Does it make sense to use computer encryption software on desktop computers? Or on laptop computers that are never taken out of locked facilities? The answer is a resounding “yes” for both, as the story below involving the Greenleaf Book Group shows.
Janitor Steals Computers
Within the data breach community, there is a type of data breach known as “insider attacks.” These are situations where the attack happens within an organization’s supposed security perimeter, as opposed to attempts to hack into a network or company laptops being lost at the airport.
Insider attacks are largely attributed to employees who are dissatisfied with their employer (as in this story, where a Microsoft employee – now ex-employee – was charged with leaking trade secrets). However, the label applies to any instance where a data breach is caused by somebody who had the right to be within the security perimeter, even if they are not a proper employee. Contracted janitors, for example.
In Greenleaf Book Group’s case, a letter filed with the Maryland AG Office relates how the publisher became a victim of an insider data breach when a janitor stole five desktop and laptop computers. The computers were “password protected (but unencrypted)” and had files and emails that included names, credit card information, email addresses, and (in some cases) a mailing address.
The letter puts the number of affected Maryland residents at 6, but that figure covers only Maryland because the letter is addressed to the MD Attorney General’s Office. Who knows how many more were affected elsewhere? More importantly, why was data encryption software not used to protect the data?
False Sense of Security
More often than not, companies do not properly protect their desktop computers because they’re under the impression that such technological behemoths are not “portable” enough. Relatively speaking, this is true. You can slip a smartphone into your back pocket, making it the “poster device” of device portability. Desktop computers, in comparison, are not especially designed for portability. Indeed, they’re not designed for portability at all.
But that doesn’t mean that desktop computers are not portable. Many of today’s desktop computers are about the size, and sport the heft, of a college textbook. Mid-towers from the late 90’s are bigger but not much heavier, and I can say from personal experience that I can carry two of them easily, one under each arm.
If you’re a janitor with a cart, who knows how many you can lift before placing a smattering of balled-up sheets of paper on top to camouflage your deceitful activities?
The risk of such a thing happening is low enough that, at a certain level, it makes sense that encryption was not deployed. And yet, if you’re storing credit card numbers on your computers (which is something of a no-no under PCI-DSS rules), many would consider it negligent not to have adequate protection, regardless of what the risk happens to be.
False Sense of Security II
Let us consider this potential scenario: a janitor – who happens to be a nuclear physicist in his old country – decides he can make some cash by stealing sensitive information from improperly secured computers. He accesses the unencrypted computers at the offices he cleans, searches for potential credit card numbers, and copies them to a USB flash drive the size of a US quarter (i.e., 25 cents bearing the profile of G. Washington).
You say, ah! but the computers were password protected! And I say, ah! but the nuclear physicist probably knows that password protection means bupkis because it’s not encryption! Despite the name, depending on the system that is used, bypassing password protection could be as easy as booting the computer from a DVD burned with freely downloadable software: the login password is a check the operating system performs, and anything that reads the disk without going through that operating system sees the data exactly as it was written.
Without encryption software – which controls access to the data itself, not just to the system – it would be hard to tell whether the data on a stolen desktop or laptop computer was breached or not.
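To make the distinction the scenario above turns on concrete (a login password is a check the operating system performs, whereas encryption changes what is stored on the disk), here is an added Python model that is not from the original post. It uses only the standard library; its PBKDF2-derived key and HMAC-based stream cipher are a stand-in for what a real full-disk encryption product does, not an implementation of one, and the customer record and passphrase are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample of the kind of file found on the stolen machines.
RECORD = b"Jane Doe,4111111111111111,jane@example.com\n"


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch a passphrase into a 32-byte key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """CTR-style stream: XOR data with HMAC(key, counter) blocks. Demo construction."""
    out = bytearray()
    for block_no, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, block_no.to_bytes(8, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


def write_unencrypted_disk(data: bytes) -> bytes:
    """'Password protected' only: the login gate is software, the bytes are unchanged."""
    return data


def write_encrypted_disk(data: bytes, passphrase: str) -> bytes:
    """Volume layout: 16-byte salt | 32-byte HMAC tag | ciphertext body."""
    salt = os.urandom(16)
    key = derive_key(passphrase, salt)
    body = keystream_xor(key, data)
    tag = hmac.new(key, salt + body, "sha256").digest()
    return salt + tag + body


def offline_read(disk: bytes) -> bytes:
    """What a live DVD boot sees: the raw disk bytes, no login prompt involved."""
    return disk


def read_encrypted_disk(disk: bytes, passphrase: str) -> Optional[bytes]:
    """Returns the plaintext only when the passphrase yields the right key."""
    salt, tag, body = disk[:16], disk[16:48], disk[48:]
    key = derive_key(passphrase, salt)
    expected = hmac.new(key, salt + body, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong passphrase or altered volume: no plaintext at all
    return keystream_xor(key, body)
```

Run `offline_read` against both kinds of volume: the unencrypted one hands over the card number verbatim, while the encrypted one yields only ciphertext and an HMAC tag that reveals nothing without the key.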