Spies in the workplace
Spies in the workplace
Disregarding information security is like keeping the front door unlocked. Data theft is common practice, and employees – representatives of risk groups, while information protection is becoming more expensive.
Only 1/3 of organisations are convinced that the security level of their business is adequate. Companies acquire several product items to install on the endpoints within the corporate network, and the executives who used to underrate the need for security systems are now increasing the investment into guarding confidential information.
In 2018 protection products are expected to "charge" organisations about US$100 million. The awareness of the security importance evolves, people admit that information is the key to success because many companies appear to be fraud targets.
Anyway the methods of preventing frequent security incidents within organisations aren't elaborate: only 30% of companies have their own info security departments or at least one InfoSec officer.
"Spies" are usually fired, but many of them remain undetected.
Here are some real life examples of what can happen in the workplace.
If you go – take
A sales manager was fired for failing to implement a sales plan. An insulted employee downloaded the client base and soon was hired by a small competitor company. There should be no further explanation – a customer base costs companies a fortune.
The situation is typical. How can it be prevented? Ask sysadmins to block the access to the corporate systems – CRM, file servers, email, task trackers - which is given to an employee who is quitting.
When talking about dismissal an employee should be reminded of security policies in the company and of what he or she might face in case of violation. This will diminish the desire to take something which belongs to the company. Data theft is a crime – a violator can be fined or arrested.
If there's an employee time and productivity monitoring system or any other data protecting module installed, a sysadmin should be notified of possible problems and might want to control a particular employee.
Loose lips sink ships
A typical story in many companies – an employee was hired by a competitor but kept communicating with ex colleagues. One of such stories brought considerable losses to an organisation: an employer manipulated former acquaintances and learnt some insider information – about tenders, promotion plans and even meeting partners and contractors.
It's impossible to prevent 100% of leaks. No one can forbid ex-employees from talking to someone who is still a staff member. It means that a company will always be at risk. But the risk can be reduced. The best method of guarding is to control all the communication channels within a company. A DLP system can be integrated: it will monitor and analyse all the correspondence in the workplace and alert to violations thanks to tag words online detection.
Some solutions stop messages from being sent: a suspicious email goes to quarantine where it is to be approved and only then sent by an information security officer.
Anyway it is necessary to conduct a routine briefing – employees should know how to use sensitive data and trade secrets correctly, there should be regulations on divulging confidential information.
Instructive stories narrating how a spy got caught and punished told by a tough info security officer can serve as a preventive measure.
One of our partners shared a story with us – a head of department became a reason his employee turned out to be guilty. The situation was simple: a manager called his assistant while he was at the meeting and asked the employee to send him a package of documents to his private email. The documents included sales planning and market research results. The employee didn't think twice and sent him the package which made him the focus of InfoSec officers attention. It took time to prove his innocence. The investigation was conducted, the intercepted base was rechecked, video records rewatched and so on.
Managers' negligence is detrimental to a company: executives have an access to loads of information. It's impossible to guarantee a comprehensive protection against such leaks. Supervisors' use of data, downloading and transferring documents can't be limited – this will slow down or hinder their work.
A DLP can reduce risks: the system will help to detect a leak, conduct an investigation and discover a violator. Before a leak happens specialists should be hired or basic info protection programs installed. An information security department is a contribution to your business development.
Et tu, Brute?
According to the statistics 1/3 of companies fights the consequences of data theft. Almost half of all the incidents is caused by employees. The issue requires attention – staff members control all the corporate information. This power makes them think of using this knowledge for their own benefit.
Here's a real life story: an IT specialist connected a new address to a corporate email which mirrored all the correspondence between two top managers – commercial and chief executives. The messages could be read by the competitors who were informed of every strategic step the company was making. An info security department is needed to supervise IT specialists.
An information security officer should be provided with instruments for IT department monitoring. SIEM system detects account creating or deleting, notifies if someone tries to type in a wrong password multiple times, allows employees to access data they have no right to handle. A DLP will alert to launching a remote access software on the computer of a chief accountant, for example. The computers of company's executives can be easily scanned by system administrators - there are solutions which allow to block a sysadmin's access to user's folders.
PUM system (Privileged User Monitoring) is the safest way to control an IT department. The module supports video recording: employee activity gets recorded.
An employee blackmailed an accountant for a few months having learnt about her personal relationship with the manager. To keep it secret she provided her colleague with copies of financial reports, salary details, sales data and other documents.
No private life within the workplace – no intimidating. Although there can be other secrets a person doesn't want to reveal to his or her colleagues. What should be done? Employees should be monitored, risk groups should be formed – that's how staff members who might be influenced or blackmailed are detected. Such employees may not harm a company but can collaborate with violators when pressured. Risk groups should have a limited access to confidential documents, personal data, research, reports and company strategy.
What a company has to do when an incident occurs is to understand which instruments should be integrated and policies – configured, to analyse, correct security mistakes and not to make new ones.
* By Sergey Ozhegov, CEO of SearchInform.