In an article related to the VA data theft, the reporter discusses the need for better data security. According to the article, IT departments are typically concerned with protecting the infrastructure, not the data.
I would argue that protecting the infrastructure is part of protecting the data. But I agree that protecting the infrastructure isn’t enough.
In the almost 15 years (gasp!) since I left the Air Force, every job I’ve had has been somehow related to computers, although I’ve usually worked as a trainer rather than as a consultant. Since 1998, every job I’ve had has provided me with a company laptop to make my life easier as a road-warrior. Reflecting on those jobs with laptops, I realize that my various jobs weren’t all that security-aware, either.
The 1998-1999 job was with a gov’t contractor, implementing network security on Air Force bases worldwide. Those laptops had no encryption or authentication beyond the basic “log into it when it boots up” process. I want to say those laptops had data with little or no value, but OPSEC taught me that little pieces can be part of the overall puzzle, and even little pieces shouldn’t be compromised. We carried the plans/processes/IP addresses/backup copies of configurations on our laptops and never worried much about it (and I worked with security geeks who worried about everything). BUT we paid close attention to the physical security of our laptops, and were mildly paranoid at all times. Looking back, I realize I can only speak for myself and my own laptop – I have no idea if the security geeks incorporated greater security on their own laptops, but there was no company policy regarding such. Logging onto the company intranet was a simple process, with basic username/password, if my memory can be trusted. Was the infrastructure secure? Couldn’t really tell you. My memory’s gotten too hazy.
The 2000-2003 job was with a large commercial entity, once the darling of the stock market, then a laughingstock (to the disgust of all those who held or are still holding their almost worthless stock). That laptop held network monitoring tools, copies of course materials and PowerPoint presentations, and copies of site-visit reports. Nothing earth-shattering or particularly valuable, but we had a little thingy we carried that we used to log in to the company network. I’ve forgotten the correct term for the little thingy, but it provided a constantly changing password, which was tied to our user id. However, this little thingy was only used for logging into the corporate network – we didn’t need it to access our laptop. The infrastructure was secure – our laptops? Not so much.
Early 2003 to late 2004 was a period without company laptops, as I was without a company. But Jan 2005 brought me a new job, and in late Feb, my company laptop arrived. This company has different passwords for everything on the company intranet, and they change at different times (and have different criteria for acceptable passwords, to keep it interesting for us). This includes having to regularly change the password to log into our laptops. So far, just like everyone else, more or less. Again, the infrastructure was secure, but the laptops – not so much.
But then, sometime last summer, they came out with a new policy. Laptop hard drives were to be encrypted, and a password is required to boot the laptop. It’s kind of annoying, from an end-user’s point of view, and makes the laptop take longer to boot up, but it gives me a certain peace of mind, knowing that there’s at least an attempt to secure the data on our machines – machines which are routinely carried through airports and into client sites (some of our folks travel 100% of the time; others, like me, were told the job entailed 50% travel, so we only travel 70-80% of the time).
Bear in mind that all the jobs I’ve described here involved lots of travel. The 1998-99 job was 100% travel, the 1999-2003 job was about 75% travel, until the last year when I was stationed at a client site full-time, and the current job is officially 50% travel. I don’t think the VA jobs have that much travel built into their job descriptions. But the data on the VA computers is infinitely more important than most of what I’ve had on my company laptops.
Enforcing a rule that says “don’t take data home” is hard to do, especially in this age of telecommuting and “do more with less,” which means fewer people are handling the same amount of work.
So it behooves the companies, whether they are commercial companies or gov’t agencies, to build in protections. Store the data on the company server, not the employee laptop. Make the employee network in via a VPN, if they’re working from home. Provide the employees with the “little thingy” that changes the approved password every 90-120 seconds. Encrypt the laptop hard drives, for cryin’ out loud, to build at least that minor level of protection into the process. Use biometrics, if needed, for stronger security.
Or, if you truly don’t want employees to take data home, DON’T GIVE THEM LAPTOPS at all, and create a script that prevents them from saving data to anything other than a network drive.
And yes, as the article says, if you HAVE rules against taking data home, ENFORCE the rules. If a supervisor overrides the rules, as happened at the VA, fire the supervisor. If an employee disregards the rules, fire the employee. Make it a fire-able offense to compromise data.
Whatever you do, DO IT RIGHT. Don’t purchase your security from the lowest bidder. Purchase it based on who has the strongest security. Don’t base your security policies on the convenience of the user – base it on the importance of the data.
And for those of you reading this who think it doesn’t apply to you – how secure is your home network? Have you at least enabled the minimum wireless encryption? Or do you let the entire neighborhood use your wireless network (and your internet connection) for free? Oh, and when was the last time you changed all the passwords you use online (or the one password you use everywhere online)?