Security.nl, a Dutch website focused on computer and internet security, conducted a poll from which, according to their latest newsletter, it transpired that awareness education/training is currently considered the most popular solution to prevent leaking of sensitive information. Last year 34% of the readers considered encryption the most suitable prevention tool; this year 44% of the respondents considered awareness training the most preferable solution. This is claimed to be a remarkable move upwards from 27% last year, with encryption now chosen by only 30% of the respondents. Consistent was the 8% of respondents that opted for storing less data. This is according to the latest newsletter.
(Pleasantly) surprised by that outcome, I checked the respective poll on the site to find that this report was based on 679 votes, which seems hardly adequate to draw any general conclusions from this poll. At the same time, however, daily reality cannot come to any other conclusion than that awareness is your first key step, despite the importance that encryption may or may not have.
It cannot be denied that in many situations nowadays, encryption is only part of the solution. The social web and social engineering especially have become important “weapons” in the arsenal of those that do want to get their hands on sensitive information. Years ago, Kevin Mitnick already predicted that the human factor would be the most important one in the information security area, and that advice, in my view, remains as current as when it was made.
Reading the reactions to the poll, I see a substantial divide between those that opt for encryption and those that opt for awareness training. IMHO there is nothing wrong with an approach that incorporates both. At the same time, I would have to maintain that those that are committed to getting their hands on your valuable data will probably find a way.
Talking about that, I need to mention that at the moment data theft by employees is considered the largest threat. While this may come as news, or at least is presented as such, it has been my experience that the “insider threat” has always been the most important one. What has changed, however, is that more of your insiders may have an incentive to actually make the threat into an incident. Anxious about lay-offs, or upon actual lay-offs, employees may be more tempted to take along your valuable information, either because they are considering setting up shop for themselves, or because the competition may be keen to re-employ them, or just because, well, you never know where it may come in handy.