Security Manager's Journal: It can take a crisis to change a policy

Computerworld - This is a story about how budget cuts take a toll on security, but it's also a tale about how security setbacks can be opportunities to introduce much-needed measures.

When the recession led my company to cut costs about a year ago, one of the decisions was to close a major facility housing some 1,200 employees. A lease agreement meant we couldn't start moving those employees into our headquarters building until last week, when 200 made the move.

When the moving truck arrived here, the movers propped open one of the building's side doors. That was a mistake, made worse by the fact that the budget for guards at headquarters was also cut last year. No guard was available to watch the truck or that open door, and the movers, of course, were too busy moving things to provide security.

That big moving truck outside of an office building must have looked like an invitation, because someone took advantage of the situation and sneaked into our offices through that side door. That person then proceeded to steal unsecured laptops from open offices and cubicles. He got 25 of them, apparently making several trips in and out through that door. He might have gotten more, but on one of his trips out of the building -- when he was carrying five laptops -- an employee challenged him. He ran to his car and took off. Another employee chased the thief but was only able to obtain a partial license plate number. But we know the make of the car and have some video footage from our security cameras, so we're hopeful that we'll be able to recover our goods. In the meantime, data and intellectual property are at risk.

As I said, though, unfortunate events are sometimes the needed impetus for making changes. My experience has been that when bad things happen, I have about a one-to-two-week window of opportunity. I seized the moment.

Grabbing the Chance

First on deck is full disk encryption. We tried to implement it about two years ago, buying the product put out by PointSec (recently acquired by Check Point Software). But some simple things impeded widespread adoption. For example, a lot of our employees use laptops inserted into docking stations, and they couldn't use their USB mice and keyboards until after they logged in. There were also problems with hibernation that I understand have been fixed in newer versions of the product.

These aren't problems that justify failing to use encryption, and my new, post-theft goal is to have our general counsel support a policy making it mandatory for some employees -- i.e., those in legal, HR, finance and the executive offices.

I'm also going to push a group policy requiring that a password lock kick in after a set period of inactivity. Many of the stolen laptops were logged in, giving the thief full access to the information on them. The cost of the laptops is negligible compared to the potential losses to the company and to the individuals whose identities could be stolen through the personal information they kept on their machines. The reason we don't already have such a policy is that it would affect some of our engineering tools. But I think the laptop theft adequately demonstrates that the risk from not locking machines is greater than the benefit to engineering.

Finally, I will take steps to raise awareness about personal security, laptop locks and the need to be aware of those around us.

I wish it didn't take a near catastrophe to drive change. But since that's the case, I can always hope that next week a vendor will plug his laptop into one of our shared office environments and I'll finally be able to start my network access control project.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.

Join In

To join in the discussions about security, go to computerworld.com/blogs/security

Read more about security in Computerworld's Security Knowledge Center.