If Metcalfe’s Law holds that the value of a communications network grows with the square of the number of connected users, Murphy’s Law suggests it’s only a matter of time before one of those users does something to compromise the integrity of the information being exchanged.
One lesson to be learned from any data breach is the high cost of human error. In too many cases, a failure to comply with information privacy legislation, or a leak of sensitive data, comes down to whether the organisation has a firm grip on exactly who is handling its data, and why.
Incredible as it may seem, many organisations have tighter control over the process for re-stocking their global stationery cupboards than over how, when, why and by whom sensitive information may be used and shared. Small wonder, then, that CompTIA’s IT Security in the Workforce study found that one in five organisations said they ‘definitely’ experienced sensitive data loss in 2011, with 32 per cent saying it was ‘likely’ that they had.
Nailing down all of a company’s information sounds like an onerous task, but there are simple steps any organisation can take to reduce the risk of human error without shutting down communication. Take misdirected email, a leading cause of data leakage. An outbound gateway can apply deep content inspection to establish how sensitive a message and its attachments are, and true file type analysis to identify what an attachment actually is from its content rather than from its name or extension, before allowing it to leave. Based on company-defined policies and settings, certain types of information can then be encrypted automatically, without any intervention by the user.
Organisations can take the extreme approach of configuring the email gateway to quarantine all outbound mail, forcing users to think twice before and after they’ve hit the send button. Or they can apply more selective controls and quarantine only messages that match specific criteria, such as those carrying attachments, containing credit card numbers or addressed to certain recipients. Diverting potentially sensitive messages to a personal message manager portal lets senders review them and release them only when they are certain it is appropriate.
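To make the controls just described concrete, here is an added Python sketch of an outbound-mail policy check. It is example code written for this page, not code from the page or from any vendor product. It performs true file type analysis by magic bytes (comparing what an attachment really is with what its extension claims), deep content inspection for card numbers with a Luhn check to cut false positives, and a quarantine / encrypt / release decision from a policy table. The policy table, domains, addresses and sample messages are all constructed for the example; a real gateway would use a much larger signature set (libmagic or similar) and far more detectors.

```python
"""Added example: outbound e-mail policy check (true file type analysis, PAN
detection with Luhn, quarantine / encrypt / release decision)."""
from __future__ import annotations
import re
from email.message import EmailMessage

# Magic-byte signatures: what the bytes are, not what the file name claims.
# Deliberately short table for the example; a gateway would use libmagic or similar.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                          # also docx/xlsx/pptx (OOXML is zip)
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy .doc/.xls/.ppt
    (b"MZ", "exe"),                                  # Windows PE executable
    (b"\x89PNG\r\n\x1a\n", "png"),
]
# Detected types that are acceptable for a claimed extension.
EXT_OK = {"pdf": {"pdf"}, "docx": {"zip"}, "xlsx": {"zip"}, "zip": {"zip"},
          "doc": {"ole2"}, "xls": {"ole2"}, "png": {"png"}, "txt": {"text"}}
# Hypothetical policy for the example (assumed, not from the page).
POLICY = {"internal_domains": {"example.com"},
          "watch_addresses": {"press@news.example"}}
# 13-19 digits with optional single space/dash separators, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def detect_type(data: bytes) -> str:
    """Return the true file type from leading bytes, ignoring the file name."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "unknown"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return masked card numbers (first 6 + last 4 digits) found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


def analyse(msg: EmailMessage) -> dict:
    """Deep content inspection of every MIME part plus recipient extraction."""
    found = {"recipients": [], "attachments": [], "pans": []}
    for hdr in ("To", "Cc", "Bcc"):
        found["recipients"] += [a.strip().lower() for a in str(msg.get(hdr, "")).split(",") if a.strip()]
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        kind = detect_type(data)
        name = part.get_filename()
        if name:                           # an attachment: compare claimed vs true type
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            found["attachments"].append({"name": name, "claimed": ext, "detected": kind,
                                         "mismatch": kind not in EXT_OK.get(ext, set())})
        if kind == "text" or part.get_content_maintype() == "text":
            found["pans"] += find_pans(data.decode("utf-8", "replace"))
    return found


def decide(found: dict, policy: dict = POLICY) -> tuple[str, list[str]]:
    """Apply the policy: quarantine on any trigger, else encrypt or release."""
    external = [r for r in found["recipients"] if r.split("@")[-1] not in policy["internal_domains"]]
    reasons = [f"{r} is on the watch list" for r in found["recipients"] if r in policy["watch_addresses"]]
    reasons += [f"{a['name']} claims .{a['claimed']} but is {a['detected']}"
                for a in found["attachments"] if a["mismatch"]]
    if found["attachments"] and external:
        reasons.append("attachment addressed to external recipient(s)")
    if found["pans"] and external:
        reasons.append(f"card number {found['pans']} addressed to external recipient(s)")
    if reasons:
        return "quarantine", reasons
    if found["pans"]:                      # internal recipients only: encrypt automatically
        return "encrypt", ["card number present"]
    return "release", []


def build_message(to: str, body: str, attachments=()) -> EmailMessage:
    """Constructed sample message (not a captured one) for running the checks."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "alice@example.com", to, "Q3 figures"
    msg.set_content(body)
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    samples = [
        build_message("bob@example.com", "Card on file: 4111 1111 1111 1111"),
        build_message("eve@partner.org", "See attached",
                      [("report.pdf", b"MZ\x90\x00\x03" + b"\x00" * 60)]),
        build_message("eve@partner.org", "Ref 4111 1111 1111 1112 (fails Luhn, so not flagged)"),
    ]
    for m in samples:
        print(m["To"], decide(analyse(m)))
```

The point of the Luhn filter is the one the text hints at with “only quarantine mails that match specific criteria”: a sixteen-digit reference number that fails the checksum is released, while a genuine card number going outside the organisation is held for the sender to review, and one going to an internal colleague is encrypted without the sender doing anything. The executable renamed to `.pdf` is caught by its bytes, not its name.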
These approaches do add an extra step to sending an email, but it is a short one and the payoff in data protection is significant. As Stephen Eckersley, head of enforcement at the UK’s Information Commissioner’s Office (ICO), has said, “One of the most basic rules when disclosing highly sensitive information is to check and then double check that it is going to the right recipient.”
Just this week, it was revealed that the ICO has issued over £1m in fines for data breaches since April 2010. The EU’s proposed data protection regulation would bring penalties of up to 2 per cent of global annual turnover for organisations that breach its rules. Globally, some of the world’s most respected brands have found themselves in the spotlight for all the wrong reasons; financial penalties aside, the reputational damage that follows a data breach can linger long after any fine has been paid.
That’s a heavy price to pay for an errant click of the ‘attach file’ or ‘send’ button.