I regret to report that computer security and the security of personal and private information have not significantly improved since I wrote an article on the subject (“Private data loss recipe for disaster,” 6-25-06) over a year ago.
Perhaps you remember hearing last year about the theft of a laptop computer from the home of a Veterans Administration employee. The laptop contained the private information of 26.5 million US veterans and active-duty members. The stolen information was not encrypted or otherwise protected in any way. Now, over a year later, a recent study reported by the widely respected SANS Institute shows that 52 percent of government employees using laptop computers still have not received any data security training. 58 percent of federal workers who are not official telecommuters still work at home, many using their own, less secure computers. 41 percent of those who are not official telecommuters log on to government systems from home.
The local-government and private sector security situation also remains about as bad as it was a year ago. Reports of security breaches, hacked networks, data loss and identity theft keep pouring into my Inbox. One recent report comes from the city of Carson, California. Using a keylogging program (which makes a record of every key that’s pressed on a keyboard) that had “somehow” been installed on the laptop computer of City Treasurer Karen Avilla, cyber-criminals managed to remove $449,000 from city bank accounts before being discovered and shut down.
It’s fair to ask how a keylogger came to be installed on Avilla’s laptop. Avilla admitted to logging into the city’s bank accounts while using her laptop in the field and at home over less-than-secure wireless networks. She also said that she doubted if the laptop “had the latest security software patch protections.”
It’s also fair to ask, will Avilla be penalized for her computer stupidity? Will any Carson city employee be fired, fined or demoted for failing to have enforceable data security policies in place? Probably not, as Avilla’s own words indicate that she is still in denial about the real cause of the problem. According to The Los Angeles Times, Avilla said that the experience “has made her angry and determined to seek legislation that would address the problem.” However, I wonder if she would support legislation calling for her dismissal from office for being such a computer-security idiot?
Until businesses, governments and their employees are held individually accountable for their lackadaisical attitudes towards computer security, nothing will change. People should be fired, fined, demoted, sued or thrown in jail when data breaches occur.
I personally know of a prominent local law firm that has at least six computers on its network running bootlegged copies of Windows XP. As such, these computers cannot be properly secured, turning the firm’s entire network into a sitting duck just waiting to be shot down or taken over. I thoroughly explained everything to the firm’s boss almost a year ago, and his actions indicate that he, too, is in denial about the seriousness of the situation. It may take a lawsuit to wake him up. Or, perhaps someone will rat him out to industry anti-piracy groups and collect a big, fat reward.
It’s sad that some people have to be whacked over the head before they will do the right thing; but, if that’s what it takes, then that’s what it takes. If the computer security situation is ever to improve, then the general public needs to get to whacking.