Crop circles appear in the photocopier room… does your Incident Response Team ever hear about it?
I just wanted to follow up for a moment on my last post about what your staff thinks is important information to the operation of your business. It is not uncommon to find relatively sensitive information lying on the pile of printouts that didn’t get picked up.
Occasionally, things like the head engineer’s CV or a financial proposal on an acquisition may show up in that pile, and who wouldn’t be a little curious to find out some interesting tidbits? The CV on the printer is not uncommon in any business, and it’s the employee’s personal agenda that is at risk. However, financial proposals or other sensitive information will eventually show up.
If this happens regularly (and you may only hear about it through the grapevine, if you don’t have an Incident Response program), you probably have bigger problems with IT Security throughout the organization that need attention. If this kind of thing is as rare as finding crop circles, that doesn’t mean you’re in great shape. In fact, the less often you have potential incidents, the more important it is that people know what to do when one does happen.
To digress with an example, the Final Report by the US-Canada Power System Outage Task Force, in response to the East Coast blackout in August 2003, makes many observations on the progress of corrective actions since the blackout (not so much on the incident events, which were detailed in earlier reports). Most recommendations are related to communication processes, emergency procedures and training. The following illustrates the type of issue they are trying to address:
“…clarify the criteria for identifying critical facilities whose operational status can affect the reliability of neighboring areas, and to improve mechanisms for sharing information about unplanned outages of such facilities in near real-time.”
Your Security Awareness program and training should regularly remind people not only about what kinds of business information need to be protected, but also about what incidents should be reported, and how. Sensitive papers not locked up, or files left in the printer or photocopier room, may be more dangerous than one would think at first glance.
In the case of actual malicious activities, most attackers know how to cover their tracks pretty well. But at some point, clues are usually revealed to people doing their daily jobs. If they know to look for odd occurrences, this can lead to much faster responses in limiting damage from breaches. You may not be able to prevent all possible breaches, but you should at least have well-understood processes for dealing with them after the fact.

