Would you behave differently in a shared office?
How would you change your behaviour at work if you knew the person seated one desk over worked for a competitor?
How would your behaviour change if you knew the person one cubicle over was about to work for a competitor?
What if you knew that your cubicle neighbour was going to lose her job (be fired or laid off) in the next six months? Do you think she’d be looking to work in a different industry, or the one where she had the most recent experience?
What if the economic situation was such that you just couldn’t be sure who in your office would still be with you a year from now?
How would you protect your data then?
My point is less to claim that the current economic situation seems very like this harsh, threatening landscape than to ask you to consider that the answer to this question is actually the answer you should give all the time.
A recent study from Ponemon stated that six out of ten departing employees will take data with them as they leave, whether that’s customer data or business intelligence. Why do they do this? Well, we could get into the whole motivation of why, but the real answer is simple:
Because they can, and because they think they can benefit from doing so. Not because they won’t get caught – because, really, what are you going to do, fire them?
Behave (and design!) as if you’re in an open environment.
Design your data and processes around the idea that important, private, or proprietary data should only rest with individuals or in stores for as long as it is needed to do the job at hand.
After that, then what?
If you no longer need it, or can reconstruct or re-collect it when you next need it, why not just destroy the data?
If you need it, return it to a secure data store, from which it can't be fetched again without business need and appropriate authorisation.
If you never needed it in the first place, why collect it at all?
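One way to turn those three questions into a design, as an added sketch that is not from the original post: a store that drops unneeded fields at collection, hands out working copies only against an approved business need, and destroys each copy when its lease runs out. All class, field and user names are hypothetical and the sample record is constructed.

```python
import time
from dataclasses import dataclass, field

NEEDED_FIELDS = {"customer_id", "email"}  # assumption: all the job at hand requires

@dataclass
class Lease:
    user: str
    record: dict      # working copy held by the individual
    expires: float

@dataclass
class SecureStore:
    authorised: dict  # user -> set of approved business needs (hypothetical policy)
    records: dict = field(default_factory=dict)
    leases: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def collect(self, key, raw):
        # Never needed it? Don't collect it: extra fields are dropped at ingest.
        self.records[key] = {k: v for k, v in raw.items() if k in NEEDED_FIELDS}

    def checkout(self, user, key, need, ttl, now=None):
        # No fetch without business need and authorisation; every attempt is logged.
        now = time.time() if now is None else now
        ok = need in self.authorised.get(user, set())
        self.audit.append((now, user, key, need, "granted" if ok else "denied"))
        if not ok:
            raise PermissionError(f"{user} has no approved need {need!r}")
        lease = Lease(user, dict(self.records[key]), now + ttl)
        self.leases.append(lease)
        return lease

    def reap(self, now=None):
        # Job done or lease expired: clear the working copy; the store keeps the original.
        now = time.time() if now is None else now
        expired = [l for l in self.leases if l.expires <= now]
        for l in expired:
            l.record.clear()
        self.leases = [l for l in self.leases if l.expires > now]
        return len(expired)

def demo():
    store = SecureStore(authorised={"alice": {"billing-run"}})
    # Constructed sample record; "ssn" is not needed, so it is never stored.
    store.collect("c1", {"customer_id": 1, "email": "a@example.test", "ssn": "000-00-0000"})
    lease = store.checkout("alice", "c1", "billing-run", ttl=60, now=0)
    reaped = store.reap(now=61)
    return store.records["c1"], lease.record, reaped
```

Clearing the dictionary only models destruction of the working copy; copies made outside the lease object are beyond what this sketch can track.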
Protecting systems, networks, applications – that’s just resiliency and protection of a few thousand dollars of assets. The real money – and the real requirement for security protection – is in the data.
Act (and architect!) like the data is, AND isn’t, yours.
I used to say that people should “act like the data isn’t yours in the first place” – makes logical sense, doesn’t it?
Sure, if you think that way – if you think that you should be careful with other people’s possessions that they’ve loaned to you.
Over several jobs and several years, I’ve come to realise that we aren’t all of the same species of thought. Some of us are careless with other people’s possessions, and are only concerned with taking care of what’s ours.
So, my explanation has changed – now, the explanation is still that the data doesn’t belong to us, but we have possession of it, and therefore we, as application designers and architects, have a double requirement to be careful with it. We must protect it because it isn’t ours, and we must protect it because it is in our care. To be loose with other people’s data would be to cause them damage, and to be loose with data in our care would be to cause our business damage by reducing the value that we get from holding that data.