A Coup and a Theft: Why MSPs Can’t Let Clients Get Lax About USB Security
As MSPs responsible for securing clients’ data and systems against all threats great and small, the humble USB drive can be just as dangerous as the most sophisticated cyberattack. Clients may have a hard time imagining just two inches of metal and plastic destroying their businesses, but that potential is absolutely real nevertheless.
If a client of yours is less than serious about the need for USB security or trying to cut corners on your recommended safeguards, I have a couple of cautionary true tales you can tell them.
The Mortgage Company Coup
This first story concerns a long-term client of ours, a mortgage company with about 150 employees. We’ve worked together nearly 10 years, since the days when MSP-provided security was much more a list of à la carte options chosen by the client. In our current and more enlightened era, I advise MSPs to avoid working with any client that demands bargains instead of accepting your comprehensive security strategy. The consequences of a breach can be ruinous to you both; it’s just not worth it anymore (if it ever was). In this client’s defense (literally), it opted for a nearly full slate of security safeguards, only saying “enough is enough” when it came to USB protection.
It happened that the owner was ready to sell the company. With an offer on the table, the owner told the company’s managers the news. This prompted one of those employees – call it a coup – to start recruiting others to leave and start their own company. To make sure that new company could hit the ground running, this employee also decided to take all the data they would need.
If you think about what goes into a mortgage file, you have payroll stubs, tax returns, medical military records, etc. Basically, you have customers’ whole life stories. Home buyers meet with a mortgage company for an hour and hand over every important document in their lives. It’s highly sensitive data, and certainly unnerving to customers that an employee could steal it all for their own nefarious purposes.
The employee began copying huge amounts of data to an unsecure USB drive. He bypassed security measures and controls the company had in place, such as a firewall and web filtering, by using a purchased VPN product. However, he happened to call in for support for something else during this process. One of my technicians saw the peculiar data transfer. He alerted me, and we let the owner know what was going on. The owner investigated and later found out that the rogue employee was actively recruiting three-dozen other employees.
The owner had us go in and document the files stolen and nab a screenshot of the USB file transfer. When we did, we learned that this employee thought the VPN made him invincible: he was browsing pornography on his other screen while the transfer was happening. Ultimately, the owner didn’t sell the company, because this incident blew up the deal. The employee got away with the stolen data and went to a competitor. The whole case is now in court, where that last aspect with the … adult … browsing is perhaps adding some levity to the proceedings.
The Engineering Company Schematics (and the School of Hard Knocks)
In another client story involving an engineering company, a couple of employees left the firm, but not before taking sensitive data copied to a USB drive along with them. These engineers proceeded to start their own business, enabled by this stolen data. The new company’s website prominently displayed drawings that those employees had worked on under their previous employer, a fact that our client was quick to notice.
Even the most prudent and security-oriented clients often have a blind spot for …
- Page 1
- Page 2