I remember when seat belts became law in Ontario. It was 1976, I was still in high school, and, ironically, it was the first year I had my driver's license. They must have seen me coming. My dad, God rest his hard-arguing, intensely self-determined soul, made a convincing case that he had been driving all his life without one and was therefore living proof a seat belt was a waste of time and its mandatory legislation yet another senseless political endeavour. Even worse, Ontario was the first jurisdiction in North America to make wearing a seat belt mandatory, so certainly he was being persecuted for our massive failure of insight and choice during the previous election.
The logic of his argument is much the same as what I hear from professionals operating their personal computing and communication devices, including CIOs of law firms with hundreds of lawyers brandishing devices that can grant access to hundreds of thousands of sensitive documents. I see their lips moving, but my dad's words coming out:
"Why do I need to be told to do this?"
"I know it's hurt other people but nothing ever happened to us."
"I'd rather spend money on core business functions than something that may or may not provide a benefit."
"What we've always done has been good 'enuf."
Good grief. How hard is it to see that what we do on computers today is the business? We would no more let our children, our most important personal assets, drive around without a seat belt than we would let them play in traffic. But we still resist the idea that an appropriate amount of effort and investment is critical in securing our most important business asset, our information. We guzzle devices in such copious amounts that it has made a tech company, not an energy company, the most valuable company in history. Then we drive business at the speed of light without a seat belt.
Too far on the analogy? You don't think seat belts that save lives are in the same league as security and backup tools that prevent data loss? Surely they are not. But you should hear the calls I get from folks fleeced of their real estate deposit that never made it to the lawyer because of spyware on their computer, or a 15-year-old business that failed for the lack of a decent offsite backup when a disgruntled employee (no one knows who) had walked off with the backup drives. Within weeks, suspiciously, the accounting server failed.
As big business has become relatively more secure given its substantial resources (IDC reports financial institutions spend in the aggregate $25 billion annually on security, and most of it actually works), it is abundantly clear in the numbers that small business and individuals have become cybercriminals' easy money.
So what to do? Take a minute now to ponder your data protection situation. As of today, with all of the changes and challenges of the past year, what is on your computers that you really, really depend on? Is it sufficiently protected? And what about all those new mobile devices, especially the ones the staff bought themselves that are suddenly a constant fixture for them at the office? What do they have on them? Are they little unprotected gateways to the network? Think mechanical component failure, malicious software, Internet attacks, and internal threats.
Has your data protection strategy kept pace with your growing treasure-trove of information? In every scenario you play out, fire, flood, theft, data corruption, do you get back up to where you were in at least a couple of days, or are you flying down the freeway without your belt on, thinking since you didn't have an accident yesterday you won't today?
In upcoming posts I will cover why I think the importance of the data we collect has flown way past the effort we take to protect it. Why companies from five to 5,000 increasingly put their capital, reputations and sanity at risk because of a failure to recognize the growing gap between the value of their data and the action they are taking to protect it. And why we are facing new federal legislation in Bill C-12 that will compel us to openly face the consequences of mismanaging the information we invariably stockpile on other people.
I will also explore why some actions we take to protect our data create a false sense of security that is as dangerous as no security at all, why any form of local backup is already a dinosaur, and why, to a hacker, your system password alone is about as good as wrapping your data in a big red bow. Cybercrime, among many other serious criminal activities through the Internet, is predominantly the criminal act of stealing financial assets. It has become the most valuable criminal activity on the planet. I'll talk about some ways to keep you out of the fray.
Early adopters who wore their seat belts when they figured out it would save lives fared remarkably better than those who stayed with their practice of the past. There is already no question your business will fare better too if you take heed of the data threat warning signs already around us.
Taking the time to secure access, put up barriers, and encrypt everything in sight, right at the beginning of the design or deployment of a system, is essential to protecting your business today. An organized and effective process to do this is ingeniously described as Privacy by Design by Ontario's technically savvy and ever-passionate Privacy Commissioner, Dr. Ann Cavoukian. You can find out a lot about Privacy by Design here. It's a good idea not just for privacy protection, but for business protection.
From server to cloud to endpoint devices, data protection is putting on a seat belt before you start the engine. Like seat belts, it needs to become common sense. Oddly, I'm sure my dad would think so too.