Saturday, May 31, 2008
Does that headline get your attention? Computer World has published an article in their online magazine about random computer searches conducted at our borders. Lawyers have taken the fight that this violates peoples rights and circuit courts are holding that border agencies do have the right to search the laptops of any travelers crossing the boarder. Does this really raise an alarm within the security community, or is the article based on fears of privacy invasions?
I’ll leave the last part of question for the courts, and gladly use the article as a good training resource for security managers and executives. The first implication is that this activity should not be surprising. Anytime an employee travels abroad, they SHOULD expect to be liberated from your computer at the host country’s customs. They should also expect to have the hard drive duplicated, files read and etc. These are the contingencies for which astute security specialists plan.
As with all bad news (hopefully this is not news to you) the best place to begin change is by facing the facts. Other people want your information. Now that that's out, security professionals have the task of making the information very difficult to get. However, we spend too many resources on actions that don’t address the real threat. For example physical security efforts may focus on fortifying businesses with barriers, alarms, access control, cameras and etc. One would think that the threat is foreign agents breaking in to physical locations to steal secrets and technology. Good luck finding a news source reporting that kind of crime. Risk assessments indicate that technology is leaked through careless or malicious employee behavior.
Develop a culture within your company to affect the right behavior or at least prevent unauthorized disclosure of economic, classified or sensitive information. Destroy waste properly, lock all desk and cabinets drawers after work, and use access control to keep employees, vendors and janitors from accessing unauthorized areas.
Now, back to the borders. Employees having computers searched by US Customs means one thing…they are returning from overseas travel. The biggest question should address what was taken overseas and who else had access. The least of the problems is the news that U.S. Government Agencies are accessing computers.
So, what can we do? Prior to employee travel anywhere, download company information or prepare special travel computers with only the information they need to conduct business at hand (make sure the information is authorized by license or agreement with the State Department or Commerce Department to prevent an exports violation).
Hopefully this article has addressed how to focus security resources. Know the facts, gather information and address the real threats. Constructing a fortress won’t protect your information if it’s being thrown out with the garbage. Computer World has made a good report, however the security manager should recognize that the only way U.S. Customs searches is because we are either leaving or entering the U.S. If this event is causing concern, then we must have been asleep during the advent of international business travel.