somouk – nail —> head. We are pretty slack, relying on people ‘not to be stupid’, but a prevalence of pen drives, Dropbox, anonymous FTP, etc. means that this isn’t much of a policy. When the director who raised this has no idea of the issues, what might be involved and the implications, and in the same breath says ‘don’t make it complex’, you have some handle on how much of a headache this will be.
scuttler – it’s not so much losing our data, but the implications of us losing confidential multinational data to one of their competitors that I worry about. The conversation would very quickly make us look like idiots (Them: ‘Show me your data security policy’, Us: ‘Show you our what now?’).
Also, there is the issue that I’m not sure we have the skills to identify what the risk levels are for a particular medium (i.e. how much of a risk is Dropbox, or Google Drive?) and not missing any obvious points of attack/data loss… hence a free toolkit or template would be a handy starting point. I accept that a lot of this experience is hard won, so it may simply be a case of ‘getting someone in’ for advice.