Written at home after a sleepless night thinking about real risks and dispatched via my home LAN.
Without revealing what I did or how and where I did it, I have to confess to having just done something absolutely stupid.
Exclusive column: The Naked CIO
Why? The probable culprits are tiredness, overload and my ageing brain. But the result was a seven-hour window when my company and personal defences were significantly degraded. Or as Scotty would have said – our shields are down to 60 per cent and only just holding.
While travelling I lost control of a couple of hard drives containing more than 100GB of information. This was something I had never done before in all my decades traversing the planet. My immediate reaction was, “Oh well – no problem. All the data on the drives is secure.”
Then my brain started whirring and it occurred to me that the state of security on those drives was originally established some years ago. As I played out the role of a would-be criminal in my mind, my unease started to increase.
The arrival of new software tools and social networks had occurred since I acquired the drives. What if you collected partial information from the hard drives and several of these sites? Would you be able to do any real and lasting damage?
The loss occurred at 10.30PM at an airport but I didn’t realise that the drives were missing until 11.45PM – and the airport didn’t reopen until 6.30AM the next day. By 1.30AM I was lying in bed mentally defrauding myself and stealing my own identity.
Could a criminal have done it? I concluded that a clever one could. The next morning I was thankful and very relieved to recover the drives and get back to normal.
But task number one was to try out my many devilish scenarios to see if the risk was real. It was. I could have done myself a lot of damage.
What did I learn? Something I really know well: security measures have to be continually reviewed against a backdrop of accelerating technology, deviousness and social complexity that increasingly puts us all at risk.
The incident was entirely my fault. I raise my hand – guilty, your honour. But I can guarantee that everyone reading this, and every company in the land, is also guilty by default. It is just so very hard to be vigilant all the time. Sooner or later we let our guard slip.
So here are my recommendations:
- Be paranoid – always assume there is a real threat.
- Always assume that sooner or later you or someone in your company will do something really stupid – no matter how smart you or they are.
- Lock down all vital documentation with passwords and encryption – and the emphasis has to be on the vital.
- Ditto for all working folders.
- Whenever possible, use a priori knowledge and cryptic records to make information difficult to relate to or use in isolation.
- Use clutter as a means of hiding information – and there is a lot to use.
- Don’t waste time encrypting emails – they are inherently too cryptic to decode unless you are really in the swim of things.
- Take a long hard look at the information you make public on websites and social networks.
- War-game, or get someone else to war-game, the potential threats.
- Review security measures regularly.
It is also worth remembering that most information has a very short half-life and may therefore warrant fairly minimal protection. In contrast, details of the following kind remain important and useful to the criminal even after we have departed this life:
- Date and place of birth
- Mother’s maiden name
- Father’s name
- Birth certificate number
- National Insurance number
- Driving licence details
- Passport number
- Bank and credit card details
- Employee number
The last scare I had of this nature occurred well over 10 years ago, and that was the second in my life.
Hopefully, having now had three over the past 20 years, there won’t be another one. But I’m not betting on it.