Like monkeys in cages, data seems to want to be free, and will connive ways to break out of restraints. Many times it takes advantage of human carelessness, as it did in Iraq recently. Two reporters were wandering through one of the Iraqi bazaars that have sprung up outside U.S. bases, and which feature items discarded by Americans, such as old boots and broken tools. The reporters saw a number of what the media has been calling “computer drives.” These appear to be the popular “USB drives,” also known as “zip drives” or “thumb drives.” The drives plug into USB ports, those rectangular receptacles most computers now have in abundance.
The reporters, curious, bought several of the drives and checked them for data. One after another proved to be unusable or defective, but then they found a few that had really sensitive data on them, such as photographs of Air Force One, soldiers’ personal information and defensive layouts of U.S. installations.
Of course, the military is embarrassed by all this, and aghast at how it could happen. No good cybersecurity specialist would have blinked twice, though. There are dozens of cracks in any organization for data to escape through, but the vast majority involve human screwups.
“Black hats,” known as “social engineers,” have used human weakness for many years. It’s much easier to sweet-talk a password out of a thoughtless human than to wend one’s way through a thicket of network servers. Today, as data storage methods become ever smaller and more portable, millions of dollars can conceivably be lost by mislaying a device the size of a pack of gum. Some thumb drives can now store more than a fully loaded data CD. For many small companies, one gigabyte of storage could probably hold most of their data.
We may snicker behind our hands at the military’s discomfort, but most of us are in the same boat, if not the same bazaar. Employees may well be popping data onto thumb drives, and you’re not even aware of it. Or they may be burning data CDs. They may be using these devices as backups, but just the same, your data has just become airborne. Employees take work home. Contractors keep backup copies. Managers have to tote spreadsheets into meetings. Salespeople have to transport presentations. The problem isn’t portability; data in today’s world needs to be portable. The problem is human fallibility. We aren’t careful enough.
Part of the problem also stems from the need to work collaboratively, within technologies that don’t permit easy connection. Several people may have to work on a presentation, but they may be away from the office and can’t use the local network. So out come the thumb drives. Like viruses, the data files proliferate from computer to computer. What started out as a single copy jingling in a pocket ends up being replicated over and over again, and perhaps placed on yet more thumb drives. All this presumes that your employees are just getting around technological limitations. The picture darkens even more quickly if a renegade employee is actively stealing information.
Security experts abound to tell you how to lock up your data, but their advice is rarely taken. And why not? Because most of it isn’t practical. Business for most of us is a rapid-fire, roadrunner-like affair that brooks no delays. Security slows things down. Imagine having to check out and check in official company thumb drives. The clerk is busy, or the thumb drives are all gone, or something else keeps your salesperson from the road for an hour. Your data is far safer, but at the cost of lost business. Most data just isn’t as valuable as new business. Even the Iraqis probably couldn’t make decisive use of any of the data on the military drives. They could find most of it elsewhere, anyway.
The fact is that no matter what you do, security will be breached. The military supposedly searches every Iraqi going in and out of the base, yet drives kept making it over the wall. Here at home, even those supposed security-manic agencies, the FBI and the CIA, have been penetrated and heavily compromised. The CIA got into the KGB. The KGB had “moles” for decades inside British intelligence. And so it goes.
The reality is that, given the pace of today’s business, data is rapidly outdated anyway. Last month’s revenue figures recede into the rear-view mirror. Prices change constantly. The best security approach might be to identify which data is worthy of high security, like employee Social Security numbers, and which data can be risked, such as preliminary drawings, presentations and price lists. Keep the former locked up at home, available only by secure login. Keep the rest in circulation, making money.
Altom is a senior business consultant for Perficient Consulting. His column appears every other week. He can be reached at firstname.lastname@example.org.