IT Security: How Important Is It?
It had been a while since I had touched base with my old firm and the IT manager who had taken my place some years ago. After several minutes of the usual “catching up” jargon, I hit Jim with the purpose of my phone call. I tried to make it as nonchalant and impersonal a question as I could, but the immediate silence and subsequent sarcastic chuckle denoted the obvious intensity of the inquiry. The question: “Have you been able to get a handle on employee theft of computers, media, and other electronics, and how has it affected the company year to date?”
I knew from his continued “moment of silence” that this had been an ongoing issue from the moment I left the same chair he was now using to respond to my question. To quote his exact words: “It is and has been an immense waste to spend so much time applying security techniques, to spend so much money for security training, and to spend so many man-hours reassuring and explaining, when valuable and supposedly secure data and information is walking out of the backdoor under someone’s arm. The room used to store equipment destined for destruction or “scrubbing” would be better suited as a workout room rather than a staging area. You would think the explicit memos and extensive security postings would be enough for “adults” to understand the impact of what is trying to be accomplished, and that compromised company data and information not only affects my job but theirs as well.”
There was no need to explore his answer in depth, and his obvious disgust reflected the outlook of hundreds of other IT managers and security managers across the country. And to think, this was just a small company of fewer than two hundred fifty employees. What then could we expect from a much larger entity? Of course, employees at almost any level are not concerned that they may have valuable company data on the PC they found lying in a pile amidst so many others. After all, it’s only one computer that is destined to be destroyed, and it certainly wouldn’t be missed.
Maybe we should blame it on an economy that has made the cost of living increase so sharply that computers and electronic devices are a luxury for many households. Many employees at all economic levels now face economic constraints where they cannot just go buy the latest computer or electronic gadget. Hence the very foolish decisions to steal, which have ultimately led to over $40 billion in losses by small businesses in this country each year.
Needless to say, much larger companies have a much larger problem to resolve. Except for cases that gain notoriety through media exposure, most computer crimes are not reported because companies feel that customers, investors, and major management may interpret such events as managerial shortcomings. Most clues that reveal these crimes come not from security controls but by chance, through informants, or through errors on the part of the culprit.
Why should this be a big deal, you ask? Then allow me to share this example. Just this year in May, a Homeland Security employee in Tennessee was arrested for stealing and selling two laptops. The laptops had not been “scrubbed” and contained very sensitive Homeland Security data and records. Still feel secure? Fortunately, the individual to whom he sold the laptops was an undercover cop already on a stolen goods case. Again, here is a much larger entity that would have had a much larger problem.
As a second case scenario, let’s use the computer technician who worked for the Nutley Board of Education, in Nutley, New Jersey. In June of this year he reportedly stole over ten laptops and two Apple desktops, and sold them to local pawnshops in the area. The incident was only discovered when a lady who had purchased one of the laptops saw it had been registered to the Nutley school system and immediately reported it. Though the value of each laptop and desktop was only $1000, according to the school system, the information and records still stored on the computers were far more valuable than the hardware itself.
Beyond the astronomical cost of stolen goods, these cases illustrate the next major issue with computer equipment theft: how profoundly the data and records on stolen computers, if retrieved and placed in the “right” hands, may jeopardize the solvency of a small business. Though there are those who would resolve not to believe it, computer theft and data loss continue to increase with serious and costly consequences. Without a more systematic resolution, thefts will continue to rise as long as the black market for cheap computers remains strong, access to computers is easy, and thieves can profit by using or re-selling sensitive or confidential data. While it might not be as easy to search and copy specific files, the theft of the entire computer, hard drive, or some other media type might ensure a broader range and quantity of data and information.
The issue of data integrity and security seems to be a concept taken by most with a grain of salt. Regardless of the environment, or the security level assessed, even upper-level management will not turn down the opportunity to obtain a “free” storage medium or electronic device. In a small company such as the one I was a part of, and after conversation with my managerial replacement, it was apparently still hard to hide or disguise security methods such as cameras or motion sensors, and even harder to secure an area designated for more than one purpose and under the jurisdiction of so many others.
In most cases, employees are not trained on how to properly protect proprietary information. Most computer professionals are also too rushed, backlogged, and overwhelmed with their “normal” day to adequately secure proprietary equipment or protected materials. From the user standpoint, most users assume that if a file doesn't show up in a directory or folder, then it must not exist. Few users know how to undelete files or to recover files that have been accidentally deleted. Most computer users, experienced users included, are unaware that deleted files on these stolen devices can be recovered or undeleted. Deleted files are not erased but rather just hidden, and the data can be easily undeleted and restored.
Though it is unlikely your mother or little brother can undelete your files or seek to "trawl" for interesting data, there are those who could find anything they wanted on your old computer with a few simple tasks. Obviously, this information was deleted for a purpose, and it often contains highly sensitive business or government records and transactions as well as sensitive emails. As much as we’d like to think so, not everyone has good intentions when a computer is stolen from a pile of “throwaways”. There is certainly no “goodwill” defense for the laptop stolen from the back seat of a locked vehicle. Believe it or not, theft or loss of a computer or data storage medium makes up 54 percent of all identity theft-related data breaches.
Even so, most computer crimes are not committed by hackers, by someone who finds a laptop in a car, or by employees simply seeking a toy they could not otherwise afford. In reality, most equipment and data thefts are committed by trusted employees who turn against their employers for various reasons. There are increased incidents of employees taking proprietary information via equipment theft when they believe they will be, or are, searching for a new job. Some employees steal information via equipment due to what they feel is a lack of respect, friction with co-workers or a boss, or just career dissatisfaction.
Unfortunately, in this day and age, I would not be honest if I did not include “Divided Loyalty”, or allegiance to a different entity or person, or to a different country, as a reason for data and equipment theft. Though it is a reason we’d least like to consider, it is still a valid concern of both large and small business entities.
As exciting as the technology and capabilities have become over the last couple of decades, computers and the issues that follow them must be addressed like any other issue in our society. Whether environmental or an integral part of daily business, the issue here stretches beyond the scope of idealism, or a moral concept of integrity. It entails educating, planning, implementing, monitoring, and making a difference we can really see.