Data Loss Prevention Is Becoming Increasingly Complex
As businesses and organisations incorporate an ever-growing number of solutions, platforms and applications into their IT operations, it goes without saying that the scope for data loss, and its prevention, rises in tandem. It’s a drum we have been banging for some time now, but two stories in the news this week further highlighted that there is more than one vector for data loss in modern business – and removing one doesn’t reduce that burden.
First up is the widely reported news that the German government is considering reverting to old-fashioned typewriters to counter the threat of the NSA snooping on sensitive communications. If indeed this goes ahead and German agencies start using typewriters for confidential documents, it will, in essence, be removing one set of data protection problems only to replace them with another. While documents will no longer be directly accessible via the internet, wearables and smartphones mean that they are only a photograph away from becoming digital. We often forget that information in paper files and documents can be just as sensitive, and prone to mishandling, as electronic data – so going offline is not a silver bullet for data loss prevention.
Also in the news this week have been reports that Android apps ask for far too many device and data permissions, leaving businesses that utilise them with a potential data protection headache. With applications often requiring a variety of access permissions, both businesses and employees need to be aware of what potentially sensitive data they are making accessible to people outside the organisation. For instance, if an application that requires address book access is running on a corporate device, do you really want to give that app access to your corporate address book? This obviously adds another layer to, and raises more questions about, an organisation’s data loss prevention policy.
One week’s worth of news just goes to show that all information, irrespective of format or device, needs to be considered in data security audits and should be covered by policies that govern its access, usage, storage and disposal – even if it is easier said than done!