Dealing with Disgrunted Employees - Information Security Considerations
While it's commonplace to fear hackers, we are now being told to worry more about internal security than external security; that our own people are a greater threat than outsiders. The people on the inside aren’t more hostile, they just have more access. Realistically, the vast majority of employees from your organization are well-meaning, honest people. Your company is far more likely to be a victim of an “oops” than an attack by a determined and hostile insider. An insider could access private and/or sensitive information. How do you manage a situation where a trusted insider has gone rogue?
1. First of all, don’t disgruntle people:
Treat your staff with respect. Clearly communicate your company’s mission and priorities. Listen to your people when they have ideas and complaints. Don’t be afraid of your staff. From the lowest level of an organization to the highest, we are all just people, and we want to be treated fairly.
2. Build a good security policy:
This is stereotypical security geekdom at its best. Your security policy should do one important, yet often forgotten thing: define a classification and handling policy. Your policy should define what information is non-public, and give examples. It should also include specific guidance that internal information (call it confidential, private, sensitive, internal-use-only, or whatever you want) is for internal use only, and that improper use, sharing, distribution, or release is forbidden. Get written employee acknowledgement that they understand and agree with the classification/handling policy. Part of this policy should include employee agreement that they will not divulge sensitive information for some period of time after termination – make sure they acknowledge responsibility to protect your information even when they are no longer an employee. Then there is no reasonable way for an employee to say "I didn’t know".
3. Identify your "cool" data:
A significant part of any information security plan is simply to protect the data. We control access to other machines and applications primarily so we can control access to the data available to those systems. If we could guarantee perfect control of the data, the majority of our security problems would disappear. To start that process, we have to know where the cool data is. Perform a Business Impact Analysis, an information asset inventory, or a data flow analysis, (or whatever you want to call it) to identify where your data is, what databases hold it, which systems support it, and what applications have access to it. It’s hard to protect your “private” information if you don’t know where it is.
4. Bring on the pain:
It will hurt, and it will be embarrassing. But if you are one of the few organizations that become a victim of an internal compromise, prosecute and litigate. Sue for breach of contract, actual value lost, and damages. If an employee sold information, or took it to a competitor, go after the buyer or the competition as well. Make it so painful for the perpetrator that they can be used as an example for years to come of reasons why an insider should not steal from your company. At least look carefully at each case and make a conscious decision on the risks for each event. This may not stop internal breaches, but it will deter.
5. Perform responsible authorization:
Make sure you know which employees need access to what information. By doing this you will ensure that you are giving access to just the information that is needed for people to do their jobs,. Building and maintaining an effective authorization mechanism is an art, and the single best thing you can do to achieve control over your cool information.
6. Monitor access:
Track your employees’ access to information. Monitor system, database, and application access. Build a baseline for what your environment looks like during “normal” operations. Consider types of accesses, volumes of requests, volumes of data, and related mensuration data. Then you will be more likely to see “hoarding” as someone going rogue copies higher volumes of information before they leave, or suddenly starts accessing different data than normal. If you can spot aberrant behavior as it’s happening, you could stop it before it’s too late. This is especially important if you are going through layoffs or a merger/acquisition and are expecting staff reductions.
7. Protect yourself from malware:
Scan your systems for malware like viruses, spyware, and Trojan Horses. Regularly. I have had clients tell me that they don’t scan servers since they scan all their clients, and visa versa. Keep running the anti-malware software to identify if something is planted. Consider additional system integrity checking, and system hardening to limit your exposure to malware, and be able to identify it if it strikes. System monitoring can also help here, since good monitoring can help spot aberrant behavior and give you a chance to react.
8. Full account revocation:
When you need to terminate someone, and are worried about retaliation, or when you need to react quickly to an event in progress, you should be able to quickly disable employee access to critical systems. If the time comes to shut someone, just turn off everything. Keep in mind that while not every termination justifies this, there are obviously some cases where it is warranted and necessary. If it comes to this, don’t do it piecemeal. Don’t let account revocation happen in a batch job, at the end of the week, or even the end of the day. If you are worried about retribution, revoke access before, or while you tell the employee.
9. Do not use personal property for corporate information:
Yes, sometimes it is simply better business to let an employee use a personal phone for work purposes, but when it comes to laptop or desktop computers, the answer should always be “no”. As a company, you have no control over the data on the employee’s personally-owned computer. You have no information about how secure the system is, or whether it has adequate antivirus protection or other security measures. Other than by requesting, you have no way to get work information off of their home computer. Essentially, once corporate information is on an employees’ home computer, the corporation’s control over that information ends.
Backup everything, including distributed desktop/laptop clients and any mobile data. You can recover a lot from backups, but you will have a hard time recovering something that was not backed up. Having good backups allows you to restore any lost data and systems, and can help you identify what was lost and/or stolen. It’s hard to find something if you don’t know what you are looking for.
If you have information worth protecting, you probably have information worth stealing. It’s in your best interest to protect yourself from the theft of insiders as well as outsiders.
Jon-Louis Heimerl is Director of Strategic Security for Omaha-based Solutionary, Inc., a provider of managed security solutions, compliance and security measurement, and security consulting services. Mr. Heimerl has over 25 years of experience in security and security programs, and his background includes everything from writing device drivers in assembler to running a world-wide network operation center for the US Government. Mr. Heimerl has also performed commercial consulting for a variety of industries, including many Fortune 500 clients. Mr. Heimerl's consulting experience includes security assessments, security awareness training, policy development, physical intrusion tests and social engineering exercises.