VSJ – July 2005 – Sounding Board

Robin Jones frets about security threats from apparently innocent sources.

Apple’s iPod has been causing a stir in numerous forums lately. There are the obvious concerns regarding P2P and DRM issues of course. But a more interesting question (to me, anyway) concerns its potential use in business espionage. iPods – and most other USB devices – are just, at root, more forms of external storage, so any quantity of unsecured data can be drained from organisations’ databases unless there are explicit mechanisms in place to stop it.

A recent report from Centennial Software suggests that almost 9 in 10 companies in the UK don’t prevent such devices being connected to the corporate network. About a third don’t think it’s a problem. Well, let’s consider an example drawn, so far as I know, from my imagination, not from real life.

Joe Flake works for Solid Homes Estate Agents. Fly-by-Night Estates has offered him a job at an inflated salary so long as he provides them with Solid Homes’ client list. Solid Homes uses digital cameras to snap houses for sale, so no one thinks it strange when Joe puts his employer-provided camera into the USB cradle. What they don’t notice is that he isn’t uploading photos but downloading client data. He slips the memory card into his pocket and replaces it with a new one. Unfortunately, there is a hole in his pocket. As luck would have it, when it falls out, a client of Solid Homes picks it up. On discovering its contents, he is outraged to find his personal details available to all and sundry. He complains to the Information Commissioner. So what started as a piece of industrial espionage that probably wouldn’t have harmed Solid Homes much, given that its clients sign contracts that limit their future actions, has become, at the very least, a public relations disaster.

Yes, I know, the data could have been encrypted and, in an ideal world, would have been. But even then it only makes things a bit more difficult for Joe. He would have access to the data, if only record by record. So a few nights of ‘working late’ and feverish cutting and pasting would probably do the job for him. Ah, you say, plus ça change, 20 years ago he would have ‘worked late’ photocopying what he needed. True, but 20 years ago Solid Homes wouldn’t have had the Information Commissioner to deal with.

So… is it a problem? And if so, what do we do about it? Answers on a postcard, please…

[Something you’d like to get off your chest? Email me (Robin Jones) at eo@iap.org.uk.]
