10 common security ailments and 10 practical remedies
ChoicePoint’s Bad Choice
The Hole | Criminals posing as small-business owners accessed the information—names, addresses and Social Security numbers—of 145,000 ChoicePoint customers.
The Problem | Call it what you will—fraud, "social engineering," the Kevin Mitnick effect—this was one really glaring example of how these kinds of attacks are plaguing companies. Lobel says commercial enterprises could improve when it comes to training users about social engineering—hackers targeting well-meaning users over the phone or Internet to obtain private information such as passwords. "We’re always going to find somebody who doesn’t know what they shouldn’t be doing," he says.
The Solution | CIOs should make sure that both users and customers are adequately trained in how to recognize and respond to phishing and other related attacks—especially before they go out and hire a company such as PwC to audit their user base. "[CIOs] should spend their money on a [training] program rather than on testing," Lobel says. ChoicePoint claims that it has strengthened its customer-credentialing procedures and is re-credentialing broad segments of its customer base, including its small-business customers.
Loose Laptops
The Hole | On April 5, MCI said that an MCI financial analyst’s laptop had been stolen from his car, which was parked in his home garage. That laptop contained the names and Social Security numbers of 16,500 current and former employees.
The Problem | In many recent cases involving laptops, the computer’s security was handled by a Windows log-on password. "It’s getting easier for even the more casual criminal to find out how to break into the laptop," says Forrester’s Friedlander. "There’s more awareness that the information is valuable." Plus, the data in many of these recent incidents wasn’t encrypted. (MCI won’t say whether the stolen laptop was encrypted, just that it had password protection.) According to Friedlander, encryption adoption is much lower than firewall adoption because encryption historically has had performance issues (it slows the computer down) as well as usability issues (users are often confused about how to encrypt the right data). In a recent Forrester survey, 38 percent of respondents said they have no plans to deploy encryption tools. Ouch.
The Solution | CIOs need to do some classic risk management, says Friedlander, and ask themselves: What is the information on the system that I care about the most? Who’s connected to a network where I might be exposed? And then they should create or revise their security policies based on that assessment. For example, if a laptop has customer information on it that would kill the company if it got into a competitor’s hands, then the CIO should ensure that encryption was turned on. Users need to understand "why these policies and technologies are in place that may seem inconvenient, but why they do matter," says Friedlander. "If they realize the implications, most people will want to act." If the information on another laptop is less critical, then more basic security measures, such as strong passwords, can be used, he says.