“Never, ever put client data on a laptop — and if you absolutely must, keep that laptop physically attached to your body,” says Sharon Klein, a partner with Pepper Hamilton who counsels clients on privacy issues and advises them on how to deal with the loss of sensitive customer data.
“If [a lost] laptop is not encrypted, that triggers notification of security breach laws,” she told CRM Buyer. “Then you have to go into a legal cycle of sending out letters [and] offering free credit-monitoring services.”
Besides the cost to reputation, the bite out of a company’s bottom line is usually five to six digits, she estimates.
Imagine then, her shock when one of her law firm’s laptops went missing, and client data was compromised.
The culprit? A vendor that downloaded information from the firm and then went to another client location. Although the sales rep left the laptop in a locked room, it was stolen.
Encryption, Encryption, Encryption
Incredibly, the vendor tried to argue with Klein about liability and whether the missing laptop triggered the notification laws.
“Since it was only password-protected, it triggered them,” she said, although opposing counsel tried to argue otherwise. “The law is very clear on that.”
There are two points to the story: One, if you encrypt data on a laptop, then you do not have to go through the painful act of notifying your customers that you were careless and irresponsible with their data — even if a machine is lost. Not many firms seem to realize that, Klein said.
Two: Beware of sales reps, vendors and any other third parties that have any level of access to your data. They are the ones who represent the biggest security risk to your company.
Salespeople represent the biggest potential security risk to small and medium-sized businesses, a recent MessageLabs survey showed. This result makes sense, Mark Sunner, chief security analyst at MessageLabs, told CRM Buyer.
“Salespeople are usually within the age of 25 to 35 and are power Internet users,” he noted. “They are multitaskers and don’t put security at the front of their concerns.”
It is easy enough for a sales rep — especially one who’s on the road — to send instant messages or e-mail from an unsecured laptop or personal device. It is also easy to lose those devices while traveling. Encryption is rarely used because of the time it takes to boot up a system.
“No one wants to wait five or ten minutes for a laptop to come online when they are making a client presentation,” Sunner said.
Internal users, in general, present the biggest risk to a company’s security, commented Paul Henry, vice president of technology evangelism at Secure Computing.
“It’s not just salespeople. Consider teleworkers, which actually, in my opinion, are more dangerous to security than salespeople,” he told CRM Buyer. “Companies have had years of experience in reining in sales reps and instilling safe computing practices in them.”
Teleworkers, by contrast, are relatively new to the corporate world.
“Most sales reps cannot install anything on a laptop without company approval,” he said. “Someone who works from home can have all kinds of software on the desktop without the company’s knowledge.”
Only Just Begun
This is only the beginning of the problem, said Stan Quintana, executive director, AT&T, who is responsible for AT&T’s Managed Security Services.
“It will become more prevalent as more wireless computing devices come onto market,” he told CRM Buyer. “It will multiply the number of access points for workers to pick up infections and pass them along to a corporate network.”
The biggest sleeper issue, though, he said, is the risk posed by customers accessing a company’s Web site. Now, most consumers expect to be able to pay bills online or from a PDA (personal digital assistant). “Conceivably, a consumer can unwittingly affect a network that way.”
In fact, this is already happening: SQL injection is a prevalent form of attack. Typically, a hacker attaches malware as part of an SSL (Secure Sockets Layer) transaction with, say, a bank. It is then injected into the company’s back-end system, where it extracts information from a database.
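To show concretely why a Web-facing site with no input filtering can hand over database contents, here is an added example (not code from the article or from any company it quotes) that runs the same request parameter through a handler that pastes it into SQL text and through a handler that uses a parameterized query. The customer table and the in-memory SQLite database are constructed for the illustration.

```python
import sqlite3

# Constructed sample data: an in-memory customer table standing in for
# the back-end database behind a Web-facing e-commerce site.
SAMPLE_CUSTOMERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The Web tier pastes the request parameter straight into the SQL text,
    # so the parameter can change the meaning of the statement itself.
    sql = f"SELECT username, email FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # The statement shape is fixed; the driver passes the value separately,
    # so it is only ever compared against the column, never parsed as SQL.
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username: str) -> tuple:
    """Return (rows from vulnerable handler, rows from parameterized handler)."""
    conn = make_db()
    try:
        return (len(lookup_vulnerable(conn, username)),
                len(lookup_parameterized(conn, username)))
    finally:
        conn.close()


if __name__ == "__main__":
    # An ordinary request returns the one matching row from both handlers.
    print(compare("alice"))             # (1, 1)
    # A request parameter carrying SQL syntax: the vulnerable handler returns
    # every customer, while the parameterized handler matches nothing.
    print(compare("x' OR '1'='1"))      # (3, 0)
```

The second call is the "security filtering" gap Quintana describes: the fix is not to scan the transport but to keep request data out of the statement text, which the parameterized handler does regardless of what the consumer submits.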
The Internet-facing infrastructure is wide open at many corporations, Quintana noted.
“This is one of the biggest weak links in many companies’ security apparatus: a Web-facing e-commerce infrastructure that does not have any security filtering.”
Even companies that do have such filtering should not rest easy. Virus writers have proven to be resourceful and adaptable. As e-commerce continues to become more consumer-friendly, hackers will continue to avail themselves of the same entry points.