
Rethinking stored document encryption: Part 1

So let's start thinking about the basic requirements for confidentiality in the workplace. In particular, let us consider the principal causes of unintended disclosure:

  1. Failure to delete data stored on decommissioned drives
  2. Lost or stolen USB drives
  3. Lost or stolen laptops
  4. Compromised machines
  5. Unintended disclosure through email forwarding
  6. Malicious employees

We have no means of accurately evaluating the relative importance of these factors in actual attacks. While conventional wisdom holds that '60%' of all attacks come from within the enterprise, the evidence for this claim appears to be anecdotal and is almost certainly out of date in any case.


Now that Internet crime is professional, the traditional approach to risk evaluation must be abandoned. It no longer makes sense to ask what the 'probability of loss' will be. The probability of loss will be close to one if an attacker realizes a means of making a profit from an attack, and close to zero otherwise.


As the adverts say: past results are no guarantee of future performance. The rate of loss from any given cause is going to depend on the ability of an attacker to make a profit. This argues for the external threat facilitated by internal negligence being the primary concern, as that is the type of attack that the professional crime rings are going to invest their research dollars in facilitating.


We conclude, therefore, that while intentional malpractice by employees is certainly one cause of unintended disclosure, it is not the only cause and almost certainly not the most serious one. Any employee can be careless, but only a small number are actually corrupt.


And whether or not unintentional disclosure is the most serious cause, it is certainly a substantial one that deserves attention in its own right, regardless of whether the much harder problem of dealing with the malicious employee is to be addressed.
