Don’t think that Data Leak Prevention technology will stop data leaks

I pointed out before that data leak prevention is impossible. There are just too many ways for a determined data thief to walk out the door with your most sensitive information.

MI5, the supposedly super-secret branch of the UK government, has had its data protection failings this past week. If you are a fan of le Carré’s Smiley, you are familiar with the data leak prevention system in place at MI5 for safeguarding critical files. (A “file” in the context of secret agencies is a folder containing information printed on tree pulp. I know, crazy in this day and age that anyone still uses those, but that is the way it is.) Anyway, there is a well-guarded vault full of these “files”, and various people with a need to know check them out and read them at their desks. They must return them to the vault, and only under extraordinary circumstances are they allowed to be carried out of the building in a special satchel called a brief case. (Not available at Timbuk2.)

$1,000 brief case

This past Tuesday two reports on Al Qaida’s strengths and weaknesses were left on a commuter train.

The documents were left on the train by “a highly placed member of the Joint Intelligence Committee's assessment staff…The fear is that the documents, which also revealed the names of senior MI5 and MI6 officers, may have remained on the train for some time and been read by other people or even copied using a mobile phone camera.”

Worse, whoever found them turned them over to the BBC who read them.

And then, on Wednesday:

Secret government documents detailing the UK's policies towards fighting global terrorist funding, drugs trafficking and money laundering have been found on a London-bound train and handed to 'The Independent on Sunday'.

The government papers, left on a train destined for Waterloo station, on Wednesday, contain criticism of countries such as …The confidential files outline how the trade and banking systems can be manipulated to finance illicit weapons of mass destruction in Iran. They spell out methods to fund terrorists, and address the potential fraud of commercial websites and international internet payment systems.

With all those paper documents being used to run the intelligence service of England it is surprising there are not more incidents like this. Am I recommending more use of electronic documents? Definitely not, they will just fall into the hands of the Chinese.

All I am saying is that no leak prevention solution will stop leaks. You can curtail the wholesale loss of data through email and file transfers, but you will not stop executives from leaving printed documents in taxi cabs or airplanes. In the meantime, I am sure that with a little tightening up MI5 will get their house in order, setting aside connections to Nazi sex orgies for now.

Can anyone suggest best practices for controlling printed documents? Leave a comment, I will summarize in a posting.


Follow Stiennon in Twitter


Copyright © 2008 IDG Communications, Inc.
