Job losses need not lead to data loss

Although your own staff have always posed the greatest danger to your organisation's IT security, the downturn is raising the threat to new levels.

Companies are no longer losing one or two staff occasionally, but making employees redundant in huge numbers; the staff who remain are unsettled, and budgets for tackling security issues are being squeezed.

When staff walk out of the door for the final time, confidential company data often goes with them. The Infosecurity Europe poll 2009 found that 478 out of 532 IT decision-makers surveyed believe that security risks will increase in 2009.

Moreover, a survey by security supplier Symantec and privacy research specialist the Ponemon Institute found that nearly 60% of employees who lost or left a job in 2008 took confidential data such as customer lists with them.

When IT staff are sacked, the risk to the company's continued operations can be even greater, because they have intimate knowledge of IT systems and how they can be damaged.

Frustration hacking

"Be aware of frustration hacking," warns Eric Domage, a research analyst at IDC. Domage says that IT-savvy staff can delete servers, encrypt IT systems or take company data as a protest when they are made redundant.

"The internal threat from one-time hacking is a major threat to businesses," he says.

Companies can protect against external threats, and can trace logs to identify internal fraud, but are too easily caught by one-off instances of internal electronic vandalism.

In the US, Rajendrasinh Babubhai Makwana, a contractor at US mortgage association Fannie Mae, was charged earlier this year with leaving a malicious script in a routine program that would have propagated through the bank's servers and deleted all data. The script was allegedly set to execute more than three months after his contract was terminated.

To counter these risks, the most important step you can take is to ensure that former staff no longer have access to IT systems.

Systems access

The Symantec/Ponemon survey found that about a quarter of employees still had access to their company's network after they left.

In the Fannie Mae case, Makwana's root access to all the bank's servers was not terminated until the evening of the day he left.

Even if you do have effective procedures to deal with staff departures when they are running at normal levels, you may not be able to cope with turning off access for a couple of hundred people at the same time, warns Andy Jones, a principal research consultant with the Information Security Forum.

He says you need to prioritise activities such as removing cards that allow physical access to the building and deactivating remote access. That ensures ex-employees cannot access any parts of your network while you work on revoking their rights on individual systems.

You should also monitor staff before they leave the company, he says.

Centralised security logging and event management software can provide alerts and analysis in real time, showing who is accessing what and allowing you to pick up on suspicious behaviour before it has an impact on the organisation.

The good news, says Chi-Chi Liang, a senior product marketing manager at Symantec, is that only a very small proportion of departing staff are actively malicious.

In most cases, even those who take data are doing so simply to help them secure their next role. Alongside contact and client lists, staff frequently want to take data about projects they have worked on to show prospective employers what they have achieved.

Companies should acknowledge that departing staff need access to this material, and seek to reach an appropriate compromise with them about what information they can take.

You also need to take care that you do not demoralise the staff who are staying by applying heavy-handed security measures that make them feel like criminals.

Honest staff

A survey carried out by YouGov on behalf of content security company Clearswift suggests most people are honest: it found that three quarters of employees said they would not take company information if they were made redundant, with nearly half of them citing "I do not steal" as the reason, and 12% claiming "loyalty to the company".

Just 4% said company security measures would stop them.

In fact, the greatest internal threats once a company has downsized may result from the remaining staff working under stress.

"[Overworked staff] are more likely to cut corners or bypass security in order to do more faster, opening up the organisation to external threats such as phishing," warns David Kelleher, a communications and research analyst with IT security software supplier GFI Software, adding, "You should increase awareness among employees of security threats and explain what to look out for to help reduce the risk of unintentional data leakage."

How to prevent internal attacks

● Understand what data you have, who has access and how they have access, and then focus on protecting the most critical data first.

● Create policies for appropriate data use and educate users about how to use data securely.

● Ensure business processes support good data security - by appropriate segregation of duties, for example.

● Implement technologies that prevent information from leaving the organisation, whether on CDs, memory sticks or through e-mail.

● Implement technologies that make it easy to disable user access, especially for users with high-level privileges.

● Implement logging systems that allow you to spot suspicious behaviour quickly.

● Develop de-provisioning processes that scale.
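
A minimal sketch of the reconciliation the last three points imply, added here as an illustration and not taken from the article or any supplier it quotes: it compares an HR leaver list against an account inventory and an authentication log, queues remote access for revocation first, and flags any successful login after departure. All user names, system names, timestamps and the log format are constructed sample data.

```python
from datetime import datetime

# Constructed sample data: HR leaver feed (user -> departure time).
LEAVERS = {
    "asmith": datetime(2009, 3, 2, 12, 0),
    "bjones": datetime(2009, 3, 2, 12, 0),
    "cpatel": datetime(2009, 3, 2, 12, 0),
}
# Constructed account inventory: (user, system, enabled, privileged).
ACCOUNTS = [
    ("asmith", "vpn", False, False),
    ("asmith", "crm", True, False),
    ("bjones", "vpn", True, False),
    ("bjones", "unix-root", True, True),
    ("cpatel", "vpn", False, False),
    ("dlee", "vpn", True, False),   # current employee, must be ignored
]
# Constructed auth log: timestamp user system action result.
AUTH_LOG = """\
2009-03-02T09:14:00 asmith crm login ok
2009-03-02T18:40:00 bjones unix-root login ok
2009-03-03T07:05:00 asmith crm login ok
2009-03-03T08:00:00 dlee vpn login ok
"""
REMOTE_ACCESS = {"vpn"}  # assumption: systems that count as remote access

def revocation_queue(leavers, accounts):
    """Leavers' accounts still enabled: remote access first, then privileged."""
    pending = [a for a in accounts if a[0] in leavers and a[2]]
    return sorted(pending, key=lambda a: (a[1] not in REMOTE_ACCESS, not a[3], a[0], a[1]))

def post_departure_logins(leavers, log_text):
    """Successful logins by a leaver after their departure time."""
    hits = []
    for line in log_text.splitlines():
        ts, user, system, _action, result = line.split()
        when = datetime.fromisoformat(ts)
        if user in leavers and result == "ok" and when > leavers[user]:
            hits.append((user, system, when - leavers[user]))
    return hits

if __name__ == "__main__":
    for user, system, _, priv in revocation_queue(LEAVERS, ACCOUNTS):
        print(f"REVOKE {user}@{system}" + (" (privileged)" if priv else ""))
    for user, system, delay in post_departure_logins(LEAVERS, AUTH_LOG):
        print(f"ALERT  {user}@{system} logged in {delay} after departure")
```
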
