More Sensitive Data Lost
Business At The Speed Of Stupid.
Another major corporation, this time the multi-billion dollar Boeing, has hemorrhaged confidential data. A laptop holding personal information including social security numbers, home addresses, phone numbers, and birth dates of more than 300,000 active and retired employees was stolen. The machine was taken when the employee responsible for it left it unattended.
Here’s the fun part: This was the third time this has happened to Boeing in the past year.
We don’t know if Boeing offers its employees any security training when it comes to handling sensitive data, but it obviously should. It should also enforce strict policies about what kind of data can be stored on personal machines. Is there any valid reason an employee should be walking around with this kind of information?
If it is necessary to have sensitive data on easily pilfered computers, there are a number of ways it can be secured. SecureDoc Disk Encryption (http://www.winmagic.com) is one option. Another is Entrust Entelligence (http://www.entrust.com). To secure individual files, PGP (http://www.pgp.com) and GNUPG (http://www.gnupg.org) are excellent options.
However, supplying security systems and training employees to use them is one thing. Actually making them use them is another. Even with all of the media attention given to identity theft, corporate users still write their passwords on sticky-notes stuck to their monitors, or use easily-guessed passwords like their kid’s or pet’s names, the type of car they drive, or their own birthdays.
There are systems that have the option of enforcing password complexity and aging rules, so that your password must be at least so many characters, consist of mixed-case letters and numbers, be changed on a regular basis, and not be reused. And what happens when companies turn on these systems? Users whine that they’re too difficult or inconvenient to use.
Another option involves employing a hardware component, like the SecurID token from RSA (http://www.rsasecurity.com). Users need only remember a simple PIN, which they combine with a changing number on the token. The number is calculated through a complex algorithm and the combination must match that on the server. Of course, nothing prevents the user from writing their PIN on the back of the token, and then losing the token, or letting it be stolen along with their computer.
How about biometrics? Users must supply either a finger print, voice scan, or retinal scan before being granted access to a system. Urine analysis is another option, but peeing into a cup on the side of the keyboard could get messy. Still, anyone who’s watched a Bond movie, Mission Impossible, or an episode of 24 knows there are ways around even this. Need someone’s fingerprint? Nothing says their finger has to be connected to their body for it to work. The same goes for retinal scans. And a good quality digital audio recorder should be able to trick most voice recognition systems.
When you come down to it, the only sure defense against losing data on notebooks to thieves, is not putting the data on the notebook in the first place.