Actually, we was burgled--but it doesn't have the same ring to it, does it?
A couple of weeks ago, the TechRepublic offices were among several in our area that were hit by the classic "person or persons unknown." The thieves got away with a bunch of stuff--including my laptop.
In this column, I'm going to tell you about the break-in and how it forced us to rethink what we mean by security. I'll also fess up to my lamentably pathetic record at best practices for personal document management. This is a classic cautionary tale--read on, and learn from my mistakes.
The phone call you don't want to get
It was late Sunday evening and I was sitting in front of the TV thinking about going to bed when the phone rang.
It was Ted, one of our support technicians. He told me it looked like several laptops had been stolen from our offices. So I drove in to work.
On my way in, I had a selfish thought: Thank God I locked my office door, so they couldn't get mine. I had been in the office most of the day Saturday, trying to catch up, and had left my laptop in the docking station when I left that afternoon.
When I got to the building, I found that a number of people were there, and we walked the halls trying to do a quick inventory before calling the police. Here is what we found:
- Number of potential laptop thefts: 20+
- Number of desktop thefts: 0
This was obviously not good news, but it could have been much worse. They didn't get into our main server room, where we keep our Exchange server and a bunch of mission-critical machines.
While I'm not proud of it, I'll admit to being relieved when I found that my office door was still locked. I got out my key, opened the door, and found...that my laptop was gone as well.
Evidently, the larcenous creeps (notice how it just got personal for me!) somehow jimmied the lock on the door. When we had a locksmith out later in the week, he looked at the door and said, "This is no big deal. You could probably use a narrow, flathead screwdriver and open the door in about fifteen seconds." To which I wanted to reply, what a pity you never mentioned that last year when you came out and installed the lock on my door.
So my laptop was gone, with more than 20 others. Eventually, we went home and got some sleep. It wasn't a great way to start the week.
Fortunately, thanks to some absolutely fantastic work by the TechRepublic support staff, we were able to get all the laptops replaced and every employee back to work by Monday afternoon.I wish I could say I've learned something profound from this incident, but I can't. The sad truth is that the biggest lesson I learned is that I know better. I should have followed the suggestions on security we publish here at TechRepublic on a regular basis.
Here are just some of the things we've written about that I should have remembered:
- Focus on both virtual and physical asset security: Like most online companies, we're pretty careful about firewall vulnerabilities and making sure we have the latest antivirus definitions loaded on our machines. We spend a good deal of time making sure that our remote access and VPN clients are secure and that servers are restricted to those who need access to them. However, I spent a lot more time worrying about how a guy in an apartment in another country could hack into our systems than I did worrying about how someone could actually break into our building after hours and just cart stuff off.
- Pay special attention to laptops: Laptops have always been a security issue--but that's usually been because they're often stolen while the user is traveling. I confess I never gave a second thought to the idea that the laptop's size made it vulnerable to thieves who would break in specifically to grab them out of our office. Otherwise, we would have been more aggressive about requiring folks to take their laptops home at night.
- Back up personal files to the server: How often have you told others to make sure they back up their files to the server so they don't lose all their data should their hard drive go bad? As you might expect, I started strong and finished weak--just like most of us do. When I got to my new laptop and went to my user directory, I found copies of many files from when I first got my laptop, but over time, I stopped backing up to my user share. Overconfident, I guess.