WHILE MUCH of the media and many CIOs/CEOs get hot under the collar about the cloud and BYOD, they appear generally calm about their people using secure mobile phones and virtual private network (VPN) connections from PCs at business drop-in centres, clubs, hotels and airport lounges. After all, their people have direct and secure access to files on company servers, or some form of drop box, and they have been briefed and trained on security. So what could go wrong?
I was recently in London and had occasion to meet someone in a drop-in facility. It was rather swish with all the latest gadgetry and every facility I required seemed available, including lots of Wi-Fi and LAN bandwidth. As it was early morning and I had a few minutes to spare, I decided to check out their newest machines. Within five clicks, I chanced upon a document that should have been deleted. It was a job application, complete with all company details, employment history, skill set, email and phone numbers.
Another four clicks turned up a resignation letter from an employee of one of the top City players. This prompted me to start searching any available machine by date, topic and application. What I found was both astonishing and worrying. Possibly my biggest hit was the complete drop box of someone working for a large financial trading operation. I have no way of knowing for sure, but it looked to be pretty complete, and included several drafts of their business plans for 2013.
It just got better and better, with one file after another detailing expense accounts, commission calculations, sales figures, customer relationships, projected turnover and sales figures, prospects and ongoing deal negotiations. Probably the prize item was a pending merger and acquisition proposal complete with figures and five-year projections. This treasure trove of inside information seemed endless and increasingly wide and deep.
After about 30 minutes of probing, my meeting started and I had to leave this voyage of discovery with an image of the CIO/CEOs of these companies resting on the sure knowledge that they had a strong firewall, the latest malware protection and secure VPN access for all their senior people and road warriors. And I must admit I was left pondering the apparently limitless opportunities to be bad. Just imagine what you could do with these figures, plans and M&A knowledge. This seemed to be a dream come true for an inside trader or blackmailer.
For anyone reading this and recognising these descriptions, there is good news: I am not an inside trader or blackmailer. The bad news is that someone else might have stumbled across all this, and that person might not be so honest. Some of the material had been created on these machines within days of them being installed, while other items had been downloaded for reading and/or editing, checking, additions and approval.
After my meeting, I found myself with a dilemma: do I go back and delete all these files, or do I do nothing? I might be right or wrong, but it seemed to me that deleting someone’s files without warning should not be my course. So I decided to do two things: first, to write this column and advertise this laxity of corporate behaviour, and second, to write to the CEO of the drop-in centre to suggest a nightly ‘delete all files’ routine (with an advertised warning) as well as a ‘secure vault’ facility.
My third suggestion would add even more value: all finance directors (FDs) need to push for automatic encryption of important company files whenever their road warriors and managers use them. When people travel IT-light they will need to borrow a PC, and we should assume that they will make mistakes, become lax and leave a trail of data as they traverse the planet. In short, a VPN protects the connection, not the copies left on a borrowed machine’s disk; security training is quickly forgotten; but automation is far less likely to let you down.
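The nightly ‘delete all files’ routine suggested above, as an added example written for this column and not anything the drop-in centre actually runs. It is a POSIX shell script for a Linux or BSD kiosk: everything a guest leaves under a shared directory is overwritten and removed once it is older than a grace period, an opt-in ‘vault’ directory per user is the only thing spared, and each removal is logged. The directory layout, the vault name, the grace period and the log path are all assumptions for the example; a Windows kiosk would need the same logic in PowerShell.

```shell
#!/bin/sh
# Nightly "delete all files" routine for a shared drop-in PC, as an added
# example for this column (not the drop-in centre's own tooling). Everything
# a guest leaves under SHARED_ROOT is overwritten and removed once it is older
# than a grace period; only an opt-in "vault" directory per user survives.
# All paths and names below are assumptions for the example.

SHARED_ROOT="${SHARED_ROOT:-/srv/shared-pc/users}"   # where guest sessions save files (assumed layout)
VAULT_NAME="${VAULT_NAME:-vault}"                     # opt-in directory that survives the wipe (assumed)
GRACE_MINUTES="${GRACE_MINUTES:-120}"                 # leave files this fresh alone: a session may still be running
LOG_FILE="${LOG_FILE:-/var/log/shared-pc-wipe.log}"   # audit trail of what was removed (assumed path)

# Append one line to the audit log; fall back to stderr if the log is not writable.
log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG_FILE" 2>/dev/null \
        || printf '%s\n' "$*" >&2
}

# Overwrite one file in place, then unlink it, so the content is not left for
# an undelete tool. Prefers shred(1); falls back to a single zero-fill with dd.
wipe_file() {
    f="$1"
    if command -v shred >/dev/null 2>&1; then
        shred -u -n 1 -z -- "$f"
    else
        size=$(wc -c < "$f")
        dd if=/dev/zero of="$f" bs=4096 count=$(( (size + 4095) / 4096 )) 2>/dev/null
        rm -f -- "$f"
    fi
}

# Walk ROOT, wipe every regular file older than GRACE minutes that is not
# inside a vault directory, drop the empty directories left behind, and print
# the number of files wiped. Needs find(1) with -mmin and -empty (GNU or BSD).
# File names containing a newline are not handled by the list-file approach.
nightly_wipe() {
    root="${1:-$SHARED_ROOT}"
    grace="${2:-$GRACE_MINUTES}"
    count=0
    [ -d "$root" ] || { echo "nightly_wipe: no such directory: $root" >&2; return 1; }
    list=$(mktemp) || return 1
    # -prune stops find descending into vault directories; everything else
    # that is a regular file and older than the grace period is listed.
    find "$root" -type d -name "$VAULT_NAME" -prune -o \
         -type f -mmin +"$grace" -print > "$list"
    # Read the list in the current shell (not a pipe) so $count survives the loop.
    while IFS= read -r f; do
        if wipe_file "$f"; then
            count=$((count + 1))
            log "wiped $f"
        fi
    done < "$list"
    rm -f -- "$list"
    # Empty per-user directories still reveal who was here; remove those too.
    find "$root" -mindepth 1 -depth -type d ! -name "$VAULT_NAME" -empty \
         -exec rmdir -- {} + 2>/dev/null || true
    log "nightly_wipe finished under $root: $count file(s) wiped"
    echo "$count"
}
```

Run it from cron in the small hours, with the advertised warning on the login screen, and keep the vault on encrypted storage. Overwriting is best effort on journaling file systems and SSDs, which is one more reason the column's third point stands: the reliable control is encryption applied automatically on the user's side, not a clean-up the kiosk owner may or may not perform.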
Peter Cochrane is an IT consultant and former chief technologist at BT