Data Security Basics for the Private Investigator
- November 17, 2010
- by Jeff Kimble
How's this for a bad day at the office: You've worked your heart out for years building your small private investigator agency. The business has grown to include yourself, your partner, a full-time secretary, and a few part-time operatives to help out with the more complicated cases. Nothing fancy yet, but you have big plans. You've survived the first three years, actually made a modest profit, and you've managed to keep afloat in the worst economic downturn since the Great Depression.
You arrive at work Monday morning, park your car, and walk to your building with the usual thoughts of cases, clients, bills, etc., floating hazily through your mind. As you step through the front door, you're snapped to frantic alertness by your secretary, who is crying openly about missing files, a stolen laptop, and what essentially amounts to a devastating tsunami in the cyber world: a data breach. Your heart sinks, and you face the possibility that your business may now be sunk as well.
It's a disturbing fact that within the last five years alone, over a half a billion sensitive data records, the majority of which included Social Security numbers and credit card information, were breached in this country, and nearly a quarter of those breaches occurred in small businesses. The final kick in the groin is that approximately three-quarters of those small businesses went bankrupt either directly or indirectly due to the experience. Ouch.
But don't board up the office and start selling your precious bodily fluids to put food on the table just yet. There is hope for the small private investigative agency to secure its parapets, reinforce its ramparts, and generally keep the data-thieving barbarians at bay without sacrificing an arm and a leg in the process. Here are a few pointers to get things on the right track:
Figure Out What You Got and Where You Got It.
Make a list of where the sensitive information is, who has access to it, and what's the most important and least important, as in "if this were stolen, we'd be screwed, but if this got snatched, no one would care." Prioritize and categorize. What's on the laptops? What's in the main office computers? The exterior hard drives? The USB storage devices? The file cabinets? The boxes of documents that you should have shredded years ago but just stuck in the basement to get them out of the way? Write it all down and organize it in a way that gives you the full picture of your vulnerabilities and strengths in terms of what someone could get and how could they get it, e.g., over the Internet, through a window, via grand theft auto, or by seducing your secretary. Once you've got the facts down on paper, you can begin planning your defense.
Create a Solid Company Policy on Data Transport, Storage, and Personal Use.
FACEBOOK! Need I say more? Tighten the lid on all data in and out of the office and do so by making it clear to your employees exactly what you expect of them. You'd be surprised, or you may not if you're a working P.I. what spills out of office doors through social networking and the like. Corral all those loose USB storage devices that you listed on paper that are currently floating around in purses, pockets, and laptop cases. Find out whats on them, who uses them, and what their physical proximity is at any given time. Inventory them, decide how you want your employees to treat them (do they go home at night, get locked in the safe, or what?). Drill hacker defense tactics into your subordinates as if you were General Patton: If your computer ever appears compromised, yank all the plugs like s**t through a goose! (I actually heard of a secretary trying to reach her boss on the phone for half an hour in order to tell him that the main computer was acting funny. Meanwhile, the hackers drained every ounce of information via a corrupted Internet connection while she sat there doing her nails.)
Upgrade everyone's computer security software to the best you can afford. Increase password complexity and discourage employees from writing them down. Limit or forbid Internet use on certain extra-sensitive computers. Limit or forbid the take-home computers and the information on them. Insist that take-homes be transported in a locked trunk and that any sensitive information in them is encrypted. Forbid all employees from receiving or transmitting company info over public Wi-Fi hotspots. Shred sensitive printed documents destined for disposal ASAP, and be sure to use a diamond cross-cut shredder. If you really want to do the Liddy/Magruder Midnight Shuffle the superlative way, burn them too.
Completely destroy, not just erase, all decommissioned computer hard drives. Never let an employee sell or discard a PC/laptop that was used for agency work even if it was their own personal property. Make it part of your pre-employment agreement. Give that old computer a taste of Office Space stress-relief in an open field with a baseball bat to make sure sensitive information permanently stored on the hard drive is completely obliterated and can therefore never fall into the wrong hands. If that seems too unprofessional and/or politically incorrect, turn the thing over to a trusted emphasis on trusted computer expert to dispose of it humanely.
Know Your Employees Like Family.
If you can, keep it in the family! Our office is family: My partner is my wife, my secretary is our unofficially adopted daughter whom we raised as our own since she was a teenager, and most of our licensed operatives are blood relatives. Not everyone is so lucky in their business, but I can't tell you how much better you'll sleep if you have complete trust and confidence in your employees. If you don't have the luxury of literally keeping it in the family, perform thorough background checks on all potential hires. Sounds obvious, right, especially for private investigators? But I've known agencies that will hand out associate P.I. licenses to anyone with a Social Security card and a smile.
First get to know your applicants personally. Go out to dinner a few times, make lots of small talk to get information, take them to a ballgame and ask them to bring their family or friends, (birds of a feather, so to speak). Better to dig deeply into their lives and find out who they really are than be forced to dig the proverbial knife out of your back when they sell you up the creek. You're a detective, detect! Don't take on anyone you wouldn't trust with your own children, because ultimately you're putting your own children at risk, i.e., your livelihood and ergo theirs. Don't make the potentially fatal mistake of hiring some yo-yo who appears solid in his or her resume and demeanor, but later turns out to be Robert Hanssen incarnate.
Update Your Security
This is really basic stuff, but you'd be horrified to learn how many agencies have little or no physical security and yet handle extremely sensitive data on a daily basis. Keep sensitive areas locked, and install deadbolts on all interoffice doors to better secure them from illegal entry. Lock file cabinets whenever possible. Give keys to only your most trusted personnel. Your best overall strategy is to improve your physical security in increments in proportion to your budget. Start by thinking like a burglar. Then, a little bit each week, make your workplace less appealing to the potential data thief by making it harder and harder to break in. No physical security is foolproof, but the determination to make a breach as difficult as possible should be a no-brainer. Motion detectors and cameras are great if you can afford them, but a living, breathing, security-minded human presence combined with solid locks and barriers are always your best bet to deter a data breach before it happens, or at least slow the bastards down so police have a better chance of catching them in the act if its an after-hours B&E.
Consider outsourcing security or hiring a consultant. It's likely that a qualified security service can provide better security than you can. Plus, it allows you and your staff to concentrate on the business of private investigations rather than locksmithing, alarm systems, and the complicated minutiae of modern data storage. But can you afford it? Can you afford not to? Only you can answer these questions.
My advice in all things is to do what you can when you can, and don't sweat the rest. And remember, it's much more expensive for you and your business to repair a data breach after its occurred than it is to prevent one from ever happening in the first place. Lao Tzu said, "All difficult things have their origin in that which is easy, and great things in that which is small." Apply that thought to your agency's data security, along with the pointers above, and you shall go far.
Jeff Kimble is a frequent guest writer for PInow.com. He is a licensed private investigator and co-owner of Arizona Legal Document Services LLC in Arizona.
To learn more about becoming a member of PInow.com's trusted network of investigators, contact us online or call (888) 997-4669.
Interested in keeping up with Private Investigator News? Click here to sign up for the PI News Roundup - a weekly newsletter for private investigators and support professionals.