Little Red Riding Hood Was Neglected

October 1, 2007
Jim Doherty

Something occurred to me recently when I was reading "Little Red Riding Hood" to my children: Her mother was negligent. She sent a six-year-old girl alone out into a forest, knowing full well that there was danger lurking beyond the safety of her front door. Sure, it was unavoidable that the basket of goodies had to be taken to grandma's house. But not only was the child offered no protection on the journey, she also wore a bright red hood for all to see as she made the trip across a forest where there were known dangers.

So what does this have to do with our networked world? Everything. Ask yourself what your business' most important assets are. Chances are that most, if not all, of your prized assets are in digital format. Whether it's your own intellectual property, strategic plans, financial status, or customers' private information that you have been entrusted with, it is information that must be guarded--and vigorously protected. It must only be seen and shared among those you trust, because it has no inherent protection. Once the bad guys have it, they have it.

There are many tools at your disposal, and most intelligent and conscientious business and information technology leaders have deployed them. You do not want anyone just "walking in" and seeing your information, so firewalls are installed. You do not want anyone trying to break in and take your information, so intrusion detection systems are installed.

You may only want some of your employees to have access to the information, so authentication and permissioning systems are installed. In many cases you do not want a misplaced laptop with your information on it to be found and exploited, so you encrypt the hard drives, or keep the data off the laptops altogether. And if you are sharing your data between trusted sites overseas, or over third-party networks ("through the forest," you might say), you don't want the information to be siphoned off the network as it passes by, so you encrypt or hide your data in motion. (You do encrypt your data over third-party networks, don't you?)

Failure to Protect

The truth is that many financial institutions (and other businesses) don't encrypt their data. Billions of dollars are spent every year on IT security, creating "walled gardens" in an attempt to keep the bad guys off privately owned networks because that's where the data is, or at least that is where it is stored. But then, inexplicably, and without a moment's hesitation, we send that precious data beyond the secure perimeter, and onto a service provider's network, despite the fact that the provider makes no guarantees regarding its security and integrity. Our data can then be sent over any network that the service provider outsources to, without us ever knowing who or where they are.

We also send our precious data over foreign-owned networks, despite the growing threat of organized crime moving into data theft, knowing that many of these emerging markets have, at best, weak intellectual property enforcement. We send it in clear text, right into the gaping jaws of the big bad wolves out there, with no protection whatsoever.

We knowingly send it this way, hoping that the big bad wolf misses us this time. If and when you do this, you are no more a good steward of your company's assets than Little Red Riding Hood's mother was a caring protector of her only child.