NCC: Beware employees' "exit strategies" during downturn

With the bank failures of recent weeks, more pending redundancies and a continuation of the downward slide, should we be concerned about lax security? Is someone minding the store while all this is going on or should we be doing something more when the banks are going bust?

Be ever vigilant

With less "legal money" in circulation, temptations to access "illegal money" are likely to increase - especially if the walls of the institution you work in have become paper-thin, writes Danny Dresner, security analyst at The National Computing Centre. Correlate that with research into the human vulnerabilities in information systems, which shows that times of turmoil increase the people side of risk: Houston, we have a problem! Any supposed greater security of mergers and acquisitions (or possibly nationalisations) generates enough uncertainty for measures to look after number one to kick in. These may be data timebombs, as profitable information may be hoarded in anticipation.

Breaching the human firewall

Even the most process-oriented institution hinges on the human components that carry the information systems through their lifecycles from conception to disposal. All that data on the hard drive and the checks for what goes out: how many organisations rely on the human firewall of last-minute caution?

How many organisations rely on threats of disciplinary action to assure compliance with their acceptable use or data protection policy? When your job - or even the whole institution - is going, there's limited or no incentive to comply. When IT-savvy users can pocket the database on a USB stick, who's interested in pilfering the stationery? And never mind the database. Financial institutions regularly handle identifying documents - rich pickings to sell at the next dark market (the one we don't know about).

Processes and regulation

Closures and redundancies will test the security systems. Good practices such as the BS 7858 screening standard look at movement in, through and out of the organisation, but what if it is the controllers of the leaving process who are leaving?

Don't discard standards though. Perhaps pick them up for the first time. BS 7858 was created to support security screening of individuals employed in a security environment. With the personal data sloshing around the banking systems, everyone works in a security environment.


How well controlled will the disposition of the assets from failed institutions be? Will the administrators take tight control of collecting assets before staff leave? How up to date are your inventories?


Make warnings about data compliance part of the notification process, with the awareness that as soon as there are signs of the going getting tough, the tough will be going about their exit preparations, and for some this may well precede that. Forensics has a part to play. What's your forensics policy?

Consider the role of third-party security services to assure protection in good times and bad. This runs deeper than ISO/IEC 27001 certification. Security is like petrol prices: once heightened, you never drop back as far as you were before.

Read more expert advice from the Computer Weekly Security Think Tank >>
