Maybe they should have been encrypting?

I don’t know if you caught the news report about Northrop Grumman back in late June. Basically, journalists for Frontline were doing a story about how all of our electronic waste ends up in dumps in the third world. They stumbled upon a completely different story when one of the hard drives they bought at a market in Ghana contained hundreds of documents about government contracts that Northrop Grumman was engaged in. According to the news reports, the documents contained information about recruiting airport screeners and implementing data security. The drive itself was apparently given to an outside vendor who was supposed to have safely disposed of the computer. According to a statement released by the company, they believe the hard drive may have been stolen from their asset-disposal vendor. But what I found really interesting in their statement was that they felt that “despite sophisticated safeguards, no company can inoculate itself completely against crime” and that “the fact that this information is outside our control is disconcerting.”

But the truth is that if they were really serious about data security and keeping sensitive information confidential, they could have easily enforced a policy of encrypting the data on the hard drive. Then the “loss” of the hard drive wouldn’t have been an issue, and they would have always had complete control of their information. Hopefully somebody in the company’s information security department is thinking the same thing to themselves right now so that we don’t have to hear about them in the news next year. And maybe somebody in your company’s information security department is thinking about this issue too. If not, maybe they should be?