"Information wants to be free" is a gross understatement.
Enterprises blanket their systems with security in the attempt to saturate every data repository with protection. Organizations affirm the logic of layering everything from access management to security zones to safeguard information assets. Yet, somehow, data still leaks. Real world exposure occurs virtually on a day-to-day basis.
[ Prevent corporate data leaks with Roger Grimes' "Data Loss Prevention Deep Dive" PDF expert guide, only from InfoWorld. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
Advanced malware attacks get a lot of ink, but careless employees, incomplete policies, and the invasion of consumer technologies create plenty of risks as well.
Here are five places where data sometimes avoids the protective eye of security systems and policies.
Let's start with the most obvious hiding place: Spreadsheets.
Spreadsheets contain fun, variegated, and often sensitive data sets: financials, credit card numbers, HR data. This you knew.
When enterprises neglect security measures like passwords and share these files via email, file shares, and collaboration suites, that data could end up anywhere. Employees endanger spreadsheet data when they connect away from the office to the less secure home and hot spot networks. Lost or stolen laptops, USB keys, DVDs, and smartphones expose the files when security plans neglect disk or file level encryption, or both, says Craig Shumard, CISO emeritus, CIGNA.
Meanwhile, back at the office, spreadsheets are still falling victim to low-tech exposures, such as when employees print them out and leave them lying around.
In one example, shared by a former travel booking industry executive, a good employee with the best of intentions together with poor security put critical data in a bad position. "We found out one of our payroll people had dumped a bunch of data into a spreadsheet and saved it on a laptop, which was stolen. The disk was not encrypted," says Ed Bellis, former CISO of Orbitz. In this particular instance, nothing came of it, says Bellis, but something certainly could have.
So spreadsheets like to wander. This you also knew.
"Spreadsheet" for most enterprises used to refer to Microsoft Excel (unless your career goes back to the Lotus 1-2-3 era). Today, of course, there is a handy cloud-based spreadsheet tool in Google Docs. (More about file synching services in a moment.) So hunting for errant spreadsheet data means looking in more and more places.
Hopefully you knew that too. But have you also considered that even unattended settings may leave gaping security holes as well?
"If you don't take into account how your autosave settings are configured in Excel, the application can create a shadow copy on your local machine, open to anyone who can get to it," notes Adam Gordon, CISO of New Horizons Computer Learning Centers.
SharePoint is Microsoft's file sharing/collaboration/content-and-project-management tool. "SharePoint is capable of handling more than 200 file types out of the box without any customization," says Gordon.
Imagine the data it can unleash.