I'd like to start by thanking you for taking the time to read this article. While we routinely deliver the substance of this topic to our clients, not enough people see it. Hopefully you and your firm will reap the benefits of awareness.
Information security addresses the need to store and convey confidential or proprietary information in a secure manner and protect it from the prying eyes and ears of competitors. Its greatest application is in the business world. The examples used here are mainly the result of our work with the oil, brokerage, and legal communities in Western Canada.
Information loss can occur in a variety of ways, but it is typically the result of either unsecured storage of sensitive information or its transmission over unsecured communication links.
We've lost count of the number of times that we've found drilling reports or financial data disks on our clients' desks after hours, or computers left logged onto the network. Anyone with legitimate access to the office can copy or steal the information. Legitimate access can come in various forms, from the under-paid security guard or building cleaner to the maintenance person. In these trying economic times, there are many under-employed people who are computer literate.
While drilling superintendents, members of the legal profession, and others are acutely aware of the high cost of information loss, they occasionally lose sight of the over-riding need to place a higher priority on security than on speed. The result of haste is often loss of bargaining position, increased costs, or the loss of a land sale purchase when sensitive information falls into the hands of a competitor.
Common examples of unsecured communication links are drilling results faxed or conveyed by voice over Aurora (cellular 400) radio systems, discussion of sensitive information over cellular 800 telephones, and the increased use of facsimile machines.
Any wireless medium is essentially a radio station broadcasting the conversation. The range can be anywhere from a few blocks in the case of a cordless phone to dozens of kilometers in the case of cellular 400 and 800 phones. Scanners capable of monitoring wireless conversations are readily available from electronic stores such as Radio Shack. While these scanners are unable to determine the originating number, there are generally enough clues in the context of the conversation to identify at least one of the participants. More sophisticated cellular monitoring equipment is available that will literally allow an eavesdropper to enter a cellular telephone number in a software program, and capture only those calls into or out of that specific cell phone. Scary stuff!
Fax machines are a further prime source of information leaks. They are often the target of commercial espionage, since they are a concentrated source of important information that must be conveyed quickly. They use ordinary telephone lines and are easily wiretapped. It is a simple matter to tape record fax transmissions or directly connect a fax modem and capture incoming and outgoing faxes on a PC.
The growing use of electronic mail (email) sent via networks such as the Internet opens up a whole new field of abuse. It is completely unsecured. Transmitting email without the use of encryption is the equivalent of publishing it in your daily newspaper. The message can take any number of paths between you and the recipient, and can be monitored at any point along the way, whether for gain or just plain curiosity. No current legislation protects users of email.
Both hardware and software solutions are available to encrypt sensitive voice, fax/data, and email communications, and render them meaningless to eavesdroppers. Unfortunately, deploying these defenses forces those targeting your information to use even more invasive methods to obtain it. That's a topic for another occasion.
(Bill Fischer is a Communications Specialist and a member of the American Society for Industrial Security (ASIS). He operates Electronic Countermeasures Inc., a Security Management and Consulting Corporation, based in Calgary, Alberta, Canada. He can be contacted by telephone at (403) 233-0644 or by email sent to eci@shaw.ca, or by visiting ECI's website at eci-canada.ca)