Disclosure: I attended a half-day seminar on e-discovery where this story was told by Randy Kahn of Kahn Consulting. It got me thinking, and some of this reflects his talk.
In early September 2008 United Airlines stock fell by as much as 75% because of a six-year-old article that found its way onto Google. The article, which reported United's 2002 bankruptcy filing, carried no date and was accidentally re-posted on a newspaper's website. Over the weekend it started turning up in searches about United Airlines. As investors and automated trading systems saw the article they panicked and sold United shares, driving the price down sharply. Luckily, people actually started researching the story and discovered that it was old news with no bearing on the present. The stock rebounded and regained most of the loss.
How did this happen? I can't say for sure, but it sounds like someone wasn't managing their data very well. How does well-managed data get mishandled like that? There is obviously a legitimate business case for keeping old stories like this around; they are useful for research and the like. But the article could have been tagged with a publication date and an "archive" status so that it could never be mistaken for current news, and restrictions could have been placed on how and where it could be republished. The problem is that this requires tooling that, unfortunately, many companies do not use, and that makes data management and security a nightmare for many of them.
Unfortunately I don't have a low-cost, easy-to-implement answer to this problem, but it is something that needs to be addressed in your company. We all know that we can't secure what we don't know about. We can't secure the data if we don't know where it is, who is accessing it and what they are doing with it. Data has been taken too lightly for too long. It has been treated as if it doesn't matter and is impervious to loss, misuse or any other bad thing. Sure, we play the game: we put in firewalls to keep the bad guys out and deploy a few other controls inside the network and on host systems to make us all feel a little better, but we aren't managing the data itself. We aren't teaching the DBAs, server admins, end users and everyone else that the data is important and must not be tossed around like a rag doll. We're not building the case to upper management that having policy with teeth is critical to keeping us safe.
We write policies and set them in their little corner, to be pulled out when the auditor asks for them or when someone does something bad, but otherwise we pretty much ignore them. We don't train our users on what the policies say and why they say it, and we don't teach them how to follow them. We don't work with the business units to ensure that the policies are even effective and enforceable. We don't meet with legal, compliance and other groups to see how the policies fit the laws and regulations that apply to us. We don't look at how a change to one policy affects other policies and makes them more or less effective and enforceable.
I know that I'm making a broad, sweeping statement with much of this, and that it isn't the case for all companies. The problem is that it occurs in far too many places, because companies and people are just playing the game. They aren't taking their compliance and security programs seriously. They want to check their box and move on. They aren't thinking outside the box and looking at things from a holistic perspective. In today's world, where data is king, we can't play games. We can't do "just enough." We can't keep thinking that security is a nuisance we have to live with. Management has to take the lead and hire and equip the right people with the right tools and training. They have to take security seriously, and they have to realize that there must be consequences for what happens to data. Those consequences have to fall on the right people and carry some real pain, or nothing will really change.