The extreme case of Edward Snowden
Edward Snowden was a trusted employee. During his time at Booz Allen, a consulting firm and subcontractor for the super-secret National Security Agency, Snowden copied thousands of top-secret NSA documents. He fled to Hong Kong and met with British journalists, who promptly published the documents Snowden turned over. He is currently a guest of the Russian government, and a federal warrant is out for his arrest.
Recognizing the problem
Snowden is an extreme example of how rogue employees, according to this CIO online piece, can be one of the biggest threats to data security. By virtue of his insider status, Snowden easily accomplished what no foreign agent, spyware or Trojan horse could. Aself-proclaimed idealistic whistle-blower, Snowden was able to steal highly classified material from the world’s most security-conscious employer.
Less-security-conscious organizations are obviously more vulnerable. Any organization can have employees who are angry or underpaid. These employees can have festering grievances, or may be planning to work elsewhere and take trade secrets with them. So in addition to taking sensible measures to prevent workplace violence, employers must be on the lookout to protect their business and recognize the signs of dissatisfied employees.
Managing employee data security breach threats
Jon-Louis Heimeri provides some great advice in a 2011 Security Week online piece that still applies:
1. Treat people with respect and listen to their ideas and complaints. That way they don’t become disgruntled.
2. Establish a sensible security policy. Let employees know just what information is not for public consumption. Write the policy down, and get the employee to sign off and agree never — not now, and not after leaving the organization — to disclose it.
3. Do a business impact analysis that includes what data is most important to the continuity of the company. Identifying that data and controlling access to it will solve the majority of any organization’s security headaches. (By the way, a business impact analysis is an essential element in disaster recovery planning.)
4. Prosecute and litigate. If a current or former employee breaches security, lower the legal boom. The goal should be to illustrate to everyone the painful consequences of insider data theft.
5. Make authorization access consistent with what is needed to do the job. Responsible authorization practices are the foundation of protecting company data. Your customer management employees, for example, do not need to access company financial data.
6. Keep honest people honest. Track your employees’ access to information. Build a “normal” baseline of work activity, and look for access trends that could be indicators of information hoarding.
7. Keep on top of malware detection and scanning. Disgruntled employees have been known to plant spyware, Trojan horses, etc. Constant monitoring can reduce the time between the act and its detection.
8. Cut the cord quickly. If you have to terminate an employee, be able to cut the employee’s access to everything quickly. The access denial must occur before the employee reports for the exit interview.
9. Don’t allow mingling of personal computers with corporate information. Once an employee downloads or copies corporate files onto a personal laptop or desktop at home, the company has lost control of the data.
10. Back up everything. Repeat: back up everything. The classic defense to malware, ransomware and simple sabotage is both on- and off-site backups.
Looking for help and advice on protecting your vital business data? 403Tech Inc is the trusted choice when it comes to staying ahead of the latest information technology tips, tricks and news. Contact us at (403) 215-7506 or send us an email at [email protected] for more information.
403Tech is one of the Top 50 Managed IT services companies in Canada.