Two stories in the press demonstrate that the disgruntled or motivated employee remains a threat to be reckoned with. The first, of course, relates to the SocGen rogue trader. The second, on a slightly different scale, is the story of a Florida woman who maliciously deleted her employers critical data. You can read about that one here.
Leaving aside the detail of either story, it’s probably fair to state that any individual with a detailed knowledge of how your business works and a small degree of basic IT skills could circumvent security controls. Of course, the best knowledge is knowing where all the intellectual property and company secrets are on the network and there are numerous vectors for how this can be acquired and sent out of the company, or posted on the web, with a few simple mouse clicks.
Only recently I dealt with a case where it was suspected some private internal data had been leaked to a public source. On looking at where the data had been stored I discovered that far from having been in a protected folder with restricted access, it had been widely available on the network and could have been emailed and copied to numerous locations without any means to track access and use. So, there is a lesson here that security awareness on data handling can pay off if you make sure individuals in the organisation know where and how to securely store data that they want to keep secret.
There are tools that can help us track and audit access to data. For example, Verdasys Digital Guardian and Big Fix Data leak Prevention software. Of course, there is no foolproof way to prevent private data being compromised – it doesn’t necessarily need to be printed, copied, or emailed; reading it is probably enough in some cases. So setting up the right access policy in the first place is the most important aspect of control, followed closely by security awareness and training for those who handle private data.
However, all we can do is minimize the risk, never remove it. And I’ll be blunt here: employee mischief is one of my biggest fears because few other risks have the capability to cause so many problems. However, given that we seem to be steering the ship on a course towards where just about everyone on the network can access web-based file sharing, personal email, and a myraid other ways to post out your most valuable secrets , then it’s only a matter of time before the inevitable happens.
Back to SocGen. It’s a rather extreme lesson in making sure that adequate controls and monitoring are in place. According to the BBC, Societe Generale said the trader had taken what it called “massive fraudulent directional positions in 2007 and 2008 beyond his limited authority“. There’s your clue: lack of control allowed the individual to perform tasks in excess of his authorised privilege level. It’s fundamental Janet & John security – first thing they teach you in security school after you’ve managed to find the difference between your arse and your elbows…