Humans Are the Weakest Info Security Link: Technology Alone Cannot Guarantee Compliance Nor Prevent All Information Leaks

Today a press release came from an information security vendor in my neck of the woods, Palisade Systems.

The press release discussed the results of a survey performed by the vendor that "concluded accidental or malicious data leaks by employees pose the biggest data security, monetary and compliance threat to organizations."

Indeed.  Humans always have been and always will be the biggest vulnerability and threat to basically any type of business function, including information security and privacy compliance. 

I did not contact the company to request a copy of the study results.  However, I found it very ironic that they used the study results, concluding that people are the weakest link in information security and compliance, to then have the vendor CEO basically state that his technology product will prevent sensitive data leaks.

"By combining our content monitoring and blocking technology with ZixCorp’s encryption service, we will now be able to guarantee another level of content security to organizations that require their confidential data remain confidential to only authorized personnel," said Kurt Shedenhelm, CEO and president of Palisade Systems. "While competing vendors provide pieces of an overall content security solution, Palisade and ZixCorp deliver a completely integrated solution that ensures private content is protected even after it’s been checked and approved internally for outbound delivery."

It bothers and concerns me when vendors make guarantees, especially about security and compliance.  It bothers me when I see claims that a technology product alone "ensures private content is protected."

Just quickly off the top of my head I can think of two situations in which technology is probably not going to be able to stop the leakage of sensitive data from a network.
1)  Sensitive data inside encrypted files, which a content filter cannot inspect
2)  Sensitive data transferred out of the network through a user’s personal email account, accessed with a browser-based webmail front end

I know these two situations happen within organizations all the time.  I know that even if an organization has blocked access to the most common types of webmail, such as Yahoo, AOL and so on, it is trivial for people to have their own domain name, on their own ISP and mail server, with a webmail interface that is not blocked by the filters on the network.
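To make the first of those two situations concrete, here is an added example (not code from the original post or from any vendor named in it): a minimal outbound content-inspection filter of the kind a DLP gateway applies, run against one constructed customer record in plaintext and then against the same record after it has been encrypted. The filter finds nothing in the encrypted copy. The entropy check at the end is the usual compensating control a practitioner adds: treat opaque, high-entropy attachments as uninspectable and quarantine them rather than claim they were checked. The record, the key and the toy counter-mode keystream are all constructed for this example; the keystream exists only to produce ciphertext offline and is not a cipher to use.

```python
"""Added example: a content filter is blind to encrypted data; an entropy
heuristic is the usual fallback. Inputs are constructed, not real data."""
import hashlib
import math
import re
from collections import Counter

# Patterns a simple DLP policy might carry: US SSN and 16-digit card numbers.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(rb"\b(?:\d{4}[ -]?){3}\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on 16-digit matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def inspect(payload: bytes) -> list:
    """Return the policy hits found in a payload (empty if none)."""
    hits = []
    for m in SSN_RE.finditer(payload):
        hits.append(("ssn", m.group().decode()))
    for m in CARD_RE.finditer(payload):
        digits = re.sub(r"\D", "", m.group().decode())
        if luhn_ok(digits):
            hits.append(("card", digits))
    return hits


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy counter-mode keystream from SHA-256 (illustration only, not a
    cipher to use): enough to show the filter cannot see inside."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; English text sits around 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(payload: bytes, entropy_threshold: float = 7.0) -> str:
    """Decision a gateway could make: block on a policy hit, quarantine
    opaque content it cannot inspect, otherwise allow."""
    if inspect(payload):
        return "block"
    if shannon_entropy(payload) >= entropy_threshold:
        return "quarantine-opaque"
    return "allow"


# Constructed sample record: made-up identifiers, Luhn-valid test card number.
RECORD = (
    b"Customer: A. Example\nSSN: 123-45-6789\n"
    b"Card: 4111 1111 1111 1111\n"
    + b"".join(b"Note %02d: routine account maintenance, no action needed\n" % i
               for i in range(40))
)
KEY = b"example-key-not-for-real-use"  # constructed, hypothetical key
ENCRYPTED_RECORD = toy_encrypt(KEY, RECORD)

if __name__ == "__main__":
    print("plaintext :", classify(RECORD), inspect(RECORD))
    print("encrypted :", classify(ENCRYPTED_RECORD), inspect(ENCRYPTED_RECORD))
    print("entropy   : %.2f -> %.2f" % (shannon_entropy(RECORD),
                                        shannon_entropy(ENCRYPTED_RECORD)))
```

The quarantine branch is the honest outcome: the gateway cannot say whether the encrypted attachment contains the SSN and card number, so it should not pass it as "checked". Note that the same blindness applies to password-protected archives and to TLS sessions the gateway does not terminate, and that the entropy heuristic also flags legitimate compressed or encrypted business traffic, which is exactly why it needs policy and people behind it rather than a promise from a box.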

I admit, I know nothing about the Palisade product other than what was written in the press release. And, perhaps there is something it could do about the webmail issue…but I’m not sure…

The situations I mentioned are only two possibilities; there are many more covert, and overt, ways in which data leakage can occur from a network, as well as, of course, non-network ways.

Yes, using good information security technologies to help prevent the leakage of sensitive data will lessen the leaks, and it will also demonstrate due diligence on the part of the organization.  Yes, it will help to meet a subset of compliance requirements for many different data protection laws and regulations.  But that is just part of the complete solution for preventing as many data leaks as possible, and for meeting all compliance requirements.

Information security, privacy and compliance take much, much more than technology.  I’ve seen too many SMBs and, frankly, gullible organizations of all sizes purchase technology products and install them thinking they are then in complete compliance with data protection laws and regulations, only to have a rude awakening later when they get audited and are told they also need policies, procedures, training, awareness and the other administrative requirements from the regs.  Or, worse yet, discovering after an incident has occurred that the technology alone was not the complete solution after all.

Technology alone will not make any organization completely compliant with any data protection law or regulation.

That’s worth a deja vu…

Technology alone will not make any organization completely compliant with any data protection law or regulation.
