A recent data breach came to my attention, and while I normally criticize companies that cause these information security incidents, I cannot honestly bring myself to do that when it comes to Coca-Cola’s situation. It’s one of those grey areas where you have to give the company the benefit of the doubt. Even if they were caught with a laptop that wasn’t secured with strong encryption software.
The reason why I’m equivocal in joining other security experts in denouncing Coca-Cola’s mishap lies in the following:
Coke spokeswoman Ann Moore said the laptops were stolen by a former employee who had been assigned to maintain or dispose of equipment. [wsj.com]
This is one of the hardest situations a company can protect against. It involves (1) an insider, (2) intent (to steal), and (3) equipment end-of-life.
The problem with insiders is that, well, you have to trust them on some level. A company can’t treat all of their employees like criminals that need to be observed around the clock. If it did, productivity would plummet, costs would rise, operating margins would crash, turnover would soar, people would be unhappy… You need some controls, yes, but at the end of the day, it’s mostly trust that you rely on.
The problem with intent to steal is that, well, you generally can’t stop people who want to get their hands on something. I mean, really want to get their hands on it. Plus, when your target happens to be an everyday good, there aren’t significant barriers to someone looking to steal it. You just have to bid your time.
The problem with end-of-life equipment is that nobody really cares about such hardware. It just gets locked up – if even that – and the only person who really pays any attention to it is the guy charged with disposing of it. Combine it with the insider problem, and you’ve got a recipe for disaster.
Which is why I have a problem blaming Coca-Cola for the data breach. Yes, the machines were not protected with encryption software. And, it appears that perhaps the laptops were unencrypted from start to finish, which is inexcusable…but understandable. (AlertBoot was built from the ground up with an integrated reporting engine, which is one way around the problem of security lapses. But, other FDE solutions may have added the reporting and monitoring aspect as an afterthought, leading to a less robust monitoring module).
But even if the machines had been encrypted at the beginning of their life as a Coca-Cola asset, would they have still been encrypted once they were tagged as having reached end-of-life?
In my experience, here’s what generally happens: a company purchases encryption licenses, which can be expensive. They encrypt a laptop computer so they can be in compliance with any laws and regulations. The laptop is used, and if everything goes well (i.e., doesn’t go missing), the laptop is replaced a number of years later with a newer model. The old laptop is prepared for disposal, meaning that the machine is decrypted in order to retrieve the expensive encryption license, which is used to encrypt the new laptop.
How does this help prevent laptop thefts by trusted employees who work in the equipment disposal department? Generally, it doesn’t.
(One way to get around this problem is to use something like AlertBoot’s full disk encryption. You can activate the data wipe and ask us to retrieve the license. This ensures that the laptop remains encrypted and inaccessible, and you get to keep you license, too).
Security is a Process
While the wsj.com notes that Coca-Cola wouldn’t provide details on how they figured out who had taken the laptops – or how they had realized that the laptops were missing at all – it doesn’t take a genius to figure out what happened.
At the end of the day, under such situations, the only way to prevent (or recuperate from) a data breach is to keep an accurate log of the equipment and its parts, and perform a physical audit until the equipment is actually disposed of.
Coca-Cola was able to figure out that hardware meant for disposal was in fact stolen; this is evidence that the company has pretty sophisticated computer security policies in place.
What they are guilty of, it appears, is that they don’t have perfect security. Not many companies have that, though.
Related Articles and Sites: