
Friday, November 10, 2006

CANADA: LAX SECURITY LEAVES DATA OPEN TO THIEVES

globeandmail.com: Lax security leaves your data open to thieves
http://www.theglobeandmail.com/servlet/story/LAC.20061109.TWDATAT09/TPStory/Business

Lax security leaves your data open to thieves

Sloppy protection of company secrets can land them in the hands of competitors

Special to The Globe and Mail

At the end of June, 8,000 clients of MD Management Ltd. were shocked to learn that a laptop from its Edmonton branch containing their personal, financial and professional information had been stolen from a car in the parking lot of a shopping mall.

Ottawa-based MD Management, which is a subsidiary of the Canadian Medical Association and provides financial services to Canadian doctors and their families, responded quickly, notifying authorities and hiring an investigator to try to track down the laptop. But the computer, and the thousands of personal and financial files it contained, were never found.

The incident is by no means an isolated one.

Other recent cases of stolen data include a laptop containing 900 client files swiped from an Ottawa branch of Bank of Montreal and the theft of 2,000 consumer files from the offices of Montreal-based credit reporting agency Equifax Canada Inc. Both cases are still being investigated, though no frauds have been reported in connection with either of those cases or the MD Management laptop theft.


Despite growing awareness of data theft and identity fraud, experts say security habits are getting sloppy. And they have a sobering message: The black market in stolen digital information is booming.

The value of stolen data -- corporate and personal -- is at least $65-billion (U.S.) in the United States and $12-billion in Canada, according to David Drab, a 27-year veteran of the U.S. Federal Bureau of Investigation's counterintelligence and organized crime division, who now works for Xerox Corp. as global head of security. But the real numbers could be as high as five times those estimates, Mr. Drab said, because the majority of data thefts are not reported. Many companies see no benefit in revealing publicly details of a security breach that might damage their business.

"It's a lose-lose situation [for businesses] because you have shareholders looking at you, you have investigators involved and it's disruptive to an organization. No one wants to be tarred and feathered in the press," Mr. Drab said.

Security author and cyberterrorism consultant Dan Verton said some cases show that the sophistication being employed by data thieves is keeping pace with advances in technology.

"Nowadays, criminals walk around parking lots with wireless scanners and they look for signals from wireless devices. You don't even have to touch a person -- you can walk right by them and scan the data right off their laptop or cellphone if it's not configured correctly," Mr. Verton said.

Both experts say most deliberately stolen data is sold on the black market through anonymous "data brokers" who trade the information to organized crime rings. In the case of corporate secrets that find their way into competitors' hands, an even more chilling revelation awaits: Most common data thefts occur from within an organization, often by employees leaving the company for greener pastures.

"Competitors are receiving résumés with attachments and those attachments often are schematics, documents and secrets, in an effort by an employee to secure a new job," Mr. Verton said.

"It's not enough to make employees promise not to do certain things, or to make them simply aware that data shouldn't be handled in a particular way. Companies have to have a technical enforcement mechanism in their procedures to protect their data."

An investigation into the MD Management theft by the Office of the Information and Privacy Commissioner of Alberta echoes that argument. The board lauded MD Management's immediate response to the theft but chastised the firm for its failure to encrypt or protect the data sufficiently.

The board suggested that businesses using digital records should not place the responsibility for security solely on employees. "While policy outlining who may store what data on a laptop and for how long is important," the report concluded, "organizations should employ other physical, administrative and technical measures that do not rely strictly on employee compliance."

*****

Protecting your data

Keeping your data safe takes more than a sternly worded mission statement. Security has to become an integral part of your corporate culture.

Create a moat: Always ensure files are encrypted to block access to them if they are stolen. Microsoft Windows 2000 and XP Professional already come with encryption software installed, and there are a host of vendors that offer commercial encryption services from about $50 to $200 a device.

Put up a wall: Make sure access to files is limited to those who need it. The fewer people who have clearance to view a file, the easier it is to protect and track it.

Keep a poison pill: For those devices particularly jam-packed with valuable data, invest in wireless tracking software that checks your device against an Internet server. If your laptop or PDA shows up as stolen, reports several failed-password attempts, or perhaps is taken outside a preset radius, the software can remotely send a signal for the data to self-destruct, rendering it unreadable. Cost of your peace of mind: a few hundred dollars a year for each device.


