Security Breach Brings Opportunity for Improvement

Ralph DeFrangesco

Americans are very reactive people. We wait for something bad to happen and then we throw everything we have at it to fix it, until the next thing happens and the cycle continues.

CIO.com recently published an article that hits all too close to home. The article describes a company that has gone through a reduction in force and is moving the remainder of its employees to its headquarters. It hired a moving company to help with the move; as the movers were taking equipment out of the building, someone was sneaking in through an unsecured door and stealing laptops, 25 of them. If it were not for a sharp employee who saw what was happening, the thief would have made off with more.

The company used this unfortunate incident as an opportunity to increase security. First, it implemented full-disk encryption, something it had always wanted to do but just never got around to. Second, it pushed a policy that locked its systems after a certain period of time so users had to log back in after inactivity. Finally, it issued laptop locks to physically secure its systems.

 

Early in my career, I worked for a wire harness manufacturer, managing its CAD/CAM system. I got a call one Saturday morning asking what I did with the system. It was my boss and he was not joking. He told me that some employees came into work early to catch up on work, but there was no CAD/CAM system to be found. I drove into work and, sure enough, the system was gone. It took that incident for the company to realize the value of a security system. One was put in shortly afterward.

 

A few years ago, I worked for a large health care company. Most of us were issued laptops so we could work from home or remote locations. One day, laptops started to disappear from our desks. It's a funny feeling getting up for a cup of coffee and coming back to your desk, only to find that your laptop is gone. You feel like something personal was taken from you. To address the problem, the company issued laptop cables, but it took roughly 20 to disappear before they did anything about it. IT Business Edge's Carl Weinschenk feels that education is the key to slowing laptop theft, and I couldn't agree more.

 

There are companies that have developed ways to combat laptop theft. One option, for example, is a product from Asus that can send a poison pill to a stolen laptop to render it useless.

 

I have many stories I could share. The common theme is that these companies waited until there was a loss to bother to do anything about their risks. There was never a risk assessment performed that might have uncovered weaknesses and allowed them to prevent breaches before they happened.


 

Do you have a similar story to tell?



Sep 24, 2009 4:33 AM b allen says:

Ask any security professional and they will tell you similar stories.  Part of the problem is that security is not seen as part of doing business.  It is perceived as an unnecessary cost, and often only in the breach is its worth proved, as you note in your article.  No surprises there. 

Unfortunately, when security is applied retrospectively it is very expensive, and this very expense is remembered and feeds into the perception that security is an expensive item, and may be prohibitive to some projects.  If it is going to be done at all, it will be done as cheaply as possible rather than as effectively as possible, which can then make the security fail to be effective and so it becomes an unnecessary cost, and we start the cycle again. 

Regularly hearing about security being on the agenda for boards and chief execs, I have to wonder how true it is.  These sorts of stories are regularly in the news, so why, if it is on the board agenda, is it so hard to secure funding for security projects that will be effective, and so hard to get security included in projects from the outset rather than after they have gone live and there is a problem?  Or is middle management filtering out what is coming down from on high and doing their own thing?  If it is a priority for the chief exec it should be a priority for those in the chain below.

Sep 26, 2009 1:07 AM Ralph DeFrangesco says: in response to b allen

Bev,

Your insight is spot on. Thank you for your post.

-Ralph
