WikiLeaks’ release of thousands of classified American diplomatic papers has shown up something not just about securing information, but also about human nature. Leave somebody alone with a precious asset for eight hours a day, seven days a week, eight months at a stretch – you do the math.
Given those circumstances, it would not be long before most people would start to get similarly interested in that information and think about how they might extract it. Using a Lady Gaga CD as the vehicle of choice just adds a pleasingly quirky twist.
Beyond the particulars of how the alleged perpetrator did it, however, there sits a potentially more important lesson. The episode has revealed that the number of Americans authorised to view documents classed as secret is nearly three million. These were not single copies of a document kept in a locked safe for viewing by just a handful of spies – they were in wide circulation.
Now consider just how many people in your own organisation might be handling sensitive or personal information. At a presentation by one major utility I saw last year, seven out of ten of its staff were said to be using customer records in some form. That means tens of thousands of people routinely handling a key asset.
Access to data is growing. In a recent survey by Informatica, 86 per cent of companies said staff outside of the IT department could access data, while 94 per cent of sales and marketing professionals said they had created their own databases. Customer records are multiplying and being held locally as well as centrally. With that extension of access comes greater risk.
Add to that the growing demand from customers for mobile access to services and information and the problem gets even bigger. Mobile data is harder to secure and easier to intercept, yet that genie is long out of the bottle.
In the case of the current diplomatic embarrassment, the reason for the data theft is public interest. The soldier alleged to be responsible is claimed to have said he felt the information needed to be public. As a journalist, I have a lot of sympathy with that view.
When it comes to personal information and financial data, there is no such argument. Your data only gets leaked through carelessness or crime. Given the significance of the risk from an insider, there is really only one way to guard against that – by making sure your company has the right data culture.