The fact that a company’s own employees pose a greater threat to security than hackers has now become widely recognised within the industry. Some cynics might argue that the escalation of this particular threat came about to justify the continued existence of the corporate security team, which was starting to look a bit awkward now that all of IT security has become operationalised.
I’ve visited organisations in some parts of the world where the perceived potential threat from company employees has created a regime preventing individuals from carrying personal belongings to their desks, and where they are likely to be searched on the way in and out of the building. Once at their desks, computers (which have no available USB ports or writable disk drives) are locked down to the extent that only the software necessary to do the relevant work is available. No web access, no IM, just closely controlled work. One particular organisation I visited in the Philippines operated such a regime. Here in the UK you might consider it oppressive and too strict, but the company in question was highly regarded by its employees, and provided good benefits such as a well-equipped Internet cafe, excellent catering, and an in-house doctor’s surgery.
They also had a data center that just about anybody could get into completely unsupervised…
Many of the employee-related incidents that we read about in the news, such as the software developer leaving a back-door in his code, or the PA cashing company cheques, could have been easily prevented with the benefit of hindsight and some half-decent audit controls. But just how do you mitigate the threat of employees bad-mouthing your business and customers in a public forum, as happened to Tesco very recently (read about it here)? You can threaten disciplinary action, promote good behaviour, etc., but really we’re pretty powerless. One of the issues is that there was no real motive behind the actions: a few people decided to spill the beans and publicly voice some pretty ugly opinions, but no-one was out to profit from it and no confidential data was stolen. The financial and reputational impact could be just as bad though.
I discussed this very scenario in a recent review of my organisation’s incident response plan. So many company employees now contribute to online forums that it’s inevitable somebody will eventually say the wrong thing in the wrong place, and the wrong person will get to hear about it. Is it an information security issue? I say remember the old saying “loose lips sink ships”, and that it’s as much an issue of corporate security awareness as reminding people to use a strong password is.
It’s no longer a matter of simply having secure systems and decent corporate policies. Companies now also need to influence the online behaviour of their employees outside of the office.
I can already hear the sighs of my boss – more scope creep on the strategy, King?