by LurkingGrue 5688 days ago
If I had a penny for every user that ignored important facts about IT I could retire.

We had a great IT security presentation at a medium-sized company I used to work for once, one of those annual "click through all the slides so we know you've read it" things that US companies seem to love.

As I understand it, the material was put together by an outside team of expert security consultants, who came in and audited the company's usual policies and the access requirements for people to do their jobs sensibly.

The executives watched the presentation and concluded that this was great, because now all of their staff would know not to leave CDs with sensitive data lying around on their desks when they went home.

The front-line grunts -- who were mostly geeks, this being a software company -- concluded that more than 98% of the recorded data leakage incidents in this 5,000-person company, and 100% of the serious ones, would have been prevented by (a) refusing to exempt senior/executive management from the corporate IT security policies that applied to all other staff and (b) requiring sales people only to use company laptops with the standard security software installed and maintained by corporate IT when going off-site.

(I'm pretty sure that I really am remembering the statistics here accurately, BTW. Listening to the executives on the conference call after watching the presentation was the kind of bang-head-on-wall moment you don't quickly forget.)