BreachExchange mailing list archives
Re: [follow-up] Boeing fires employee whose laptop was stolen
From: "DAIL, ANDY" <ADAIL () sunocoinc com>
Date: Mon, 18 Dec 2006 10:31:37 -0500
Media relations and public relations are about spin. Security is not about spin. The two subjects do not mix well, especially when the dynamic of human interaction and human perspective is put into the mix (and management is nothing if not about human perspective).

Any security (physical or data) is about percentages and odds. You will never stop 100% of all intrusions because of the incredibly complex nature of technology (just as, for instance, you'll never make a device that prevents 100% of car thefts). You can implement security policies, you can implement "defense in depth", or you may implement a bomb that makes a laptop explode if an unauthorized user tries to boot it up, but there will always be the one exception who gets around your security.

If, statistically speaking, most laptops are stolen by petty thieves who want to pawn the machine, but who are not PC technicians, then the statement that the data is "probably not compromised based on a machine password" has merit; at least mathematically it has merit. (This actually reminds me of the discussion of how large a hard drive is, based on the sales data or the technical specifications.)

(Personally, I like biometric hard drives that retain security settings even if moved from machine to machine. I've also seen some products recently that will destroy the contents of a laptop if it does not connect to the corporate network within a defined period.)

Most people who make these statements aren't being intentionally misleading; they are trying to put a positive "spin" on the incident, and their meta-message is actually: "Statistically speaking, the data is unlikely to be compromised based on the specific facts of the crime". With no outside factors considered, a basic risk analysis would not find a large financial risk to the company that lost the data, and only a "minimal" risk to the individual whose data was lost (about $2500 & 40 hrs was the last figure I saw).
That's why we are seeing privacy laws: to increase the risk to the company through a fine structure, in order to make it financially attractive for the data handler to implement more expensive security measures.

So, if you wanted to ask a hardball question, you might restate that point and ask: "Apparently you've done a risk analysis. What did you find to be the actual likelihood that this particular set of data will be abused?" Follow-up questions could focus on determining if the company is even aware of the costs to the consumer who is a victim of identity theft.

I personally have found my best success at penetrating the corporate bureaucratic mindset is when I can make the employee think of himself as the victim of the theft. It's really important to try to understand the motivations of the entire team, and what their goals are. Understanding what the employees are trying to do is important, but understanding why they are trying to do it sure makes security a lot easier to design & implement.

Andy Dail
Sunoco PCI Project Manager

This message and any files transmitted with it are intended solely for the designated recipient and may contain privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and delete the original and any attachments.

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 143 million compromised records in 512 incidents over 6 years.