The thief, his victim and her company laptop
NOT LONG ago a story was posted on the Bank of America Merrill Lynch staff website with the headline, “The associate, the burglar and the secured laptop”. It told of an employee who had returned from a family outing to find that her house had been broken into, and all three family laptops pinched.
Luckily, however, the thieves did not get their hands on her company laptop, as she had taken the precaution of attaching it with a security cable to the leg of a heavy piece of furniture.
The woman – I shall call her Ruth – was quoted as saying: “It was bad enough being robbed, but at least I had one less thing to worry about and that was dealing with a lost company laptop”.
The story goes on admiringly: “[Ruth’s] experience is a timely reminder to associates who work from home or leave laptops in the house unattended to lock them with a bank-supplied cable at all times.”
For my money, Ruth’s experience is a timely reminder of nothing of the sort. Instead, it reminds me of three other things: the sinister side of corporate life, the futility of all office security measures and the fact that there are very few corporate secrets worth making such a song and dance about anyway.
First, though, the canonising of Ruth on the strength of her diligence with a metal cord leaves one feeling a bit uncomfortable. It makes me think of those comrades in the Soviet Union who were made heroes for small acts showing how they put communism before their families.
Why, one wonders, did Ruth feel the need to attach the work computer to the leg of a grand piano but not the family computers – which actually belonged to her and presumably had photos and music and homework on them that would be most annoying to lose?
The story also tells us what a muddle companies get into when they start thinking about security.
A cable is not going to stop someone who wants the information on a laptop getting it anyway. The thieves who broke into Ruth’s house could have copied everything on to a disk before they scarpered. Or they could have found the information on the cloud.
The fuss over security suggests that there is a great prize for theft of company data. But is there really?
If someone were to break into my house now and seize my company laptop I would be amazed if they were to find anything terribly interesting. If they could get through the various passwords (that are now so complicated with their mixture of numbers, upper and lower case and punctuation that I can hardly remember them myself), they would have a sneak preview of a couple of half-baked columns I am working on. They might find a couple of gossipy messages. But there would be absolutely nothing that would give a rival a competitive advantage.
I bet the stuff on Ruth’s computer is fantastically boring too. There are only two things that might be worth stealing. The first is customer account details – but one assumes that sort of stuff is encrypted anyway. The second would be if it showed that Ruth or anyone else in the bank was up to anything dodgy. But in that case the answer would not be to lock up laptops, but to stop doing dodgy things.
Businesses that are doing things right have little to fear from their secrets getting out. There is no magic ingredient of success that can be found on a nicked laptop. Success is a complicated formula and cannot be easily stolen.
According to the Federal Bureau of Investigation, one million laptops were stolen in the US last year. Presumably, a lot of them were company laptops. And how much bad stuff happened as a result?
The only problem with losing stuff is not that harm is done, it is that people fear that harm will be done and the loss does not look pretty in the papers. When a UK government department carelessly threw away a CD containing lots of names all hell broke lose, even though the only thing that was really lost was face.
You may be wondering how I came to hear the story of Ruth, the burglar and the secured laptop.
I didn’t steal anyone’s computer. I didn’t hack into anything.
Instead, an employee, amused at the bank’s 1984 management style, set up a fake e-mail address and sent the page to me. No security cable would have prevented that.
The way to protect your secrets is to conduct your business in a perfectly reasonable way so that they can be of no conceivable interest to anyone. – Copyright The Financial Times Limited 2010