For many companies, particularly those in the high tech world, the most important assets are not inventory, buildings, cash, or even people. For quite a few companies, their most important assets consist of streams of electrons—data.
Think about it. What would cause greater harm to your employer:
1. A fire that destroyed the warehouse.
2. The loss of electrical power for a couple of days.
3. Embezzlement of $100,000.
4. A disgruntled employee selling your customer and prospect list, along with your source code, blueprints, and internal documents, to the highest bidder.
I’m going to go out on a limb and say #4 in most cases. Yet, which do we guard and insure against? Numbers one, two, and three.
Recently (2010), a website called WikiLeaks published hundreds of thousands of the most sensitive and secret documents of the US government. Now surely the force and might of the United States government is an awesome thing. How did this happen? Was it a James Bond-like character or a sophisticated hacker? No, it was allegedly a young Army private who had legitimate access to vast amounts of classified data and who downloaded it onto a CD. He then got past the guards by labeling the CD as Lady Gaga music. What a master criminal!
Think about this: Is your business data safer than the government’s secrets? I sincerely hope so, but I doubt it. What measures do you have in place to monitor users for unusual work patterns? If a salesperson suddenly started exporting every report on your CRM system, would you notice? When someone leaves, do you have a way to audit their activities? Do you enforce password policies on SaaS logins? Are you sure your users haven’t shared their access with other employees or worse, outsiders?
These are tough questions and I have more worries than answers. Right now, all we can do is cook up homebrew audit tools, try to enforce security policies that are inherently unpopular with management, and pray. If the Cloud is going to mature and become the driving force in business like I think it should and will, we must demand that vendors start baking security in from the very first line of code. This is far, far too important to be left as an afterthought.