Drop-in centres provide a treasure trove of inside information

WHILE MUCH of the media and many CIOs/CEOs get hot under the collar about the cloud and BYOD, they appear generally calm about their company using secure mobile phones and virtual private network connections to PCs at business drop-in centres, clubs, hotels and airport lounges. After all, their people have direct and secure access to files on company servers, or some form of drop box, and they have been briefed and trained on security. So what could go wrong?

I was recently in London and had occasion to meet someone in a drop-in facility. It was rather swish with all the latest gadgetry and every facility I required seemed available, including lots of Wi-Fi and LAN bandwidth. As it was early morning and I had a few minutes to spare, I decided to check out their newest machines. Within five clicks, I chanced upon a document that should have been deleted. It was a job application, complete with all company details, employment history, skill set, email and phone numbers.

Another four clicks turned up a resignation letter from an employee of one of the top city players. This prompted me to start searching any available machine by date, topic and application. What I found was both astonishing and worrying. Possibly my biggest hit was the complete drop box of someone working for a large financial trading operation. I have no way of knowing for sure, but it looked to be pretty complete, and included several drafts of their business plans for 2013.

It just got better and better, with one file after another detailing expense accounts, commission calculations, sales figures, customer relationships, projected turnover and sales figures, prospects and ongoing deal negotiations. Probably the prize item was a pending merger and acquisition proposal complete with figures and five-year projections. This treasure trove of inside information seemed endless and increasingly wide and deep.

After about 30 minutes of probing, my meeting started and I had to leave this voyage of discovery with an image of the CIO/CEOs of these companies resting on the sure knowledge that they had a strong firewall, the latest malware protection and secure VPN access for all their senior people and road warriors. And I must admit I was left pondering the apparently limitless opportunities to be bad. Just imagine what you could do with these figures, plans and M&A knowledge. This seemed to be a dream come true for an inside trader or blackmailer.

For anyone reading this and recognising these descriptions, there is good news: I am not an inside trader or blackmailer. The bad news is that someone else might have stumbled across all this, and that person might not be so honest. Some of the material had been created on these machines within days of them being installed, while other items had been downloaded for reading and/or editing, checking, additions and approval.

After my meeting, I found myself with a dilemma: do I go back and delete all these files, or do I do nothing? I might be right or wrong, but it seemed to me that deleting someone’s files without warning should not be my course. So I decided to do two things: first, to write this column and advertise this laxity of corporate behaviour, and second, to write to the CEO of the drop-in centre to suggest the implementation of a (with advertised warning) nightly ‘delete all files’ routine as well as a ‘secure vault’ facility.

My third suggestion would add even more value: All FDs need to push for automatic encryption of important company files when used by their road warriors and managers. When people travel IT-light, they will need a PC, and we should assume that they will make mistakes, become lax, and leave a trail of data as they traverse the planet. In short, a VPN guarantees nothing and security training is quickly forgotten, but automation is far less likely to let you down.

Peter Cochrane is an IT consultant and former chief technologist at BT