

Moore's Law and risk

Gordon Moore's observation on falling prices for processing power has held for over 40 years[35].

A corollary has been falling prices for digital storage and a rise in the types and speeds of communications networks[36]. However, these trends may have caused a corresponding growth in the risk associated with information leakage and data theft.

A memory stick costing a few dollars can hold tens of millions of items of data[37]. A terabyte drive costs under $200[38]. Media players with hundreds of gigabytes of storage are available for several hundred dollars, but more importantly, unlike terabyte drives, can be taken into the workplace without arousing suspicion[39]. Software designed to facilitate the transfer of files onto MP3 players is easily available from the Internet[40].


Yet at the same time, confidential files, such as an individual's social security number, occupy the same paltry number of bytes as 10 years ago. It is therefore becoming ever easier for massive volumes of sensitive data to be lost or stolen.

The basic principle of Moore's Law has also applied to bandwidth: speeds over fixed and wireless networks have become ever faster. As speeds have risen, the modems and routers used to connect to networks have required replacement. Obsolete communications equipment that has been discarded or sold on may still have passwords saved on it, which could allow the new owner to access confidential networks. If this hardware were to fall into the wrong hands, it could be used for repeated access to an organization's data[41].

In 2009, over a billion items of personal data may be lost or stolen, and thousands of companies' data losses may be made public[42]. And it is likely that in many other cases, companies may never realize that their data has gone missing, or that intruders are regularly accessing their networks.

Bottom line

Risk needs to be mitigated by responsibility.

Employees at all levels need to be trained, ideally via in-person training, in how to minimize data risk. In some cases, it may be appropriate for the IT environment to be made secure by default. In other words, all stored files should be encrypted.

The growth in practices such as working while traveling, or working at home, can improve productivity, as well as address work-life balance. But any such innovations in working practices should be accompanied by a thorough appraisal of how they change the risk profile. In some instances, if highly sensitive data is involved, workers may have to be prohibited temporarily from working while in transit or in any potentially insecure location. Employees should be encouraged not to keep back-ups of files on personal storage devices, no matter how good their intentions may be.

Companies should develop policies not just for the deletion of data, but also for the secure disposal of any equipment that has held sensitive data, whether customer records or passwords providing access to internal networks.

IT departments should also consider alternatives to standard passwords, which may simply not be sufficiently secure. Passwords were designed by engineers, for the use of engineers; they were not originally designed for mass-market use. IT departments may need to create new, easy-to-use, more secure alternatives to passwords, such as biometric data[43].

There may also need to be firmer restrictions on the use of corporate IT by members of an employee's immediate family. For example, letting children use a laptop that also holds any sensitive data, in commercial or personal contexts, may be asking for trouble. For regular home workers dealing with confidential data, a secure, locked room may become a prerequisite to working outside of the office.

Companies should also remember that data loss is never likely to be confined solely to digital environments; compromising records on paper are still occasionally found in dumpsters. Loss of analog data, and the need to secure analog copies, should not be overlooked.
