Archive for June, 2009

Catch a Thief or Secure Your Data?

June 20th, 2009

Computer theft is a growing problem. Laptops keep getting smaller, which makes them easier to leave behind and easier to steal, and they are used in more places (restaurants, coffee shops, libraries, airports), which means more opportunities for theft. At the same time, more and more anti-theft tools are becoming available for laptops. As a business, though, you need to decide what matters more: the laptop or the contents of the laptop.

The reality is that almost everybody wants to be the detective who solves the case. Look at the number of TV shows about detectives. Look at the number of mystery novels. The intrigue of solving a crime captures the imagination of many people. Playing on this aspect of human nature, more and more tools are designed to help you catch a laptop thief and recover the laptop.

Consider Prey, which advertises that it “helps you find your stolen laptop by sending timed reports to your email with a bunch of information of its whereabouts.” I should not even use the word “advertise”, because Prey is a free product. Prey is open source and available for Windows, Mac, and Linux. All they ask is that “if you ever recover your computer by using Prey you buy us a round o’ beer.” So adding Prey to your data protection plan is as inexpensive as it gets.

But for a business there are so many flaws in this “detective” approach.

The report that Prey sends you includes the general status of the computer, a list of running programs and active connections, fully-detailed network and WiFi information, a screenshot of the running desktop and — in case your laptop has an integrated webcam — a picture of the thief.  Now all this data is cool and could potentially help solve a crime and recover your laptop.

But wait: the report lists the running programs, which means somebody has booted the machine and is using your programs. That somebody could already be acting as one of your employees, and could already have read the data on this computer.

Plus, Prey only works if it can reach an Internet connection, so by the time you receive a report the thief has already connected the PC to the Internet and could be uploading, copying and even sharing your data. In the extreme case, if you do catch a thief using the laptop and the data, the Prey report itself is evidence of a data breach and can be used against your company by somebody suing for damages. In the worst case, the report doesn’t help you catch the crook and is then used in court against you: a lose-lose scenario.
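To make that point concrete, here is an added example (mine, not part of the original post and not Prey’s code) of how an incident responder would read a tracker report: not as a clue to the thief’s whereabouts, but as evidence of what the thief could reach. The report layout, the sample report, and the program and port lists are all constructed for illustration; a real Prey report is laid out differently, so the parser would need adjusting to match.

```python
"""Grade a laptop-tracker report as breach evidence.

Added example; not the original post's code and not Prey's. The report
layout below is constructed to mirror the fields the post lists (status,
running programs, active connections, network, screenshot, webcam).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample report (hypothetical layout and values).
SAMPLE_REPORT = """\
status: logged in as 'jsmith', uptime 02:14:09
running programs: explorer.exe, outlook.exe, excel.exe, chrome.exe
active connections: 10.0.0.7:49211 -> 203.0.113.9:443 ESTABLISHED
active connections: 10.0.0.7:49230 -> 198.51.100.20:445 ESTABLISHED
network: ssid=CoffeeShop ip=10.0.0.7 gateway=10.0.0.1
screenshot: attached
webcam: attached
"""

# Programs that only run when someone is working inside the user's session.
# Hypothetical baseline; replace with what your own fleet actually deploys.
DATA_PROGRAMS = {"outlook.exe", "excel.exe", "winword.exe", "chrome.exe", "firefox.exe"}

# Remote ports that give the thief a way to move data off the machine.
TRANSFER_PORTS = {"443": "HTTPS", "445": "SMB file share", "21": "FTP", "22": "SSH/SCP"}


@dataclass
class Assessment:
    online: bool
    user: Optional[str]
    data_programs: List[str]
    channels: List[str]
    level: str            # device_booted < access_likely < access_observed
    reasons: List[str]


def parse_report(text: str) -> dict:
    """Split 'key: value' lines into {key: [values]}; repeated keys accumulate."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def assess(report_text: str) -> Assessment:
    f = parse_report(report_text)
    # The report exists at all only because the OS booted and found a network,
    # so even an empty-looking report means unencrypted files were readable.
    reasons = ["OS booted: every unencrypted file on the disk was readable"]
    online = bool(f.get("network") or f.get("active connections"))
    if online:
        reasons.append("network reachable: data could have been copied off the machine")

    user = None
    for status in f.get("status", []):
        m = re.search(r"logged in as '([^']+)'", status)
        if m:
            user = m.group(1)
            reasons.append(f"interactive session running as '{user}'")

    programs = []
    for entry in f.get("running programs", []):
        programs += [p.strip().lower() for p in entry.split(",")]
    data_programs = sorted(set(programs) & DATA_PROGRAMS)
    if data_programs:
        reasons.append("data-handling programs open: " + ", ".join(data_programs))

    channels = []
    for conn in f.get("active connections", []):
        m = re.search(r"->\s*(\S+):(\d+)", conn)
        if m and m.group(2) in TRANSFER_PORTS:
            channels.append(f"{m.group(1)}:{m.group(2)} ({TRANSFER_PORTS[m.group(2)]})")
    if channels:
        reasons.append("live connections to: " + ", ".join(channels))

    if user and data_programs:
        level = "access_observed"
    elif user or channels:
        level = "access_likely"
    else:
        level = "device_booted"
    return Assessment(online, user, data_programs, channels, level, reasons)


if __name__ == "__main__":
    a = assess(SAMPLE_REPORT)
    print(f"exposure level: {a.level}")
    for r in a.reasons:
        print(" -", r)
```

Two things follow from the grading logic. A report can only exist because the operating system booted and reached a network, so even the lowest grade, device_booted, already means every unencrypted file on the disk was readable. And an agent like this runs inside the operating system, so on a laptop with pre-boot full-disk encryption it would not report at all unless the thief got past the passphrase, which is exactly the behaviour a business with sensitive data wants.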

There are myriad products like Prey on the market or about to enter it. They are good products; we don’t intend to criticize their quality. The question you need to ask is: “What matters most to your company, the laptop or the data on the laptop?” If you truly have no data that requires security or privacy, then Prey and its counterparts could be an awesome addition to your security plan. However, if the data on the laptop is more important than the laptop, then you should be exploring options like data encryption that ensure the data on the laptop cannot be read by a thief.

Catching a thief, even catching a thief on a webcam, is far more exciting than protecting data, but given the economics of a lost laptop it is probably far less important for most IT managers.

Data Loss is the Other Guy’s Problem

June 15th, 2009

Except for the very paranoid, one of the main reasons companies don’t take steps to better secure their data and their PCs is that they never think their own company will be affected. The next company is a bigger target. That other company has a bigger risk. They themselves have already invested enough in security measures.

To test that theory, I took a look at the Data Loss Database managed by the Open Security Foundation (OSF). Every day, their project curators and volunteers scour news feeds, blogs, and other websites looking for data breaches, new and old, searching for incidents that need to be updated or that are not yet in the database. So while they collect data, they clearly lack the bandwidth to locate information on every breach; their figures undercount the true scale of the issue.

However, it is a great sample to illustrate the breadth of the data security issue. Let’s look at the 20 reported incidents from May 2009. Which organizations were impacted, and what types of organization were they?

  1. Information Company
  2. Community College
  3. Not-for-profit religious organization
  4. Government Agency
  5. Hospital
  6. University
  7. Government Agency
  8. Government Agency
  9. Car dealership
  10. Government Agency
  11. Government Agency
  12. Health Insurance Company
  13. School
  14. Financial Institution
  15. Union
  16. Financial Business
  17. Electronics Manufacturer
  18. Internet Store
  19. School
  20. Insurance Company

Sure, government agencies and insurance companies are high on the list. But a car dealership holds driver’s license information, home addresses and financial data. A union has customers too: all its members, with addresses, social security numbers and more. A not-for-profit is clearly not an organization with deep pockets for technology, but encryption is affordable compared to the potential losses.

If you have computers and you have consumer customers, you have the risk of having information breached. You may think this is a problem for “some other company”, but the reality is that it is an issue for every company. We’re listing only the industry sector; the actual company names are available in the Open Security Foundation database. Consider the low cost of data encryption versus being on the above list.

Stolen Laptop – Who do you tell?

June 11th, 2009

When an Information Technology manager is notified of a lost or stolen PC, the first things they worry about are replacing the laptop, changing the passwords, turning off accounts, all the fun details. But what many IT managers don’t realize is that there may be legal requirements for their company to report the event if personal data on the computer (laptop or desktop) may have been exposed.

Over 40 US states have breach notification laws, and each state’s law varies (other countries have laws pending). Trying to get a handle on them could be a full-time job in itself, and many of the decisions require legal determinations of “what is reasonable risk” that go far beyond the role of Information Technology alone. The questions that drive the decision are:

  • Was there consumer data on the PC? For the most part these laws only apply to the loss or potential loss of consumer data, which takes many IT departments out of scope.
  • Was the data encrypted? California, which has the toughest laws, allows an exemption for encrypted data that is lost.
  • How much data was exposed? In California there is no such thing as an immaterial breach, while other states do define an immaterial breach. So the potential loss of unencrypted data on a single customer is a reportable incident in California, but may not be in other states.
  • What type of data was exposed? Some laws specifically mention financial data; others have been expanded to include compromised medical and health insurance information.
  • How likely is it that data was exposed? Was there a chance of a breach, or was there actually a breach? What harm could come from the breach? California, for instance, uses an “acquisition standard” that requires companies to notify consumers each time their data has been acquired by an unauthorized person. Other states, such as Delaware, Arkansas and Florida, require companies to notify consumers of breaches only if the companies believe there is a reasonable risk of harm.

Highlighting California’s tough stance, the California State Senate has approved a bill, SB-20, that would require companies to give victims of a data breach additional information: what type of personal information was breached and when the breach occurred. The current law requires only that companies say a breach has occurred.

The fact that California, with these tough laws, recognizes the work companies do to encrypt data should be a compelling reason for Information Technology shops to explore encryption. In fact, more than 25 states have now enacted the same exemption for encrypted personal data. Note what the exemption covers: the data as it sits on the lost device. Having the data on the server encrypted is valuable, but if a stolen PC holds a cached or synced copy in the clear, or stores credentials that reach the unencrypted data, you still have that security risk. Encryption has to extend to every endpoint where the data can be accessed.

The bottom line is that if your company handles consumer data, you are exposed to a wide range of repercussions if you don’t report potential breaches of that data. That is just one of many reasons Information Technology managers the world over are investing in data and drive encryption.