
How one lost laptop can have a giant impact


As the CTO of a data protection and encryption company, I hear many a tale of woe as other CTOs and CEOs confess to me the stories of how various laptops within their companies have gone astray and the destruction these lost laptops have caused in their wake. With this in mind, here is one such tale of woe, albeit fictional, that I have heard time and time again.

Where do I begin? If the evidence is to be believed, it stems back to what I assumed to be a fortuitous meeting in the bar at the Waldorf.

Sarah Smith had been our top deal closer for the previous three years and I personally was devastated when she announced she was defecting to our main competitor. It was lovely to bump into her and catch up with how life was going and I actually thought that I might be able to persuade her to come back. How wrong was I!

I didn't even realize that my laptop was gone at first.

The new client that I had arranged to meet failed to materialize and I'd wanted to check the arrangements in my emails. Initially I didn't panic and simply assumed that I'd left the laptop in my car. When this turned up a blank I drove back to the office convinced it would be on the desk. Even after it became clear that it was missing, I still didn't connect the two – in fact I still can't believe it's true.

To be honest, I assumed that I'd left it somewhere and it would turn up in a day or two. If it had been stolen, then it would be wiped clean and sold, probably on eBay. I know there had been numerous warnings from IT, and shed loads of budget spent, to thwart the motivated thief who steals laptops to order – but that was just in Bond films, not in the real world, and certainly not in mine.

I left it a few days in case it turned up but eventually rang Simon in IT to ask for a new laptop, ASAP. He didn't seem happy that I'd left it a week, but I hadn't wanted to waste money on a new device unnecessarily, and I was unperturbed at his concern that I'd lost mine. I thought him patronizing when he reassured me “not to worry as everything would be okay because it's protected by really powerful encryption software, the best money could buy – which would prevent anyone from actually accessing my files and data.” I thought his reaction of almost squealing down the phone and then gasping for air, to my admission that actually I'd been too busy to install the software, after seeing his email about following his simple, must-do instructions for our company's new “state-of-the-art” encryption solution, a tad over the top! He also wasn't too happy that my password was my surname56 – he seemed amazed that every month, when I was forced to change, I just increased the number. Surely I'm not the only one who does that? I couldn't understand what all the fuss was about.

Simon wanted to know if there were any documents that could potentially cause a problem and of course there weren't, except perhaps the Microsoft Word document with the usernames and passwords I used, and the networking details to connect the laptop to the network – who could remember all those codes and instructions. The color seemed to drain from his face and I think it took everything in his power not to strangle me. As he left, his passing shot was “he was disappointed”. Well, so was I, how much had we spent on security software with no real return? And he was trying to make out that it was my fault the system could have been compromised.

I received my new laptop, complete with encryption that I couldn't bypass, and I thought that was the end of it. In fact, it was just the beginning.

At first it was little things.

The list of companies that had been identified by Tim, the new business development manager, had all been approached by Sarah's company in the last few days. Any appointments we did secure ultimately declined our proposals citing they'd been given a better deal. Tim was given his marching orders pretty quick – there's no point having someone with their finger on the pulse if it's the same one as the competition.

I then started receiving complaints from existing clients with some of the miscellaneous costs on their service invoices – some had been with us for almost 10 years and never seemed to mind before. Although none of them would go on the record, a few that I considered friends informed me that they'd been approached by members of Sarah's team who'd “made them aware” of what our mark up was. This was something that the majority of our own sales team weren't privy to, so how could Sarah's team know – Sarah didn't know, did she? How could she? Unless she'd seen something while she was still walking our corridors. We really must lock down sensitive information.

I think what first aroused a fragment of suspicion was Sarah's company launching ‘Chrysoar’ the week before we were due to release ‘Pegasus’. I know there's usually some speculation in the market ahead of a big launch, and we'd certainly caused a few rumours during our development and testing phase, but I hadn't even heard a whisper suggesting our competitors were thinking along the same lines – let alone developing a counterattack. Just shows how much I know. Every TV station, radio channel, newspaper and magazine we'd booked advertising with was carrying theirs the week before ours – it really looked like we were the ones playing catch-up when we went live. Even their press release was the same and we'd had to spend a frantic few days getting that rewritten and approved. Surely that couldn't have been coincidence. We won't be using that communications agency again. They obviously can't be trusted. It's a shame because they'd done some good work for us during the last five years.

I think the penny started to drop when all our top-performing employees received approaches offering alternative employment. Every offer played to what the individuals hold dear – Steve's remuneration package would include free travel and extra leave to visit his family in Barbados. You could argue that Sarah knew that was a gripe of his while she was with us but she didn't know the new boy, Mark, had a passion for baseball so his enticement included tickets to six of the best games every year. Simon was told that the budget for security was as large as he felt it needed to be! For some strange reason, David in HR didn't get approached.

When I received the brown manila envelope, with pictures of me and my ‘lady friend’, with a request for £100,000 for it to remain between the three of us, I realized that perhaps my laptop might be haemorrhaging its secrets.

The meeting between me, senior management, IT and the security team was an interesting one. You could have heard a pin drop when I confessed that perhaps there were some documents on my laptop after all that could potentially be sensitive, in the wrong hands – i.e. Sarah's. Tim had sent me an email sharing his short list of targets; Talia in accounts had sent me copies of the latest client contracts. I'm pretty certain I'd been copied in on the marketing plans for the product launch. I knew for a fact Brian in HR had sent me the employee database so I could send everyone a Christmas card. In fact, I don't think I'd even had to tell him that was why I'd wanted it.

There were legitimate reasons for me having this information and I hadn't realized it could ever cause a problem. I know IT had said that laptops could be targeted but I never really believed it. If the truth be told, I don't think they did either, not really.

The lecture from the security officer was so degrading. Fair play to the IT team, they certainly did all they could to help me, both before and after the theft, and it is true to say that if I'd followed the advice and adhered to the security policy I wouldn't have been in this position, but still – did he have to say “I told you how important it is to encrypt your laptop”? He loved pointing out how important it was to lead by example and that “he can only do so much, but at the end of the day everyone within the organization has a responsibility to protect the data they work with and rely upon.”

To top it all, the snickering as I walk through the corridors is driving me insane – especially as I know I deserve it.

Ah well, after today I'll be able to draw a line under the whole sorry affair. I wonder what it's going to be like not having to get up tomorrow to go to work. Fingers crossed I won't be unemployed for too long but I'm not going to sit by the phone.


I'm sure we all recognize the hapless CEO in this sorry tale – and if you don't then may I suggest you take a long look in the mirror. It is true that our story is completely fictitious and no names have been changed to protect the identity of those involved – but it is based on real events happening in organizations every day. Make sure it doesn't happen in yours.


