An employee for Northern Trust Bank was caught selling electronic office equipment on eBay, as well as putting them up at pawnshops and selling them to his own colleagues at the bank.  The thefts occurred between May 2005 and Nov 2006, when he was arrested.  Most of the equipment that was stolen consisted of computers and peripherals, such as laptops, desktops, LCD monitors, and printers.

Bank management became aware of the thefts when 12 laptop computers went missing.  An investigation following the theft of the laptops revealed the true extent of the misdeeds.  The above story highlights two things to keep in mind when practicing data security.

First, size does not matter when theft is the purpose; anything is fair game.  A lot of people seem to forget this when an actual crime occurs.  Too many people raise hell over sensitive information being stored on a laptop computer, for example.  They’ll point out that laptop computers are designed for mobility.  I’d like to point out, so are desktop computers.  I mean, have you seen what IBM used to sell prior to the invention of the desktop computer?  Desktops were not designed with convenience of mobility in mind, but they certainly don’t require a tow truck.  Those machines were designed so an average joe could pick it up and move it about.  If your information security manager is relying on a computer’s form factor as a security measure, I’ve got news for you: you’ve got a terrible security manager.  Unless you happen to reside in a community of skinny‑armed Buddhist monks who live on a supercharged grain of rice a day, that is.

Plus, plenty of people are using laptops computers as desktop replacements nowadays, meaning “laptop” does not always equal mobility.  I can point towards my own ThinkPad as proof.  And for those who would continue to argue that they’re easier to steal, give me a break: if a thief is already within the security perimeters of a building, he can steal whatever he wants.  Reiterating my point, size does not matter.  It’s this obsession with size that prevents people from seeing the big picture: in the digital age, you’ve got new methods of protecting what’s really important, like hard drive encryption to ensure that a physical act (theft) can’t affect your metaphysical assets (your client data.  You’ll want backups, obviously).

The second thing to keep in mind is, you need to perform audits regularly and ensure that it’s performed by a neutral party.  For a bank, filled with management types inculcated in viewing the world in terms of profit and loss as well as risk management, it’s hard to understand that they have gone an entire year without realizing that stuff was missing—a sure sign that audits are not being performed by the bank.  If they only spent as much time on their inventory as they would on ensuring the accuracy of balance sheets...  I’m sure that it didn’t help that the person committing the crime was also the bank’s computer information technician.

There are products that were built with the above two points in mind.  AlertBoot, for example, not only allows one to encrypt and manage thousands of computers from a central console.  It also features powerful reporting so that audits can be performed on the encryption status of each computer and control user access to each machine.  This way, if problems do arise, those in charge of security can act ASAP and lower the risks of an information breach.