To be fair: you as a CIO might not, but it looks like your colleagues do. Two examples, from the many that seem to occur daily, back this up. The first is from the private and the second the public sector. And both demonstrate as much commitment to information fidelity as Oliver Reed would if locked up in a school for reforming porn star performers over a Bank Holiday Weekend.
Item one: a survey of 1,026 Londoners in and around the City that found 70% of respondents have clear plans to take something with them upon actually leaving their job, with the most ‘popular’ being their firm’s intellectual property (27%) and customer records (17%). This is arguably justified in their view, it seems, as half claimed to have personal ownership of the data anyway, 59% in the case of those who were about to change jobs and 53% if they knew they were about to be dismissed.
Why do they ‘need’ this data? They think it will be ‘helpful’ in their next role (35% when moving workplace, 17% under the knowledge of being terminated). The vast majority (85%) are already walking around with the stuff – they carry corporate data in their home computers or mobile devices, either customer records (75%) or that intellectual property (27%) they see as ‘theirs’.
It gets worse. Most (72%) admitted to taking out corporate data already – in the form of customer and HR records and their organisation’s marketing material. 54% cheerfully admit to having accessed data outside their explicit role permissions, which seems pretty easy to do if it really is the case that 73% find that existing access control mechanisms around such data are very easy to bypass.
"It seems most employees have no deliberate intention to cause the company any damage but most individuals leaving their jobs suddenly believe that they had rightful ownership to that data just by virtue of their corporate tenure," commented Amichai Shulman, the CTO of the data security firm that carried out the poll, Imperva, on the findings.
Item two: Stoke On Trent Council has just been censured by the ICO for losing the personal details of 40 vulnerable children in care on an unencrypted USB memory stick. The loss happened before the ICO’s powers to levy fines of up to £500,000 on organisations came into effect, but the Commissioner still had occasion to say, "Although there was a legitimate reason for the information being saved on the USB stick, the failure to encrypt it or use a password meant the information, which included court reports and details of care proceedings, was placed at unnecessary risk."
Put the two things together and I think we see a deep indifference to security that warrants two reactions, if you’re a realist (as all effective leaders have to be, surely): a) let sleeping dogs lie and b) start being a cop.
The first is clear enough. Save time and money and stop shutting barn doors. Let the organisation be completely porous. Half the time nothing will happen, right? Plus, you don’t ‘upset’ anyone.
The second is going to make you more unpopular – you might not get a snog at the Xmas do. But if you don’t agree both these stories show crazy bad attitudes on the border between disrespectful and criminally negligent/culpable, then you don’t respect data and it may be time to find another way to make a living, frankly.
Have a think about it. This stuff matters.