Employees Can Help Or Hinder Data Security
MUSKEGON — Employees are a company's biggest asset when it comes to keeping electronic data secure — "and also your biggest vulnerability," according to attorney Eric Grimm of Williams, Hughes & Cook PLLC.
Grimm and Mitch Dennison of Masana LLC, a Web and marketing solutions firm in Grand Haven, were invited by the Muskegon Area Chamber of Commerce to speak to business executives last week regarding data security.
Grimm and Dennison emphasized that criminals are always looking for customer credit card and other banking data that many companies store electronically. Dennison cited the case of Wesco, a Muskegon company with convenience stores throughout West Michigan. In the summer of 2006, credit cards used at Wesco stores were later billed fraudulently in numerous transactions. Federal authorities were involved in the ensuing investigation and Wesco posted a warning on its gas pumps, urging credit card customers to "verify transactions with your financial institutions."
Grimm said some "attacks" on company data are not done via the Internet but by individuals termed "dumpster divers" and "social engineers."
Dumpster divers look for discarded or misplaced data — both corporate and individual — either on paper or in any form of electronic storage, which can include cell phones. Computer hard drives bought on eBay have been found to contain sensitive information, said Dennison.
Dennison's first word of advice is "shredder — buy a shredder," or hire one of the many document storage companies that now are doing a brisk business sending shredder trucks to a customer's location.
As for electronically stored data, there is virtually no way to permanently erase it, according to Dennison and Grimm. Dennison told the story of how he used some Dutch software to retrieve photos in a digital camera that had been "erased" two years previously. He said he is also capable of retrieving data from a hard drive that has been reformatted and the original data overwritten dozens of times.
Free software is available on the Internet for erasing hard drives, which won't thwart a very determined high-tech attacker but will discourage less sophisticated attackers who aren't willing to spend a lot of time on it. Grimm said there is much "low-hanging fruit" elsewhere that attackers can get at easily, so that is where they will go.
Data encryption is a good means of protection from most "attackers," but Dennison said it should be encryption of the entire disk or hard drive, not just certain files.
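The claims in the last three paragraphs (deleted data remains on the medium, overwriting it is what wiping tools do, and encrypting individual files can leave plaintext behind where whole-disk encryption does not) can be seen in a small simulation. The following is an added illustration, not code from the article or from either speaker's firm: it models a disk as a byte array with a toy directory, and a toy SHA-256 counter-mode keystream stands in for a real cipher. The file names, keys and the "customer record" are constructed sample values.

```python
"""Toy block device showing why 'deleted' data stays recoverable, why
overwriting helps, and why file-level encryption can leave plaintext behind
while whole-disk encryption does not. Illustrative example: the filesystem,
the cipher and the sample record are all constructed, not real products."""
import hashlib
import os
from typing import Dict, Optional, Tuple

BLOCK = 64  # bytes per block on the simulated device

# Constructed sample record; the number is a dummy, not a real card.
SECRET = b"CARD=0000-TEST-0000;NAME=J.DOE;EXP=12/09"


def keystream(key: bytes, offset: int, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode over 32-byte blocks), keyed by
    position so a block at a given offset always gets the same pad.
    It only shows where ciphertext lands; it is not a production cipher."""
    start, counter, out = offset % 32, offset // 32, bytearray()
    while len(out) < start + length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[start:start + length])


def xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


class ToyDisk:
    """Flat byte array plus a directory of name -> (offset, length).
    Freed blocks are never scrubbed, mirroring ordinary file deletion."""

    def __init__(self, blocks: int = 32, key: Optional[bytes] = None):
        self.raw = bytearray(BLOCK * blocks)
        self.dir: Dict[str, Tuple[int, int]] = {}
        self.next_free = 0
        self.key = key  # when set, every block is transparently encrypted (whole-disk mode)

    def _store(self, off: int, data: bytes) -> None:
        if self.key is not None:
            data = xor(data, keystream(self.key, off, len(data)))
        self.raw[off:off + len(data)] = data

    def _load(self, off: int, length: int) -> bytes:
        data = bytes(self.raw[off:off + length])
        if self.key is not None:
            data = xor(data, keystream(self.key, off, length))
        return data

    def write_file(self, name: str, data: bytes) -> None:
        off = self.next_free
        self._store(off, data)
        self.dir[name] = (off, len(data))
        self.next_free += ((len(data) + BLOCK - 1) // BLOCK) * BLOCK

    def read_file(self, name: str) -> bytes:
        return self._load(*self.dir[name])

    def delete(self, name: str) -> None:
        """Ordinary delete: only the directory entry goes; the bytes stay."""
        del self.dir[name]

    def wipe(self, name: str, passes: int = 3) -> None:
        """What wiping tools do: overwrite the blocks, then unlink."""
        off, length = self.dir[name]
        for _ in range(passes):
            self.raw[off:off + length] = os.urandom(length)
        del self.dir[name]

    def carve(self, needle: bytes) -> bool:
        """Someone reading the raw medium: is the plaintext still there?"""
        return needle in self.raw


def deleted_file_is_recoverable() -> bool:
    disk = ToyDisk()
    disk.write_file("customers.txt", SECRET)
    disk.delete("customers.txt")
    return disk.carve(SECRET)  # True: delete removed the name, not the data


def wiped_file_is_recoverable() -> bool:
    disk = ToyDisk()
    disk.write_file("customers.txt", SECRET)
    disk.wipe("customers.txt")
    return disk.carve(SECRET)  # False: the blocks were overwritten first


def file_level_encryption_leaves_residue() -> bool:
    disk = ToyDisk()
    disk.write_file("customers.txt", SECRET)
    # "Encrypt the file": write ciphertext as a new file, delete the plaintext.
    ciphertext = xor(SECRET, keystream(b"file-key", 0, len(SECRET)))
    disk.write_file("customers.txt.enc", ciphertext)
    disk.delete("customers.txt")
    return disk.carve(SECRET)  # True: the freed plaintext blocks were never scrubbed


def whole_disk_encryption_leaves_no_residue() -> Tuple[bool, bool]:
    disk = ToyDisk(key=b"disk-key")
    disk.write_file("customers.txt", SECRET)
    readable = disk.read_file("customers.txt") == SECRET
    disk.delete("customers.txt")
    return readable, disk.carve(SECRET)  # (True, False): the medium never held plaintext


if __name__ == "__main__":
    print("deleted file carvable:     ", deleted_file_is_recoverable())
    print("wiped file carvable:       ", wiped_file_is_recoverable())
    print("file-level enc. carvable:  ", file_level_encryption_leaves_residue())
    print("whole-disk (readable, carvable):", whole_disk_encryption_leaves_no_residue())
```

The simulation deliberately has no wear levelling, journaling or swap file; on real hardware those add further places where plaintext copies can survive an overwrite, which is part of why the speakers recommend encrypting the whole drive rather than individual files.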
"Social engineers" are con artists who can persuade someone over the phone that he or she is harmless and is asking harmless questions. Grimm said an expert on "social engineering" did a live demonstration in front of an audience of self-described "hackers" at a conference in New York in 2002. The "hackers" organization, which includes many digital security researchers, is actually only interested in discovering vulnerabilities in electronic data security. The expert called a Starbucks coffee shop and glibly persuaded an unsuspecting employee to give him a customer's credit card information. To listen to that conversation online, go to www.h2k2.net/panels.html, and click on "Social Engineering."
Grimm said sometimes employees will be as helpful as possible to a stranger on the phone because they think it is in the best interest of the company.
"Well-meaning people will inadvertently help the other side even when they don't mean to," he said.
He said management should involve employees in the organization's security process. "Employees, even low-level employees, can actually turn out to be the biggest security vulnerability. So you want to have them help you," he said.
Sometimes, he added, it even helps to reward employees who let management know of potential ways the organization's data can be lost or stolen. Grimm said he would not advise management to urge their employees to think like computer hackers, but, he said, it is a good idea for management to think like hackers.
Grimm specializes in intellectual property law and has also had extensive experience in Internet and security issues. After law school, he worked for a large firm in Washington, D.C., where one of the partners had previously been legal counsel to the National Security Administration. Grimm has also worked with the Electronic Frontier Foundation, a nonprofit organization involving lawyers, policy analysts, activists and technologists defending the public interest in legal issues involving "digital rights."
Grimm noted that accounting firms sometimes offer data security audits to their clients. He also suggested that some companies might want to consider computer data insurance. There are also specialized companies "dedicated to doing penetration testing," he said, adding they can be found online.
The data security presentation was arranged by the Muskegon Chamber of Commerce Innovation Committee, which encourages its members to properly dispose of their computer equipment. Suggestions for doing that can be found on the Chamber Web site.