In his recent New York Times article, “That Daily Shower Can Be a Killer,” renowned geographer Jared Diamond observes how Americans tend to greatly exaggerate risks that are sensational and beyond our control—like plane crashes and nuclear radiation—yet underestimate the mundane, but more common risks that we can control—like slipping in the shower or falling from a ladder.
In my geek-centric mind, I immediately drew a corollary to computer security. We’ve all met the engineer who will spend weeks obsessing over which password hashing algorithm to use, but fail to implement a solid password policy.
If you find yourself being hyper-paranoid about dangerous, but implausible attacks…stop! Do a quick risk/frequency gut-check to determine whether you’re wasting time. You shouldn’t be debating the strength of SHA-256 while your employees are emailing trade secrets to a Nigerian Prince.
What are some of the fall-in-the-shower type risks when it comes to data protection? Our State of Data Protection Report from last year highlights a few:
- Only 26% of companies are very confident their data is protected
- 18% weren’t confident at all
- 23% of companies were not confident or unsure where their critical business data resides
- 27% of companies did not monitor any access activity on file servers and SharePoint sites
- 13% of companies never revoke access to data when an employee leaves the organization
- 61% do not scan their environment for sensitive data
Based on our results, there’s clearly a lot of room to tighten up these fundamental areas of day-to-day risk. Just as Mr. Diamond’s goal is to reduce life’s common accidents to 1 in 1,000, we should strive to minimize common data security risks, like insider theft, by implementing sound security programs.
Want to learn more about risk analysis?
Here are some good resources:
- W. Krag Brotby’s book Information Security Management Metrics: A Definitive Guide to Effective Security Monitoring and Measurement
- Factor Analysis of Information Risk (FAIR) is a quantitative framework that helps you objectively compare risks
- NIST.gov’s Risk Management Framework (RMF) is a framework to help you select the appropriate security controls for your organization
- The GAIT methodology provides a qualitative approach to risk assessment