September 21, 2006

Your data. Always had it, always will...

Everybody's fired up about thumb-drives. ComputerWorld warns us about the dangers of thumb-drives in their article "Thumb-Sized Leaks in Corporate Security", and Hummingbird's recent study about how departing corporate executives steal data hand-over-fist has been getting all kinds of play in the Register and on VNUNet. According to some, it's quite a huge issue:

Think about compliance issues if an insurance company employee downloads a couple of thousand customer records onto a flash drive and then loses the device... And often, the company won't even know the employee has done it. The result can be lawsuits and, if federal medical or financial privacy rules have been violated, multimillion-dollar fines.

Yowsa. Sounds serious. Clearly, all of these things could happen. But when you stop and think about it, the threat of the thumb-drive is not categorically different from what has been present in corporations since corporations have existed. Why do I say that? Because folks have always carried knowledge (and media used to carry that knowledge) with them from job to job and from task to task. Look, what's the difference between putting proprietary data on a thumb-drive vs. putting confidential documents in your briefcase? Before the briefcase, the knapsack was the "data stealing" vector of choice. Isn't it the case that CEOs, directors, managers, and - yes - even humble flunkies could have walked out the door with proprietary information in the fifties before the PC as we know it even existed? I think human nature is such that we can guarantee an unbroken chain of data theft spanning back to the time before Solomon; ancient Greeks hiding stone tablets labelled "proprietary and confidential" under their togas and ancient Egyptians smuggling papyrus under their armbands.

OK, granted that you can fit a lot more information on a thumb-drive than you could fit in a briefcase, but doesn't that mean that folks using the "hardcopy data stealing method" have to select what they steal a little more carefully? In fact, although I haven't studied the matter carefully, I would bet that percentage-wise employees are pocketing about the same percentage of data as they always have - it's just that now there's more of it to steal.

So what's the answer? Clearly, employees are going to steal data. They want to steal it, so they'll find a way. They feel (as we all probably do) that what they do today can be useful to them tomorrow in the next endeavor they undertake; given that incentive, folks will go to fairly great lengths to get their hands on this stuff. Mark my words: take away thumb-drives (or implement some measure to make thumb drives hard to use) and employees will steal floppies - get rid of the floppies and they'll send information out via email - filter the email and they'll walk out with hardcopy - implement airport-style security to prevent walking off with documents and guess what - they'll take it home anyway (as much of it as they can) in their head.

Look, I don't want to be a doomsayer, but it seems to me that this is the kind of battle that won't be solved with technology - it'll be solved by making employees not want to steal the data - either via legislation, litigation, or because your employees are so darned satisfied that they don't want to leave in the first place. But then again, I could be wrong.

Posted by Ed at September 21, 2006 05:23 PM