I spy with my little eye…
I came across a very interesting post by Peter Cochrane that should send shivers down the spine of anybody reading it. And if you are a security professional, I’d recommend grabbing the chair closest to you.
It reads like the script of a 1960s comedy spy movie, but to anyone working in security and responsible for an organization’s data, it is a very realistic account of how security is being breached on a daily basis and why data loss and identity theft are on the rise.
People are the weakest link; we’ve known that for years, and while employees were confined to their desks and IT administrators could control what they were doing, the risks were minimal.
Yet the minute organizations set their employees free to roam with their laptops, PDAs, smartphones, memory sticks and the whole range of mobile devices (or running around with the latest Apple iPhone prototype), they said goodbye to security and their data.
Your reply to that may be, “but now we’re hardening devices and using encryption”.
Great, but not so great when your employees are on a train and blabbing to each other about the company’s business plans, using commercial wi-fi to access the corporate network and taking their time to type in their username and password.
Either they don’t give two hoots if someone is listening to them or looking over their shoulder, or their concept of security is simply turning the key in a door lock before leaving the house.
How many times have you been sitting next to someone on a plane or train and with a few furtive glances have managed to go through the spreadsheet on his laptop or the presentation she’s reading? Some people are more careful than others but I believe that the people mentioned in Peter Cochrane’s blog are representative of a growing security problem.

While your concern is well founded, is there any difference between peeking at someone’s laptop screen and glancing at a printout of a spreadsheet they’re reading while sitting next to them on a train or plane? As you said, employees are a weak link in security, but they were that way before mobile technology. I think we may lose sight of that too often and lay the blame on technologies we can’t exercise as tight control over as those bound to the office.
Hi John
Valid point, although I think that the quality and volume of data being exposed is much greater too. You can read parts of a spreadsheet on a plane or train, but you are somewhat limited to the information therein. However, if you’re attentive enough to follow the keystrokes when they are inputting their username/password, the level of risk has increased exponentially. I also think that more people, thanks to technology, are mobile and work on the road today than before. But I do agree that we should not always blame the technology.
In that case, I guess employee monitoring goes both ways. You create stricter monitoring policies to keep an eye on your staff inside the office, and yet give them the freedom (or the responsibility) to work outside of it.
From a managerial standpoint, people are the weakest link. But now I’m wondering if awareness would be a simpler solution to these concerns. You can invest in encryption, certainly, but it might also help to simply conduct a (maybe in half a day) seminar outlining to your staff the dos and don’ts of working outside the office. We may be the weakest link, but we might also be the cheapest (not easiest) to fix.
I decided to follow the link to Peter Cochrane’s blog. It’s quite a disturbing read indeed, and at the same time quite ridiculous. Half of me wanted to have those three get what they deserved, but then again, I realized I’ve been a culprit of some of those mistakes as well.
When you’re on the clock to meet about sensitive information in a public space, sometimes you just rationalize that no one around you either cares or is in the same industry as you. We try to use codenames (I’m serious) to talk about confidential info, but sometimes, it’s just so tasking to remember those things we end up letting it all out to speed the meetings up.