In November 2005 a laptop belonging to an employee of the Boeing Corporation was stolen. Among the information on the machine was personal financial data about 161,000 current and former employees of the aerospace giant.
None of the confidential information was encrypted, and therefore the thieves would have been able to read and exploit it easily. Yet this was just one of the two serious failings in Boeing’s IT security procedures that this episode highlighted. The second was not to have immediately owned up to the incident. The company still refuses to reveal the precise timings but has admitted that it was “several days” after the theft before the 161,000 ‘victims’ were officially informed that their personal details were now in the public domain, potentially ready to be used by criminals involved in identity theft.
Companies across the world, have always preferred not to reveal details of IT security breaches. The problem became so bad in the UK that the Metropolitan Police launched a special guarantee under which companies are promised anonymity if they report that their systems have been the target of hackers. Without such a scheme, police were unable to prosecute the hackers because officers were unaware that the incidents had taken place.
It’s easy to understand the dilemma of the targeted organisation. A run-of-the - mill incident might cost a typical bank £250,000 in terms of lost productivity, replacement hardware, or system downtime. Yet if the attack is reported to the police and the suspects subsequently end up in court the whole episode becomes public knowledge, which results in customers losing trust in the bank concerned. At which point the £250,000 becomes totally insignificant. For if a bank loses the trust of its customers,it will lose those customers and revenue.
The nature of the problems that can be incurred is many and varied, ranging from loss of key information, adverse publicity, loss of trust, legal action by customers, and official censure by regulators. All of which can be avoided with a little forethought and a professional attitude to the use of data encryption.
Where once your key information such as customer account data and profitability figures resided on a few desktop PCs in a private office, now the information is spread far and wide. As well as the master copy on the main system, there are often copies (or at least extracts or summaries) in many other computers. Some of which are laptops, which are incredibly easy to lose or steal.
In addition, unscrupulous staff or dishonest visitors can easily copy information from a bank’s main systems to a multitude of external storage devices. These include USB flash drives, digital cameras, MP3 players, mobile phones, or even old-fashioned floppy disks. All of which then become vulnerable if subsequently lost, stolen, or re-copied.
Although Windows provides some encryption with its Encrypting File System, EFS is difficult to manage and impossible to enforce. Turning it off requires just a couple of mouse clicks, and it doesn’t protect areas of the hard disk such as the swap file or other temporary files. Most importantly, if files are copied from a Windows PC to an MP3 player, floppy disk, mobile phone, ftp site or USB drive they invariably lose their encryption, often without the user being aware that this has happened.