There is an ongoing communication campaign for a big interim company on the Belgian radio stations. The message they are broadcasting is: “Do not rely on your company's physical assets but more on people”.
And they are right! People are the most important asset of a company. Even if you, as a manager, have the best infrastructure, the best tools and the best applications, all of them are operated by… people! If a server crashes or a production machine breaks, it can easily be replaced. But people…
The same principle applies to IT security. What are the most important assets? Data! Your servers, your firewalls and your switches can easily be replaced by spare ones, but data can't! Your security policy must protect your data.
Here is a very scary example not to follow. My wife's company will move this weekend to a new location. The move has been prepared by professional movers for a while. On the last day, managers asked all team members to take their own desktop PC home for the weekend and bring it back to the new location on Monday. The reason invoked is a financial one: moving PCs would require extra costs.
So, my wife arrived home with her corporate PC. It was too tempting… My bootable BT4 USB key inserted, and let's go!
- No BIOS password
- No protection to prevent booting from an alternative device
- No disk encryption
I didn't boot the PC's own system, to prevent any change on the file systems; I just read them. Even if they have network shares, documents are still stored on the local disk, and mail folders are also stored locally, with very nice information to conduct a social engineering attack, and much more.
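The three missing controls above are easy to audit before a machine is allowed to leave the building. The check below is an added example and not part of the original post: it reads the JSON output of Linux `lsblk` (a constructed sample is embedded, no real machine was captured) and reports which mounted filesystems sit on plaintext storage, i.e. which would be readable by simply booting from a USB key as described above. A mount counts as encrypted only if a dm-crypt (`crypt`) device sits between it and the physical disk; the `/boot` exclusion list and the function names are assumptions of this example.

```python
import json
import subprocess

# Constructed sample of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output
# (not captured from any real machine): root volume on top of a LUKS container.
ENCRYPTED_HOST = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
    {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}
    ]}
  ]}
]}
""")

# Constructed sample of a machine like the one in the post: plain partitions, no encryption.
PLAIN_HOST = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "fstype": "ext4", "mountpoint": "/"},
    {"name": "sda3", "type": "part", "fstype": "ext4", "mountpoint": "/home"}
  ]}
]}
""")


def audit_mounts(lsblk_json):
    """Return {mountpoint: encrypted} for every mounted filesystem in an lsblk JSON tree.

    Walks the device tree; a mount is considered encrypted when it, or any
    ancestor device, is a dm-crypt ("crypt") node. Handles both the older
    "mountpoint" field and the newer "mountpoints" list emitted by util-linux.
    """
    result = {}

    def walk(dev, under_crypt):
        under_crypt = under_crypt or dev.get("type") == "crypt"
        mountpoints = dev.get("mountpoints") or [dev.get("mountpoint")]
        for mp in mountpoints:
            if mp:
                result[mp] = under_crypt
        for child in dev.get("children", []):
            walk(child, under_crypt)

    for dev in lsblk_json["blockdevices"]:
        walk(dev, False)
    return result


def unencrypted_data_mounts(lsblk_json, ignore=("/boot", "/boot/efi")):
    """Mountpoints that hold data on plaintext storage, boot partitions excluded.

    An empty list means every data-bearing filesystem is behind dm-crypt;
    anything else is readable offline by booting an alternative device.
    """
    return sorted(mp for mp, enc in audit_mounts(lsblk_json).items()
                  if not enc and mp not in ignore)


if __name__ == "__main__":
    # Live run on the current Linux host (requires util-linux's lsblk).
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
                         capture_output=True, text=True, check=True).stdout
    exposed = unencrypted_data_mounts(json.loads(out))
    print("unencrypted data mounts:", exposed or "none")
```

Running this as part of a pre-move checklist turns "no disk encryption" from an after-the-fact discovery into a blocking finding; the BIOS password and boot-order checks have no portable equivalent and remain a manual (or management-agent) item.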
My wife's company is a big player in its domain and must respect NDAs with customers and partners. What is the risk estimate of having ~100 PCs outside the security perimeter, with direct local access? What if one of them got stolen during the weekend?