I've been advising supposedly concerned compliance officers for years about the risks posed by questionable members of their IT staff, and then I walk into a company recently to discover they've just fired their compliance officer.
It was a minor indiscretion. He had simply accessed every contract the company held to ensure that it was complying with all relevant policies. Trouble is, he was being handsomely rewarded by the competition for divulging what he found.
It seems that it doesn't matter where you look these days; it's becoming difficult to trust anyone. And therein lies the crux of the problem. Most organizations assume that their employees are basically honest and can be trusted not to do something stupid. Unfortunately, it's the honest ones that are most often the victims. And often an organization's failure to grasp the magnitude of the damage a dishonest or careless employee can cause results in disaster.
Every organization today, no matter its size, must ensure that privileged access to systems is controlled and that confidential data is secure. A key factor in this is ensuring that people in positions of responsibility understand what they're doing. The example of the CISO of a UK Fortune 100 company who stated that the M&A data about planned acquisitions was secure because the server was in the boardroom may not be typical, but it only takes one idiot to give you all a bad name – or for that matter one compliance officer on the take to have other compliance officers labeled as crooks.
Lack of sufficient internal controls can result in data breaches, denial of service attacks, and compliance review failures. The key areas of vulnerability are Privileged Users access controls both inside and outside the network, confidential data exchange via public networks, and securing highly sensitive data inside the network. The insider threat is the main security risk enterprises face -- insider incidents from using system administrator or privileged account access are responsible for nine out of 10 breaches in data security.
What is the best way to protect data? Information must be protected from unauthorized modification, deletion, and exposure. Encryption and other security mechanisms are not helpful if someone hacks the computer and circumvents the security layers. For instance, encryption is good for confidentiality, but does not protect data from intentional deletion or accidental modifications. To build multi-layered security, a sterile environment must exist to accommodate and protect the security infrastructure.
Other points to remember:
- Ensure you have visual auditability. Owners of information must see what happens with their information at all times. Combined with auto-logging and auto-alerting, visual auditability ensures that an organisation has a prevention and detection mechanism.
- Separation of duties must be set up between owners of the information and administrators of the information. For example, there is no need for IT staff to be reading employee contracts, unless of course he or she is doubling as head of HR.
- Dual control ensures that highly sensitive data can only be accessed provided it has been authorised by another person.
- Data should always be backed up in encrypted form, and kept encrypted even while on backup media to prevent unauthorized disclosure.
- Access should be controlled based on user location. In other words, it's not the employer's responsibility to help an employee show-off to the cute blonde in the internet café. Make sure that if the information is for internal use only that is exactly where it stays.
No organization is immune to the risk of exposure, embezzlement, and embarrassment, especially if you're outsourcing or using contract staff. So let's just say that since some people have a habit of letting you down, it's time you ensured your data is secure and locked away. As that paragon of American virtue, Mae West, once said, “I generally avoid temptation unless I can't resist it.”