Futile Frameworks
Compliance management and IT governance 'frameworks' make great stories - but don't bet the ranch
May 18, 2007
3:35 PM -- They say doctors make the worst patients. Could the same be true for security vendors?
In the last couple of weeks, Dark Reading has posted stories on three separate incidents in which a company that provides security products and services has been breached itself. What's remarkable is that, in all three cases, they were dumb, unsophisticated breaches – the kinds of mistakes you would expect from companies that know little about IT security.
Wednesday, IBM revealed that one of its contractors had lost several storage tapes containing sensitive employee records. It seems that the tapes in question somehow fell off a truck on its way to a remote storage facility in Westchester County, N.Y. (See Five Security Flaws in IPv6.)
The story would be ho-hum if it didn't involve IBM, one of the world's top sellers of both storage and security products and services. Shouldn't the company that secures and/or backs up data for most of the Fortune 100 know how to handle its backup tapes?
OK, you say, even monkeys fall out of trees. Well, how about the Transportation Security Administration, which last week revealed that it had lost a laptop containing over 100,000 employee records? Here's an organization that handles and scans thousands of laptops every day in airports all over the country. Yet it can't keep a single machine containing thousands of employee records from escaping a location it describes as a "controlled area"? (See TSA Loses 100,000 Employee Records.)
And it doesn't end there. Less than two weeks ago, the SEC reported that Wireless Facilities, a public company that offers wireless security systems and engineering services, was almost fleeced for more than $7.7 million by its former stock options administrator. Seems the company gave the administrator full rights to the stock option software, without putting any checks in place, and he simply routed more than 700,000 shares of stock to his wife's account. (See SEC: WFI Insider Stole $7.7M.)
There's a part of me that's sympathetic to these security companies. After all, they're businesses, too, and all companies have at least a few people who don't care enough to follow proper security procedure.
But the sheer boneheadedness of these particular breaches makes a bigger part of me wonder whether I would want to do business with these companies again. When I hear about rats at Taco Bell or poison in my cat's food, I don't buy that stuff anymore, at least for a while. It's human nature – you trust a company to do something, and if they do the opposite, you have to lose at least a little bit of that trust.
If these companies had been hit by some sort of brilliant zero-day attack, that would be one thing. But they weren't. They were breached because somebody in their shops didn't follow the most basic rules of security. They were sloppy, and they got burned for it.
If they were doctors, I'd be looking for a new one right now.
— Tim Wilson, Site Editor, Dark Reading
IBM Corp. (NYSE: IBM)
Wireless Facilities Inc. (Nasdaq: WFII)