Last week, Coca-Cola revealed it had 55 laptops stolen over a six-year period by an employee who happened to be responsible for the disposal of the equipment. Inadequate security controls enabled a trusted insider get away with stealing so much equipment for so long.
Here are seven steps that Coca-Cola should take in order to prevent a similar breach from occurring again.
- Treat Disposal as an Inevitable Incident
- Realize Encryption is Not a Silver Bullet
- Outsource Inventory Reconciliation
- Use Disposal Tags
- Destroy Data Before a Move
- Don’t Let the Fox Watch the Hen House
- Remember to Test Controls
Coca-Cola is famous for security safeguards, but these steps are not obvious. Since every organization is at risk, let’s look at each in more detail.
Consider Every Disposal Project an Inevitable Incident
Privacy laws mandate that an organization detect data security incidents and disclose breaches. The theft of an IT asset can result in headline-grabbing news.
Thankfully, not every asset is stolen during its lifecycle. But at some point, every asset will be retired. The moment an asset is taken off the network, or is decommissioned, it becomes more vulnerable to theft. Because of the potential for release of protected information, it is wise to consider every IT asset disposition (ITAD) project as if it were an inevitable security incident.
Today, most large businesses rely on expert assistance with ITAD. Frequently, retired assets are transported to vendor facilities to be processed and sanitized.
During this process, security incidents occur at three different points; before an asset is shipped, during transit, and at the disposal vendor.
Regardless of the specific process an organization uses for ITAD, if an actual security incident were to occur, the subsequent investigation would examine two types of evidence: Chain-of-custody and data destruction.
Whenever an incident occurs, an obligation is created to prove there was not a breach. Evidence of data destruction and/or chain-of-custody is required to prove an ITAD incident was not a breach.
Considering each ITAD project an incident, and requiring compelling evidence for an investigation, is a valuable exercise. It will ensure the organization adopts adequate safeguards to prevent and detect an actual privacy breach.
Recognize that Encryption is Not a Silver Bullet
Today, it is foolish not to encrypt laptops and other mobile assets. However, it is equally as important to recognize that encryption is not sufficient for successful ITAD.
First, organizations retire more than laptops. ITAD involves computers, servers, printers, networking gear, display units, and countless other types of electronic assets for which encryption is not always possible or practical.
Second, encryption does not eliminate the need to detect and investigate incidents. When a data-bearing asset is shipped to a vendor, there is a real possibility that asset could be lost or stolen in-transit. If an asset goes missing, it is a security incident, regardless of encryption.
Whenever an incident occurs, there must be convincing evidence showing the missing asset could not contain recoverable data. This is why encryption can be very helpful. Evidence of encryption can keep an incident from becoming a breach. Encryption cannot stop an incident from occurring.
Outsource Inventory Reconciliation
Until you prove a disposal vendor has an asset, you are responsible for it. Unless you prove it, your organization is exposed. If no evidence exists to positively prove an asset was indeed received by a vendor, that asset must be presumed lost or stolen.
Proof of possession requires chain-of-custody evidence. The most common method used to track asset custody is reconciling disposal inventories by matching manufacturer serial number. Easier said than done.
If someone can steal 55 laptops over six years, Coca-Cola was not reconciling, or the method was flawed.
Today, the mundane task of reconciling belongs to the IT asset manager. This exercise goes unobserved and unappreciated. When a costly breach occurs, chain-of-custody suddenly becomes critical. The unappreciated instantly becomes indispensable. And the exact methodology used to reconcile gets scrutinized under a legal microscope.
Manually matching serial numbers is inefficient. Spreadsheet reconciliation is time-consuming and tedious. Moreover, the results of manually reconciling can be subjective and impossible for someone else to verify, without redoing the entire thing. And if something gets missed, it’s all on you.
A far better approach is to outsource reconciliation to an independent 3rd party that provides automated rules-based reconciliation. Outsourcing ensures objectivity and eliminates conflicts-of-interest.
Reconciling inventories is not sexy, but it is critical for governance, risk, and compliance. Unless inventory reconciliation is a core capability of your organization, and measures are taken to ensure objectivity, it is wise to let the pros do it for you.
Use Disposal Tags
Matching manufacturer serial numbers is not only inefficient, it is also terribly ineffective. To achieve any success with serial number matching requires accurate and complete disposal inventories – something very few organizations have. It also requires the vendor capture correctly asset identifies. Again, something difficult to achieve.
On average, 40% of inventories captured by disposal vendors contain errors (e.g. duplicates, missing or incomplete identifiers, etc.). Both employees and vendors make mistakes, which is why fewer than 50% of serial numbers are successfully matched.
