Recently, IBM became the biggest name to prevent employees from using portable storage devices. This certainly won’t be the last measure taken to enhance security within the enterprise – especially as we approach the end of the month – but it’s a good first step.
As IT professionals know, preventing end-user action is usually a last resort. Ask anyone who uses access-prevention software or folks who have disabled PSTs in the past – the first few months are chalk-full of employee frustration and over-flowing Helpbox emails.
While disabling thumb drives may seem like a stark measure at first glance, put yourself in the shoes of an employee. Would this policy prevent you from uploading content (sensitive or otherwise) to personal cloud storage? That’s hard to stop, so probably not. Are you restricted from sending attachments to a personal email address, then doing as you please with them? The best DLP systems don’t always prevent content to personal aliases, so you’re probably okay on that, too.
It wouldn’t take an employee long to bypass this measure—what’d the over/under be for time? 5 seconds? 3 seconds? Either way, I’d bet the under.
This speaks to a larger issue within content management strategy: Big Data governance is a complicated endeavor, so too many enterprises shy away from full, proactive governance. Instead, they build external controls that eventually get outgrown.
To better demonstrate the issue, let’s look at this outside-in approach in another field: Imagine your favorite football team gives up the most sacks in the NFL for a season. Then they try to address the problem in the offseason by using their entire salary cap to sign the best quarterback and wide receivers in free agency. Great players, but not gonna help. Maybe the new quarterback gets the ball out of his hand a little faster, maybe the receivers catch a few more balls over the course of a season, but you won’t win many more games without getting much better protectors. The problem’s being ‘solved’ at the wrong point.
For the non-football fans reading this, I’ll put it this way: It all comes back to controlling your data by knowing your data. It feels like an easy concept to understand but, for whatever reason, enterprises choose to stop the leak with sandbags at their doors instead of by addressing the massive crack in the pipe.
For years, records and legal professionals have struggled to articulate the importance of really knowing their data. When their enterprise outgrows an ECM system, they throw more instances of that system at the problem to tame it… for a bit. When they need to classify content more granularly, they train end-users again, and again, and again. When the Legal Hold software can’t scale, they trust custodians will care about preservation as much as lawyers do then burden those employees with notifications and required action.
IBM’s New Rule
IBM’s decision to prohibit USBs and other external storage devices tells us times are changing. If this leaves you asking ‘why now?’, you’re not alone. To me, the answer is simple: money, baby! Failing to comply with GDPR can lead to penalties of up to four percent of annual revenue, so it’s begun to get much easier to convince senior leadership to pay attention to how organizational data is being handled.
IBM released this statement: “We regularly review and enhance our security standards and practices to protect both IBM and our clients in an increasingly complex threat environment.” As such, we can assume the recent rule will be one of a few different plays to increase organizational governance and security. To comply with the stringent new regulation, it better be.
But, for now, this (highly publicized) move gives IBM something to point to if they find themselves in trouble. “We tried!”
An Industry in Transition
Instead of inching towards Information Governance at scale, we’re finally taking real steps toward it. But given the complexity of the challenge, we’re still a few leaps away.
Implementing the necessary policies, training, and software will be a big undertaking. It will require a shift in perspective on how data is used at every step of the process, and it will undoubtedly be expensive. But with GDPR, it will (finally) be way more expensive to ignore it.
Things are about to get interesting, and I’m looking forward to it.