WASHINGTON
Biggest threat to corporate information: Ignorance
Laptops are just one aspect of protecting a company's security
By ANDREA JAMES
P-I REPORTER
Corporate executives listen up: Valuable company information is getting into the wrong hands. Sensitive documents are walking out in briefcases, bytes of data are zooming away over the Internet, and those internal files you thought were history are probably lying, unshredded, in some Dumpster.
"You are losing tons of information on a daily basis and don't know it," Dan Verton, executive editor of Homeland Defense Journal, said Tuesday. "A lot of companies ... they want to bury their heads in the sand, they want to ignore it. Shareholder value is the rule of the day."
Verton was one of four panelists who spoke at a security summit hosted by Xerox Corp. at the Space Needle on Tuesday morning. Most of the 90 attendees were security officers and information technology managers from 70 companies. Very few attendees belonged to senior management, according to a show of hands.
Corporate top brass tends to ignore security issues until information is stolen and the company is embarrassed. Once something bad happens, then executives have "what we in the South call a come-to-Jesus meeting," said John Nolan, co-founder of the Huntsville, Ala.-based Phoenix Consulting Group.
Stolen laptops are the latest security topic for now. Last year, The Boeing Co. and Starbucks Corp. were among a slew of organizations that lost laptops containing sensitive information.
Most companies don't report security breaches if they can help it, said Verton, a former U.S. Marine Corps intelligence officer.
In the past two years, more than 100 million data records of U.S. residents have been exposed in security breaches, according to the Privacy Rights Clearinghouse.
Verton believes that the next big threat will come from zombie networks of compromised computers that know how to talk to one another. Cybercriminals infiltrate the computers using spam e-mail and then control them in the background, he said after the conference.
Today, virus attacks are the largest source of financial loss, followed by unauthorized access and then theft of laptops and proprietary information, according to a 2006 Computer Security Institute and FBI survey.
But even as threats vary, hackers get more savvy and security gets tighter, one thing never seems to change: The biggest risks come from within.
"It's not because people are criminally oriented, it's because they are social animals," Nolan said. "The greatest majority of vulnerabilities derive from people who just don't know better."
Steve Lutz, president of Seattle-based WaySecure Consulting Inc., makes a living hacking his clients to find weaknesses.
"One of the things I'm known for is breaking into things. We do that. We usually succeed," he said. "Hacking a person is a lot easier than hacking a computer."
Making new hires sign acceptable use policies won't cut it, panelists said. People don't read them, or they don't care because rules usually are not enforced.
New college graduates are savvy enough to find ways around controls and Web mail blockers, the panelists said. That's why it's important to train employees to be careful.
"These are people you are going to be hiring," Verton said. "They don't have the same understanding of acceptable use."
Though the Economic Espionage Act of 1996 makes it a crime to steal trade secrets, companies should not leave it to the federal government to protect them, panelists said. The federal government struggles with keeping its own data safe. The Commerce Department has lost more than 1,000 laptops since 2001 and the Veterans Affairs Department had data stolen on more than 26.5 million veterans and active-duty troops, it was reported last year.
In an interview, Lutz pointed out one Fortune 500 company that left the vendor-issued password unchanged on its virtual private network. One of the first things hackers do is try known or commonly used passwords. Within seconds of trying a vendor password, Lutz was able to access the company's financial records, human resources files and marketing secrets.
Summit attendee Dan Waite, who heads security on the West Coast for Weyerhaeuser, said that a significant portion of his job involves protecting the company from its own employees.
"Most of what they said is something that we've been dealing with for years," he said.
Preventing a data breach
Keep laptops or PDAs in sight
Cross-shred, burn or pulverize papers
Use strong passwords
Enable password-activated screen savers
Audit computer networks regularly
Tell employees about security policies
Determine what information is confidential
Train staff on securing information
Conduct employee background checks
Punish security violators
Hold management accountable
Sources: Attorney General Rob McKenna; P-I reporting
P-I reporter Andrea James can be reached at 206-448-8124 or andreajames@seattlepi.com.
Wednesday, February 14, 2007