Physical Security is defined as the protection of hardware, software, personnel, data, and networks from physical actions, inactions, and events which have the capability of causing loss
or damage to an institution, agency or enterprise. This is the protection from fire, flood, theft, burglary, vandalism, natural disasters, and terrorism.
Recently, giant non-alcoholic beverage manufacturer, Coca-Cola admitted to a data breach. This came after an employee had stolen dozens of laptops over a span of five years. The stolen laptops contained sensitive data for 74,000 individuals and went unnoticed. The 55 laptops got lost from Coca-Cola’s Atlanta offices; some of which belonged to a bottling company which had been acquired by Coca-Cola as recently as 2010. The culprit employee was in charge of equipment disposal (Dunn, 2014). This stands out as a classic example of a physical security breach, and even so because it affected a giant company of Coca-Cola’s magnitude and stature. First, laptops (hardware) were stolen, and secondly, employee data landed into wrong hands.
Coca-Cola did not realize that the laptops contained personal information until when they were recovered in November and December 2013. In totality, the laptops carried 18,000 personal records which had with them social security numbers, and in addition to that, 56,000 records of other types of sensitive data. The failure in Coca-Cola’s end was its failure to encrypt the records even when the company’s security policy claims that encryption is necessary. I, would, in my opinion, suggest that asset disposition seems like the weakest link in data security. Insider theft in large companies goes unnoticed by the organizations and recyclers in most cases because the companies rely on their employees to self-report incidents. Coca-Cola incident was a clear case of negligence on the fundamental lack of physical security control surrounding the IT asset disposition process.
For this particular scenario, two incidences took place. One, laptops were stolen, and two, people’s sensitive data was accessed. If Coca-Cola was to ensure that laptops never got lost from its offices, it ought to have ensured the proper physical security of all working laptops. This can be made possible through keeping the laptops locked up securely before whoever attends to the laptop steps away or lock up in something permanent. It was also important to maintain current logs of all laptops, their models, as well as their serial numbers and in a secure location (Perdikaris, 2014). The list of all faulty laptops should have been included since this would have indicated if indeed the ones the said employer was going to dispose of were faulty or not. This helps in sorting out the laptops in good condition and those which are passed for disposition. Also, rooms, where the laptops are kept, should also have had extra physical security measures like biometric finger scanners so that such rooms are accessed by authorized individuals.
The second security breach happened with the laptops which were stolen for alleged disposition from where sensitive data of employees was accessed. This indicates that personal information of the workers was not encrypted (Beaudet, 2010). Coca-Cola company should have encrypted the information to secure confidential data which was stored in the laptops. This ensures there is an extra layer of protection of private information. In the same breath, it should have been important to wipe all the data from the laptops before they were taken out for disposal. Over and above encryption of data and erasing data, it would have been worth for Coca-Cola to have been performing ongoing risk assessments so that it identifies security threats and its level of preparedness. Holding employee-training sessions where security measures are outlined and penalties for non-compliance communicated. This training would have assisted the employee thief with a sense of responsibility and knowledge that he would ultimately pay for his/her action (Alexander, 2008)
References
Alexander, P. (2008). Information Security: A Manager’s Guide to Thwarting Data Thieves and Hackers: A Manager’s Guide to Thwarting Data Thieves and Hackers. ABC-CLIO.
Beaudet, R. J. (2010). Civil Division¿s Laptop Computer Encryption Program and Practices. DIANE Publishing.
Dunn, J. E. (2014). Coca-Cola suffers data breach after employee ‘borrows’ 55 laptops. TechWorld, 12-13.
Perdikaris, J. (2014). Physical Security and Environmental Protection. CRC Press.
