Jason Palmer, CPA, CITP

Cyber Insurance Auditing

You are here: Home / Archives for Content Filtering

It’s 2013 – Do you know where your sensitive corporate data is?

By Leave a Comment

Data File Security

Data File Security

There was a time in the 1970’s through about 1995, before the modern Internet, when the person who managed your Information Technology could say with absolute certainty that he or she knew all of the possible entry points in to your network and exactly where your sensitive corporate data was stored.

In the early days of Information Technology, data resided on a mini-computer or mainframe that was installed in a special room that was physically locked in the center of your office space.  Green Screen “Dumb” terminals were the only way to access the Corporate Data.  There was no connectivity to the outside world.  The only way data entered or exited your office was on paper or possibly a heavily guarded backup tape in-transit to an off-site storage location.

In the late 1980’s, the Green Screen “Dumb” Terminal begins to be replaced with the “Smart” Personal Computer.  In fact, the mini-computer and mainframe for many applications also begins to be replaced by more powerful Personal Computers known as Servers.  With the dawn of the Personal Computer, came the Floppy Disk, Zip Disk, and similar precursors to the modern day USB Flash Stick Drive.

Even though data was now being created and stored outside the highly secured “Server Room”, the Information Technology Manager still had a significant amount of control as floppy disk drives could be disabled.  Data stored on Floppy Disks or Tape had the potential for “mobility” but could be serialized and tracked like any other corporate asset.

Few PC’s had direct communications capabilities to the outside world and even if they did, Modems were extremely slow.   Since Modems used regular phone lines, and all pricing was “per minute” it was easy, even if after the fact, to notice a multi-hour phone call to AOL or Compuserve (early online services) and investigate.

Data, up until the turn of the century, mostly left an organization the old fashioned way:  on paper.  Again, depending on the volume of information being printed, the Information Technology person might notice excessive printing activity and then investigate.

After about 1995, with the accessibility of the Internet starting to become common place and significant price drops in the cost of Personal Computers, for the first time, an employee might actually be able to take data from the office and bring it home to continue working on it.  Communication speeds increase dramatically and now instead of taking hours for a file to be transferred via Electronic Mail or a File Sharing Service, it takes minutes or seconds.

It is at this point in the timeline of the modern computer era that the Information Technology Staff can no longer say with any certainty or confidence that they “know were all of the corporate data is.”

No longer is the transport of sensitive corporate data limited to that which could be physically carried out the door on paper or a disk, but now it can be sent across town or across the country or globe in an almost untraceable manner over the Internet.  I say almost untraceable because the tools were not widely available to the average Information Technology person, nor was there a mindset, of securing and tracking both the creation, management, and transport of sensitive corporate data in the majority of businesses.  (Banks, Public Companies, and Government Agencies are generally the exception.)

As the realization hits home that data has become mobile, technology catches up and businesses start to create policies and implement tools that are able to track the movement of sensitive information within an organization and in many cases prevent it from leaving the confines of the company.

Tools to accomplish this include the ability to log the username of every person who accessed specific files, such as Microsoft Word Document or Excel Spreadsheet for real time or after the fact review (audit trails); Advanced Content Filtering Firewalls that can scan every email and attachment going in and out of a company via the Internet looking for key words that might indicate a security breach or espionage; and, Company Policy Manuals that explicitly and politely remind employees about the definitions of “Confidential” and “Proprietary.”  Even though most every Personal Computer has a USB or CD/DVD drive, the Write functions can be disabled or password controlled as an added measure of security.

So when you walk in to your office today, take a look around and ask yourself, “Do you know where your sensitive Corporate Data is?”  And, more importantly, “What have you done to secure it?”

If you or your Information Technology person cannot answer this question with the same certainty of 30 years ago, engage a Data Security Professional who can help put the “Genie back in the Bottle” and keep your sensitive corporate data secure.