Everyone has heard the saying “Rules are meant to be broken”. Everyone has free will and can choose. For example, you are driving down a road and you see a sign showing a 40MPH limit. If you choose, you can do 60MPH or 39MPH. Nothing is physically stopping you unless there is a police car behind you or bad traffic. You may get a speeding ticket or a fine, but in that moment very little stops you. Cars today do not automatically shut off if you exceed the limit.

You are probably wondering what this has to do with data. Well, give someone a choice and they may not obey your policy that says to encrypt CDs or DVDs. Hey presto: a lost CD, loss of customers, bad media coverage and fines. A policy can require encryption on all removable media, but what stops staff from ignoring it? Staff can be the weakest link in any company. A good example is the recent case of a Canadian bank (Scotiabank) losing unencrypted CDs in June 2011. “The discs were to be sent to the Canada Revenue Agency as part of the bank’s requirements to provide such information to the agency. The bank has strict processes and procedures in place to protect customer privacy and confidentiality, the statement added.” Fantastic, they have strict procedures, but did those stop this from happening? No.

What can we learn from Scotiabank and many others? Policies and procedures are a waste of time unless they are truly enforced: not by people doing spot checks, but by a system that enforces the policy. A great system would force encryption on data transferred to removable media and not allow unencrypted data to leave the network. Data leaks will not stop until policies are enforced physically, not by old-fashioned policy documents.