As the national headlines continue to feature the WikiLeaks organization on a frequent basis, GraVoc’s information security team has received a slew of blog posts and emails about what this means to businesses. WikiLeaks is now moving beyond the realm of military and diplomatic secrets, as they have most recently revealed that a former executive of a Swiss bank is the next source to submit confidential data to the rogue clearinghouse of classified information. The lessons that can be learned from this series of incidents can be applied to virtually every business, small and large.
The issue at hand is that today it is easier than ever to publish information on a public forum, and many people with an ax to grind with their employer have a motive, economic or otherwise, to compromise the employer’s strategic advantage. You see this in the case of the lower-level Army analyst who supplied diplomatic information to WikiLeaks, and you also see it with the bank executive, whose actions now put the Swiss bank in question at significant risk, both to its reputation and to its regulatory compliance with that country’s stringent privacy laws.
These two examples further illustrate the point that while organizations may be making significant efforts to ensure that information is not compromised by malicious third parties, they may not be making adequate efforts to guard themselves against insider threats. Of course, a lot of insider threat is unavoidable. At any time, for any reason, a trusted employee could decide to commit treason against an organization. However, there are relatively easy steps that can minimize the impact of these threats.
- Background Checks: If a person is going to be granted access to privileged information, the organization should ensure that the new employee has no history of fraud and exposes the firm to no unneeded risk. If this means exploring social media channels, so be it, but tread lightly.
- Permission Controls: Tools are very readily available to manage permissions, both over the network and by application. It may take extra time and effort by the necessary IT administrators to set up and change permissions, but it will help minimize the chance of unauthorized employees having access to information they don’t need to know.
- Audit Trails: Logging users’ activity, including changes to files, deletion of files, and views of files, should be considered at organizations that house a large amount of confidential information. If files are accessed, duplicated, or changed inappropriately, somebody will be held accountable for it, whether through disciplinary or legal action.
GraVoc Associates, Inc., a technology consulting firm based in Peabody, MA, is committed to providing solutions to customers with the use of technology through its practices of information technology & professional services, media production, information systems, and information security. The information security practice works with a clientele both within and outside the financial services industry throughout Greater Boston and New England, providing IT assurance, consulting, and audit solutions that will help a business secure its confidential data from malicious parties both from the outside and the inside. For more information regarding GraVoc, please visit https://www.gravoc.com.