By Mike Semel, Cybersecurity and Compliance Expert
“All Our Data is Stored on Servers.” (It’s Not)
I hear that time and again, yet it is never true. We always find legally protected data, including Personally Identifiable Information (PII) and Protected Health Information (PHI), and business-sensitive data like payroll information, hiding on desktops and laptops that often aren’t encrypted. Worse, the users don’t know it is there, and IT believes users are storing data on servers, so they don’t look either.
Sometimes IT directors and senior executives are shocked when we show them that data is being stored where they don’t expect it: in Downloads folders, Desktop folders, and even in Recycle Bins. During executive briefings, I have had CEOs ask, “We have policies requiring data to be stored on servers. Why aren’t our people following our policies???!!!”
The simple answer is that data storage isn’t properly automated, users aren’t properly trained, and, worse, having a policy makes you assume it is being followed, so you never look for evidence of compliance.
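Looking for evidence of compliance means actually scanning the places the article names. The script below is an added example, not code from the author or from any product; it builds a constructed, fictitious user profile (Documents, Downloads, Desktop, and a Windows-style $Recycle.Bin folder), scans every text-like file under it for SSN-, card- and e-mail-shaped values, and reports which top-level folder each hit lives in. The regexes and the file-extension list are assumptions chosen for illustration, not a certified DLP rule set; the card detector applies a Luhn check so that random 16-digit strings are not reported.

```python
import re
import tempfile
from pathlib import Path

# Illustrative detectors for legally protected data (assumed patterns,
# not a certified DLP rule set): US SSN, 16-digit card number, e-mail.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card16": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
# Assumed set of text-like extensions worth reading.
SCAN_EXTS = {".txt", ".csv", ".log", ".json", ".xml"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop 16-digit strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict:
    """Return {pattern_name: match_count} for the detectors that fired."""
    hits = {}
    for name, rx in PATTERNS.items():
        matches = rx.findall(text)
        if name == "card16":
            matches = [m for m in matches if luhn_ok(re.sub(r"\D", "", m))]
        if matches:
            hits[name] = len(matches)
    return hits


def scan_profile(profile_root) -> list:
    """Walk a whole user profile, not just the folders policy says to use."""
    root = Path(profile_root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_EXTS:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        hits = scan_text(text)
        if hits:
            findings.append((path.relative_to(root).as_posix(), hits))
    return sorted(findings)


def summarize_by_folder(findings) -> dict:
    """Count affected files per top-level folder (Downloads, Desktop, ...)."""
    summary = {}
    for rel, _ in findings:
        top = rel.split("/", 1)[0]
        summary[top] = summary.get(top, 0) + 1
    return summary


def build_sample_profile() -> str:
    """Constructed sample profile with fictitious values; returns its path."""
    root = Path(tempfile.mkdtemp(prefix="profile_"))
    files = {
        "Documents/handbook.txt":
            "Policy: all client data must be stored on the file server.\n",
        "Downloads/payroll_export.csv":
            "name,ssn,email\nJane Doe,123-45-6789,jane.doe@example.com\n",
        "Desktop/notes.txt":
            "Call vendor about invoice 2024-01. Nothing sensitive here.\n",
        "$Recycle.Bin/S-1-5-21-0000/$Rclaims.txt":
            "Patient claim paid with card 4111 1111 1111 1111\n",
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return str(root)


if __name__ == "__main__":
    profile = build_sample_profile()
    results = scan_profile(profile)
    for rel, hits in results:
        print(f"{rel}: {hits}")
    print("files with findings per folder:", summarize_by_folder(results))
```

Run against the sample profile, the report shows the payroll export sitting in Downloads and a card number sitting in the Recycle Bin, while the Documents folder that policy points at contains nothing sensitive; pointed at a real profile root, the same per-folder summary is the evidence of compliance (or its absence) that the policy alone never produces.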