$1 billion lost from information stored on a single thumb drive

Monday, June 6, 2011

Protecting a company's assets is getting far more complicated. Physical security professionals have to worry about much more than protecting physical assets; they also have a critical role in protecting electronic assets. I just read an interesting article from CNN about the cost of cybercrime. Here's the gist:

A few years ago a disgruntled employee for a large multinational automotive firm left the company -- but when he walked out the door, he also walked out with plans for a new car model under development on a cheap USB drive.

When the plans were leaked, the cost to the company was an estimated $1 billion in lost sales and increased research and development costs.

Yep, you read that right: $1,000,000,000. All on a single thumb drive.

When the Wikileaks story came out, I talked to several security professionals about the role of physical security practitioners in this increasingly IT world in this SDN article.

“First and foremost these recent events should be a wake-up call for organizations to make sure they understand where their data is, what is sensitive data, and who has access to it,” said Steve Salinas, product marketing manager of the forensic business unit for Guidance Software, a provider of digital investigations.

And security professionals must remain vigilant about employee behavior. Is someone coming in on weekends when they've never done that? Is an employee exhibiting strange behavior? Strong collaboration throughout an organization is really the key. Human resources needs to talk to security about possible "disgruntled" employees and security needs to talk to IT about it, too. Is there a correlation between their physical behavior and their electronic behavior?

Policy is also important. In this same SDN article, Jon Oltsik, principal analyst for Enterprise Strategy Group, a full-service IT analyst and business strategy firm, said companies should use the principle of least privilege, meaning only those who need access to certain information have it, and those who don’t need it don’t have access. Here's more:

It’s also important for a company to limit the number of people who have access to critical information. Then, once those privileges are determined, organizations should monitor what employees are doing with the information. Are they saving information to laptops unnecessarily? Are they transferring information to thumb drives? It’s also important to set up controls. For example, a company should set up controls so that employees can’t email certain types of files to email addresses outside of the company, or so that only approved USB drives can be inserted and used to transfer information on company computers.

Does your company have these types of controls in place?

Physical security and IT folks will be mingling at ASIS

Thursday, February 24, 2011

Just last week, I wrote about the convergence between IT and physical security after Gareth Webley, the keynote speaker at TechSec Solutions, discussed his effort to consolidate security and IT during his tenure as the chief security officer of National City Corporation.

Well, apparently everyone wants to jump on board. I just received a press release from ASIS International announcing that this year's conference in Orlando (Sept. 19-22) will co-locate with (ISC)², a large membership body of certified information security professionals. (ISC)² (not to be confused with ISC West and ISC Solutions) will hold their first annual Security Congress in conjunction with ASIS International. According to the release, the two associations will share educational programming, which I think could be great for security practitioners who may feel intimidated by IT folks and their techie talk.

Why did ASIS make this move? Here's what Ray O'Hara, the president of ASIS, has to say:
“This agreement reflects the rapidly evolving, converging roles of the information security and traditional security professionals within the global business marketplace,” stated O’Hara. “By strategically aligning our organizational resources, our combined memberships of more than 100,000 professionals gain access to core knowledge and best practices across the full spectrum of information and traditional security. The opportunity to connect with one’s security counterpart and to build a solid practitioner network is one of the most valuable benefits to be derived from this relationship.”

It seems fair to say that the more physical security practitioners know about the world of IT, the more valuable they will be to their respective organizations. I'll be leaving room on my schedule to check out some of these educational programs - you should, too.

'Guns and alcohol are not a good mix'


COLUMBUS, Ohio—The Ohio Senate on May 27 passed legislation that would allow conceal-carry permit owners to carry their firearms into establishments that serve alcohol. Ohio Senate Bill 239 was approved 23-10 and now heads to the Ohio House for a vote.