The "RISKY BUSINESS" Blog

First Bikinis — now Pink Slips (security incidents can get ugly)

Posted by John Verry on Wed, Feb 25, 2009 @ 11:21 PM

More than half of all employees who lost or left their jobs last year took confidential company data with them. According to the study released by the Ponemon Institute and Symantec, 59 percent of ex-employees admitted to stealing confidential company information. The most commonly taken data included e-mail lists, employee records, customer information, and non-financial information.

Over the last year, we have not only had direct experience with similar security incidents, we have also seen cases of extortion and sabotage. Several weeks ago, an outgoing marketing executive intentionally ran SQL updates against the customer data warehouse using somebody else’s account with the intent of destroying the data. The attack was successful. A restore from tape was painful, caused data integrity problems, and resulted in the loss of almost a week’s worth of client transaction history. Sadly, the regular use of shared passwords precluded any opportunity to prosecute.

According to the report, 53% of respondents downloaded information onto a CD or DVD, 42% onto a USB drive, and 38% sent attachments to a personal e-mail account. Now the last group of people is just plain stupid. Lest you think the report is wrong — we have done two forensic investigations in the last several months with the goal being to document a leaving employee’s use of the corporate email system to forward proprietary information to their personal emails and/or a competitor.

Where it gets scary is the use of USB and/or CD/DVD. The vast majority of the companies I work with (with the notable exception of hedge funds) have no mechanisms in place to detect or prevent this type of an inside “attack”.

Officials at both Ponemon and Symantec say they expect the trend to continue, if not worsen, as the economy deteriorates and layoffs increase. “If your organization is planning a RIF [reduction in force], you need to understand the attitudes of the people who are being let go,” says Michael Spinney, an analyst at Ponemon Institute. “Once they’ve lost their jobs, they feel like they don’t really have a lot to lose.”

Sooo … if you are looking at layoffs — you better take a long hard look at your controls over sensitive data before you start dropping pink slips.
