Last Friday, Coca-Cola revealed it had recovered 55 stolen laptops taken over a six-year period by an employee who happened to be responsible for the disposal of the equipment. The breach affected 70,000 current and former North American employees.
Headlines around the world read “Coca-Cola suffers data breach after employee ‘borrows’ 55 laptops.”
Coca-Cola is famous for security safeguards. It has kept the secret formula of Coke safe for more than a century.
How could a trusted insider get away with stealing so much equipment for so long? The answer is simple: Inadequate security controls around Coca-Cola’s IT asset disposition process.
Coke, like every large organization, constantly replaces outdated laptops, computers, servers, and countless other types of electronic devices. Because retired equipment still contains sensitive data, organization must have adequate safeguards for the entire process of IT asset disposition (ITAD).
As this breach revealed, ITAD is full of hidden hazards. Without adequate controls, employee theft and recycler fraud can go undetected. “Safeguard” is a synonym for countermeasure…in security-speak, this means internal control. There are two basic types of internal control: preventive and detective.
A lock on a door of the vault in the Coca-Cola corporate museum is an example of a preventive control. An alarm system on the vault door would be considered a detective control.
Coke may have had detective controls in place. However, they were adequate. They overlooked an essential aspect. A critical aspect of detective control is separation-of-duties. It appears Coke let the fox watch the hen house.
Organizations must minimize conflicts that create opportunities for theft and fraud. Security incidents go undetected when an organization relies on employees to self-report incidents. Naturally, employees tend to report self-serving interpretations, especially when facts could make them look bad (or they are stealing the equipment).
Without adequate detective controls, Coke executives were blind to the security incidents for years – a victim of trusting too much.
Senior management needs to be non-credulous when it comes to ITAD. Trust, but verify.