conceptual drawings, designs, technical drawings, mock ups etc. will often need to be taken to a client site or a manufacturer, and sometimes cannot be sent electronically. After a successful pitch and a few celebratory drinks afterwards those documents could all too easily be left on the night bus to Neasden, unprotected and full of intellectual property and sensitive information. A breach like that can so easily turn a night of celebration into a morning of embarrassment and apologies, followed by the inevitable search for new clients.
Protecting printed documents is difficult, probably more difficult than electronic information, and yet we seem to put all of our efforts into the very latest and best encryption, protected USB keys, and expensive data loss prevention (DLP) initiatives. It’s easier to put in place a technology, especially a “transparent” one than it is to change behaviours.
I would suggest that the information security community needs to address this disparity; the paperless office hasn’t transpired, the digital documents are secured, but paper has been left behind. How can we address this without handcuffing briefcases to people? As usual, it has to come down to awareness, we need to drive home the message that paper should be transported with the same care as electronic records, observing sensible procedures such as ensuring there are always two people present when travelling with paper (to act as more of a reminder than as a physical protection) or even only couriering them with a specially selected and reviewed vendor.
I don’t want to turn the Chief Information and Security Officer into a George Smiley type character, but I do want all of our sensitive records to be treated with the same level of protection irrespective of format.