It's lunchtime. Do you know where your company's confidential information is? Alexander Kesler, president of Boston's zTrace Inc., knows a company whose executives thought they knew the answer to that question. But during lunch one day, thieves disguised as electricians spirited away three laptops. Panicked, the firm bought five new laptops, but within five days they had been stolen as well. "You would have thought they would have protected them after the first time, but people tend to not do that," Kesler says. "They thought, 'It happened to us once, so it's not going to happen again.'"
What most companies don't know is that physical exploits can compromise computer systems just as easily as more esoteric, Net-borne assaults. Purloined laptops, stolen passwords, "dumpster diving," unlocked doors--all put a company's most privileged information at risk. What's more, the material world opens security loopholes that are aren't available in cyberspace, says Richard Moxley, vice president of technology at Blackbird Technologies, a computer security firm in Herndon, Va. "What we tell our clients is that if an attacker has unrestricted physical access to a system, that's generally sufficient to defeat any security measures you build into the software and configuration."
That's particularly bad news for e-business, where customer data is held in trust and even a hint of physical vulnerability can give investors cold feet. John Klein, president of Rent-a-Hacker, a security consultancy in Fergus Falls, Minn., points out that some users may not realize what sensitive information they hold. The Web design department, for example, often has access to e-business transactions. "When a customer's credit card gets used, that can't be handled internally," he says. "The company has a big problem."
Because of the risks involved, some companies may insist that a potential business partner undergo an independent security audit. In the financial sector, for example, organizations must comply with a set of auditing standards intended to assess both digital and physical vulnerabilities. Moxley says he expects other business sectors to follow suit. "In the future there's going to be more of an opportunity to specify what a partner's obligations are," he says. "I think you're going to see more of that kind of thing, just as a matter of due diligence among partners that are exchanging data."
E-businesses may also be obliged to beef up their physical security in order to secure funding. Moxley describes a case in which an e-commerce firm was seeking venture capital for a Net marketplace. "Before the investors would release the money, they wanted to see an independent assessment of the security of the system." Underwriters also like to see evidence of physical security before a company goes public.
The good news about physical assaults is that, unlike virtual security, most can be prevented by following a few fairly simple security practices.
The enemy within
The easiest way to lose confidential data is to let everyone have access to everything. Unfortunately, that's a fair description of some firms' policies. Many small offices don't monitor access or make sure employees log off computers when they leave. Klein of Rent-a-Hacker says that kind of climate invites security breakdowns. Most perpetrators are employees who want privileged information, but once in a while, competitors break in.
According to Klein, thieves often just sit down at someone's keyboard and start digging. Sometimes they'll do it after hours, but just as often the intrusion will occur while others are walking around, minding their own business. If a computer is secured with a password-protected screensaver or a firewall, it's still not safe. Some screensavers are easily thwarted with a Control-Alt-Delete; whole systems can be laid bare by booting a computer to a floppy disk or CD with an alternate operating system. Or a thief can rely on speed, slipping into a user's chair in the unguarded moments before a secure screensaver kicks in.
By and large, breaches by outside parties are less common than inside jobs. But contractors--or people posing as contractors--can also endanger security. That sounds paranoid, but a hardware engineer for a New England networking company who requested anonymity says that a certain degree of paranoia is healthy. "If someone has a reason to want to look inside your systems, they can very easily sneak into a cube farm in a tech company or a departmental office in a university," he says. Generally, if you know what you're doing, it's easy enough to get anywhere you want that's not heavily defended."
The best way to prevent break-ins is to make sure people don't go where they don't need to be by segregating business units and installing a keycard system. Engineers' keycards shouldn't allow access to the accounting department, and Web designers' cards shouldn't open the door to ad sales.
Outsiders can be monitored by traditional security means. "Have it set up so that someone who doesn't belong there stands out, whether that's by requiring that people be escorted, or requiring that there be badges," Moxley advises. "People should have to sign in and sign out." Alarm systems and video cameras can thwart after-hours intrusions.
