Don’t Send The Password With The Data
It emerged this week that one organization had to send out a memo to its staff reminding them not to send out encrypted documents with the password! I won’t mention which organization it is - as I have a feeling there are quite a few with this problem. The other one I have seen very recently is the yellow sticky with the password attached to the laptop!
These are great examples of where the people, process and product story has broken down. In both cases encryption is the technology - and that works to protect data. The process is in place - encrypt sensitive data if it might get lost (so, on a laptop, in an email going out of an organization, on a CD, on a mobile phone, or … you get the picture) - but the process is incomplete: what do you do with the password, and how do you communicate it, if required? Finally there is a lack of education for the staff (or, in this latest case, the education is retrospective and reactive rather than proactive) about why we are doing this… to protect individuals’ information, or corporate information… and so, if you send the password at the same time, you might just as well not have encrypted it. Of course, there is some irony here - in the US, with its disclosure laws, if the data was encrypted when it was lost then that is the end of it - no disclosure - even if the password was on a note!
Education needs to happen from the top to the bottom of an organization and processes need to reflect every step which includes how to communicate passwords when needed.
How do you send a password… well, that just depends… in many cases you can just phone the person up and tell them, or you could send it by SMS text message… or… well, you decide - it’s your organization. Just make sure that there is a policy and that people know what it is.
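One control that backs up such a policy, as an added example that is not from the original post: a heuristic scan of an outgoing message that flags an encrypted attachment shipped together with its password in the same mail. The attachment extensions, the password phrases and the sample messages are all assumptions constructed for the example.

```python
"""Heuristic check: encrypted attachment and its password in one message (constructed example)."""
import os.path
import re
from email import policy
from email.message import EmailMessage

# Extensions commonly used for password-protected containers (assumption, tune per organization).
ENCRYPTED_EXTS = {".zip", ".7z", ".gpg", ".pgp", ".asc", ".pdf"}
# Phrases that typically introduce a password in a mail body (assumption).
PASSWORD_PATTERN = re.compile(r"\b(?:password|passphrase|pwd)\b\s*(?:is|:|=)\s*\S+", re.IGNORECASE)


def encrypted_attachments(msg: EmailMessage) -> list:
    """Return file names of attachments whose extension suggests an encrypted container."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in ENCRYPTED_EXTS:
            names.append(name)
    return names


def password_in_body(msg: EmailMessage) -> bool:
    """True when the text body contains something that reads like a disclosed password."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return PASSWORD_PATTERN.search(text) is not None


def violates_policy(msg: EmailMessage) -> bool:
    """Flag a mail that carries an encrypted attachment and a password in the same channel."""
    return bool(encrypted_attachments(msg)) and password_in_body(msg)


def build_sample(body: str, attachment_name: str) -> EmailMessage:
    """Construct a sample outgoing message for testing (constructed data, not real mail)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "staff@example.org"
    msg["To"] = "partner@example.com"
    msg["Subject"] = "Quarterly figures"
    msg.set_content(body)
    msg.add_attachment(b"PK\x03\x04 constructed archive bytes", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg


if __name__ == "__main__":
    bad = build_sample("Hi, the password is Winter2024! Regards", "figures.zip")
    print("flagged" if violates_policy(bad) else "ok")  # flagged
```

A real deployment would run this at the mail gateway and quarantine or bounce the flagged message so the password goes out by phone or SMS instead.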

Don’t Take Sweets From Strangers
We spend a lot of time educating children about the dangers of strangers. Don’t speak to strangers, don’t get in cars with people you don’t know and don’t take sweets from them. This education starts from an early age and so becomes part of their philosophy.
It is time we do the same thing for information that is requested online - and the education needs to start just as early. Why would you give your name and address to someone online when you wouldn’t dream of doing the same thing if someone asked you for them in the street? What about credit card and bank details - of course not. But… online… well, anything goes. When you do need to use a credit card, in a shop, then you are ‘in the shop’ and that goes a long way towards confirming that it is a bona fide shop which has a (hopefully) good reputation - when you are online, how do you know who you are dealing with? What additional precautions do you take to ensure that you will not be ripped off, or become another identity theft statistic?
Of course this is not just about children - it is about everyone who is active on the Internet. Education that changes behaviour is tough - the earlier you start the more you remember and the behaviour becomes second nature.
At the moment, I guess most cyber-criminals talk of their latest exploits and the gullibility of their victims as “it’s as easy as taking candy from a child”.
