Relying on user compliance is risky business.

7:28 pm on July 14, 2008 | By Cam Roberson | In laptop security, laptop theft |


Most of us have become desensitized to the almost daily reports of laptop loss or theft. Heck, I barely notice them anymore - and I’m in the industry! What blows me away though, is the boilerplate mantra from the spokesman of the at-fault company when defending their indefensible position with the media. Always well-rehearsed and nearly believable, those statements are derived from the now necessary PR outline, “CYA: Laptop Loss, What to Say to the Press”. I happen to have found this early version used in 2006 by a very large aeronautics manufacturer. It has been used and personalized hundreds of times since by companies big and small. Here it is:

“CYA: Laptop Loss - What to Say to the Press”

(Note to spokesman: whenever possible, present the loss as a theft. A simple loss implies that the user may have been flippant, careless and/or negligent.)

1. (your company name) is very concerned about protecting the privacy of its employees, customers and/or clients.

2. (your company name) has no reason to believe that the laptop was stolen for anything other than the hardware value.

3. The laptop was protected with passwords.

4. The employee of (your company name) is being reprimanded (or terminated) for violation of data security policy. Cite one of these policy violations:

   a. Employees are prohibited from taking sensitive data outside business walls on laptops.

   b. The employee shared or otherwise exposed passwords and/or login credentials.

   c. (your company name) has selected, and is in the process of deploying, encryption but has not yet completed the rollout.

   d. If possible, assign blame to a rogue contractor, vendor or service provider. This tends to confuse readers as to who is really at fault for the breach.

5. Reiterate that “because (your company name) is very concerned about protecting sensitive data,” a better and stricter employee (or vendor/contractor) data policy will take effect (fill in a reasonable timeline).

C’mon! We’ve not seen the frequency of laptop loss hit even a small speed bump since ‘06, yet we keep being fed the same BS. Users are not going to consistently adhere to policy. Why? Because security almost always comes at the expense of productivity. Here is the simple truth: you can’t rely on your users for effective security. Whatever solution is chosen, it must have absolutely zero reliance on user involvement.

Case in point: this is a photo of an actual user’s laptop with the passwords written on the wrist rest of the laptop (via Securi-D’s Weblog):

I would like to see this problem go away, but until it does wouldn’t it be refreshing to hear the next at-fault company admit, “We never thought it would happen to us. Yep, we screwed up. We accept full responsibility and are implementing (chosen solution) immediately that will protect our customer (or employee) data no matter what our user does.”