Above all, employees should be enlisted in security efforts. Vice presidents as well as customer service reps should understand that it's their responsibility to watch for signs of illicit activities: employees using systems in ways that don't seem to relate to their jobs, inexplicable changes in people's work patterns, strange network malfunctions. "As far as actually protecting the computers, it's almost as much the individual's responsibility as it is the company's," says the hardware engineer.
Paper, paper everywhere
Proprietary data has a bad habit of walking away, and companies should never forget it when they take their trash to the dumpster. Moxley says that industrial spies have been known to rifle through printouts, paper waste, and magnetic media to find network diagrams, passwords, and user lists. "Going through trash is a fantastic way of doing target analysis and gathering information that will help them break in," he says. Even a phone list can be problematic in the wrong hands. Thieves can assume the identity of an employee, call the company's help desk, and ask for a new password.
Passwords, the most common and cheapest form of computer security, are the stuff of life for material-world hackers. Most computer users choose generic, simple passwords that can be easily guessed or cracked with brute-force programs freely available on the Web. In response, many companies require users to combine upper-case letters, lower-case letters, numbers, and symbols in their passwords. But this creates another problem--when a password is difficult to remember, people tend to write it down--the Post-it notes syndrome. Administrators should try to strike a balance between the simple and the obscure.
An even worse password infraction is sharing accounts. That's bad enough in a company where everyone has his or her own cubicle, but it's a massive headache in a shared-terminal environment. One of Klein's clients is a magazine subscription fulfillment company where only three out of 2,200 employees have their own computers; everyone else shares. "The call center manager has to enforce that they don't give each other usernames and passwords," he says. "If one guy's logged in for three weeks at a time and everybody uses it, then we don't know who did what when something goes wrong."
Employers can best reduce password abuse and loss by setting and enforcing policies. The IT department needs to communicate with the frontline managers and explain to them why security policies exist, so the company's security isn't compromised by lax behavior.
Trouble on the move
It's common practice for thieves to stroll through unlocked offices with impunity, picking up one or two computers for the road. Many companies stymie such thefts by tethering machines to the desktop with cables, but that tactic doesn't work for portables. Notebooks left lying around the office can be waltzed out the door under a coat. And traveling laptops are the easiest pickings of all.
"Most laptops are stolen at conferences, expos, hotels and airports," Kesler says. "Then, thieves resell them through Internet auctions or want ads in the newspapers." Insurance statistics show that the average stolen laptop costs a company about $80,000 in lost productivity, corporate secrets, and irreplaceable data. Kesler's company markets software that resides invisibly on a computer until the owner reports the unit stolen. Then, if the computer is used to log onto the Internet, zTrace's server homes in on it and notifies police. Sometimes the data is intact; Kesler says that most computer thieves are in it for the 70-cents-on-a-dollar resale value, and usually don't bother to delete files.
But if the thief is a hacker, or knows a hacker, look out; hooked up to a DSL or cable connection, an employee's notebook can function as a back door into the network for Trojan horses (the type of hacking program that attacked Microsoft), worms, and humans bent on destruction.
A company's servers, repositories of its most precious information--client lists, credit card numbers, contracts, sensitive e-mails, software source code--are not immune to tampering. Most small and to mid-sized businesses don't have the resources to guard the crown jewels around the clock, which explains the growing popularity of Web hosting in Internet data centers (IDCs). Data centers, the digital equivalent of Fort Knox, provide both redundancy (to guard against lost data) and secure space (to keep intruders' hands off the goods).
Steve Urquhart, a branch manager at Firstworld, a Denver company that operates a nationwide network of IDCs, says that any downtime, whether accidental or malicious, is poison to a computer-based company. "Not only do you lose sales that night, but you probably lost that customer, because he's going to go somewhere else," he says. "If it hasn't happened to you, it's probably going to."
Data centers like Firstworld aren't impregnable, but they're as close as you can get in an insecure world. They employ human security guards, keycards, escorts, identity cards, off-site monitoring, video cameras, two-way mirrors, and a variety of other measures to protect data. It's worth touring a state-of-the-art IDC even if you plan to take responsibility for your own server security; you may pick up a few tips.
Jamie Swedberg is a freelance technology writer in Nashville, Tenn.