In an effort to “improve” tracking results, organizations often take a dangerous shortcut. It is common practice to share serial numbers with disposal vendors. In turn, vendors are then asked to verify the list. Sharing serial numbers with a vendor is like a teacher giving answers to a student. Teachers don’t give answers to students for a reason.
Disposal tags provide a far more effective way to track assets and prove chain-of-custody. Bar-coded disposal tags easily increase tracking to 98%, or higher.
Equally as important, disposal tags deter employee theft – something pertinent to Coca-Cola incident.
Destroy Data Before Any Move
The simple fact is 99% of ITAD problems happen before a vendor touches the equipment. Employee theft is a common occurrence. There is an expression in the industry: Laptops have legs.
Working with a certified electronics recyclers is essential, but like encryption, it is not a silver bullet. Unfortunately, no vendor can sanitize a hard drive inside a laptop it never receives.
Misleading marketing claims by disposal vendors give uninformed organizations a false sense of security. Vendors claim they accept “full responsibility” for equipment and data security at the point of pickup. Sadly, that is not truthful. A close examination of the facts shows the dubious nature of these claims.
First, if an asset is lost or stolen in transit, liability is capped by federal law. The Carmack Amendment allows carriers to limit their liability, regardless of how valuable it might be. If an asset is stolen in transit, don’t expect to receive more than pennies on the pound unless a vendor feels charitable.
Second, if an incident happens after equipment is received, any remuneration would be limited by the contract (typically one million dollars). There has never been a case where a disposal vendor paid out for a privacy breach. I supposed it could happen, so let’s assume you could collect. Any value recovered would not come close to compensating for all the damages associate with a privacy breach.
Without a doubt, it is wise to require a disposal vendor to destroy data. Most are very good at it. But this activity should be considered a secondary security measure.
Relying solely on a disposal vendor for data destruction is dangerous. It is akin to believing a motorcycle helmet can save you from a crash. A helmet ensures you have an open casket, but you are still dead.
Don’t Let the Fox Watch the Hen House
A critical aspect of every major data security law is to minimize segregation of duties conflicts that create opportunities for theft and fraud. The focus to-date has been on access privileges; but as we see with the incident at Coke, inherent conflicts-of-interest exist with ITAD programs as well.
The sad fact is that some IT professionals seem to secretly wage an assault on chain-of-custody control. Their primary complaint is that implementing proper procedures would result in more work for their already stretched staff.
Many IT professionals do not want the added responsibility of asset management. Some also have a perverse incentive to avoid detection because they could be exposed for actually benefiting from this security gap. It is IT pros who are most often the direct beneficiary of “borrowed” assets.
When an organization implements a process to independently verify chain-of-custody, there is accountability. Losses can’t be swept under the rug. Employees can no longer take equipment without detection, nor can they claim they didn’t know equipment went missing.
Test Security Controls
The term “safeguard” is a synonym for countermeasure. In security-speak, this means internal control. There are two basic types of internal control: preventive and detective.
An example of a preventive control is the lock on the vault that contains Coke’s secret formula. The alarm on the vault door would be a detective control.
Effective security involves testing controls. Trusting an alarm works without testing is just asking for trouble. Public service messages remind us to change batteries in our smoke alarms every six months. It is prudent to push the “test” button, too.
Successful ITAD demands several safeguards. Discussing each one in detail is beyond the scope of this post. Since the Coca-Cola incident was the result of two major control failures, we’ll focus on those two.
At Coke, there was a failure to detect an employee “borrowing” assets for six years. There was also a failure to verify that all laptops were encrypted as required by corporate policy.
As discuss above, detecting a missing asset requires a robust reconciliation process. A very simple, very effective test of this control is to include a fictitious asset on every disposal inventory. Just make one up.
When an independent reconciliation is performed, this dummy asset should get flagged as missing or untracked. You have a major problem if the vendor reports that it received the fictitious asset. The student cheated on the test (and they didn’t realize they had the wrong answers).
Also discussed above is how encryption can keep an incident from raising to the level of breach. Coke had a policy of encryption. Unfortunately, this policy blinded managers to the risk of insider theft. For a policy to be effective, it too needs controls.
A very simple, very effective control is to verify data is secured or destroyed on all assets prior to disposal. Disposal inventory typically include basic information about retired assets (e.g. make, model, serial number). Disposal inventories should also include evidence of encryption and/or proof of data sanitization. Require each asset record also have notes detailing exactly how the data is secure or destroyed (e.g. an erasure report ID).
You must be confident an alarm will sound when you need it. Testing is easy. Trusting means trouble.
IT asset disposition is the weakest link in data security. When evaluating sufficiency of their ITAD policies and procedures, organizations must be mindful of potential administrative fines, remediation expenses, and the possibility of punitive privacy class action litigation. By following the seven steps outlined above, organizations can prevent costly ITAD breaches from occurring.