Galen Gruman
Executive Editor for Global Content

How to secure business info: Keep employees off the Internet

analysis
Jun 8, 2010 | 3 mins

Yet another study tries to scare businesses about information losses in a naked attempt to sell more security tools and services

There they go again: Trying to scare business and IT executives into buying yet more security tools. This time, it’s a study from ISACA, a respected security auditor’s professional association whose members nonetheless benefit professionally the more they have to secure and audit, listing the top 5 security threats from social media. Its bottom line: Social media are an easy conduit for sensitive information to go where it shouldn’t and for data thieves to find a way to it.

There’s a very simple solution to preventing employees from leaking — accidentally or intentionally — sensitive information: Take away their computers. Or at least disconnect them from the Internet, and do a body search when they leave the building so that you can find any hidden thumb drives, printouts, and CDs. While you’re at it, you might as well unplug their phones, too.


A joke? No. The fact is that any information an employee gains access to creates a risk, whether it’s on paper or in electronic form. The more conduits a person has to exchange information, the more risk there is of information leaking — so reduce the conduits where possible. That’s much easier than trying to monitor them all and detect what is legitimate sharing and what is not.

Defense contractors do this all the time. One IT leader at a major defense contractor once told me that he wasn’t so concerned about bringing smartphones into the organization as some other people were because he knew the truly sensitive information wasn’t on the network in the first place. No smartphone, no matter how secure or vulnerable, could ever access it. And what a smartphone could access shouldn’t be anything you couldn’t afford to be exposed in the first place.

Of course, the real problem with this strategy is that most businesses do better because of information sharing; turning off Internet access and not letting employees use removable media, have paper and pen, communicate on phones, and so on are simply not realistic. What is realistic is to control the access in the first place; trying to detect leakage threats once the information is on any conduit is already too late.

I wish security vendors and IT pros would get off the “we must control everything” kick. It’s not possible, so all you’re doing is creating an expectation you’ll never meet and burning through lots of cash trying to meet it (good for the vendors, but not for their customers). Better to control information at the point of access, on a “need to know” basis.

Will that violate some government regulations? Sure. But the regulations are antiquated, based on a reality that doesn’t exist. The sooner we stop pretending otherwise, the sooner the regs can be revisited in the right context. Will that violate some of your secrets? Probably not — what’ll be different is that you’ll have to stop pretending that they are secrets in the first place. At least then you can focus on the secrets that actually matter.

This article, “How to secure business info: Keep employees off the Internet,” was originally published at InfoWorld.com.