Trust But Verify

Wayne Rash

Trust takes a lot of forms. Perhaps you trust your employer to pay you on time, or your customers to honor their commitments, or perhaps you trust your government to do the right thing by you (assuming you live in a fantasy world). One area of trust that's critical to business is to trust your employees to follow the rules, serve the needs of the company, and not break the law on company time.

Sometimes that trust is abused. In fact, breaches of trust by employees are hardly new. The well-publicized data theft by employees of T-Mobile UK is only the most recent example. There, employees were selling customer contact information and contract termination dates to competitors. In Europe, this is illegal, and the employees will probably suffer the consequences. But the only thing that makes this particular theft unusual is that it happened to a wireless company in the UK. Similar breaches of trust have happened in other venues, at the Department of Veterans Affairs, for example.

Insiders have been doing stupid, sometimes illegal things with information entrusted to them as long as there have been insiders. Information technology only makes it easier to steal or lose larger amounts of information, and to do it more quickly. But in the long run, theft is theft, and it's been that way for all of human history.

So the issue isn't the fact that this particular data loss happened to T-Mobile (which has had its share of Bad Things lately), but rather that it points out the need to find ways to encourage employees to be trustworthy, and to use the words of The Gipper (former President Ronald Reagan), to verify.

One of the benefits of the compliance rules in the U.S. is that access to personally identifiable information such as that stolen in the UK incident, must be strictly controlled. In addition, you must be able to prove that you've restricted access, and you must be able to prove that you can follow every access attempt and trace it back to the person that did it. To do this properly, you must also have the ability to find out quickly when unauthorized access is taking place.

Such incidents are the reason the various regulatory and industry rules about access to information and the use of such information exist. There have been enough boneheaded data losses in the U.S. that even the Congress was able to take notice and make some rules for some industries.

But having compliance rules is just one part of the equation. Just being able to be audited is only one more part. The central key to success in keeping your customers' data safe is to institute controls that don't depend strictly on trust, but also allow you to verify that this trust is justified.

The best means of accomplishing this is to design your IT operations to be secure in the first place. The second is to institute good management controls so that you know who is doing what with your critical data. And the third is to find ways to minimize losses, for example by making it so that it's difficult for one employee to access more about a customer than is required to perform their job.

Trust also comes into play when figuring out what to do about creating an environment where you can trust but also verify. You need to find help that can demonstrate a solid track record in dealing with the kind of information you need to keep safe. But beware-there are companies out there that will pretend to be more trustworthy than they deserve.

One such company came to me about this data theft offering to provide an executive with expert opinions. But this company actually sells a service that is supposed to prevent events like the data lost at T-Mobile UK. In other words, they were presenting themselves as independent experts when the real motive was far more self serving.

The real lesson from this is that Ronald Reagan's admonishment to 'Trust but Verify' is still very good advice. But you need to do this with more than just your employees. You also need to be able to trust those who would presume to help you not to also help themselves in the process.

Add Comment      Leave a comment on this blog post

Post a comment





(Maximum characters: 1200). You have 1200 characters left.



Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.