In IT and information security, it’s not enough to protect from attack. The IT security writer and thinker Bruce Schneier recently made the point that corporates ought to have an ‘aggressive deletion policy’.
He wrote:
One of the social trends of the computerisation of our business and social communications tools is the loss of the ephemeral. Things we used to say in person or on the phone we now say in e-mail, by text message, or on social networking platforms. Memos we used to read and then throw away now remain in our digital archives. Big data initiatives mean that we’re saving everything we can about our customers on the remote chance that it might be useful later.
Everything is now digital, and storage is cheap — why not save it all?
Sony [the December 2014 affair of the hack arising from their film about North Korea, The Interview] illustrates the reason why not. The hackers published old e-mails from company executives that caused enormous public embarrassment to the company. They published old e-mails by employees that caused less-newsworthy personal embarrassment to those employees, and these messages are resulting in class-action lawsuits against the company. They published old documents. They published everything they got their hands on.
Saving data, especially e-mail and informal chats, is a liability.
It’s also a security risk: the risk of exposure. The exposure could be accidental. It could be the result of data theft, as happened to Sony. Or it could be the result of litigation. Whatever the reason, the best security against these eventualities is not to have the data in the first place.
For Schneier’s essay in full visit –
