Throughout 2014 and into 2015 (most recently with the Anthem Blue Cross breach), a new breach or exploit of epic proportions has arrived every few weeks with distressing regularity. But the “shock and awe” surrounding December’s Sony Pictures hack has been unsurpassed: intellectual property pirated, embarrassing emails publicized, the resignation of a top executive, a movie premiere cancelled in the wake of terrorist threats.
A sidebar in the Sony story is that the breach caused collateral damage to the professional services giant Deloitte. Salaries of key executives and thousands of the firm’s employees were leaked, along with their names and social security numbers—pretty private stuff…
Any organization that is ISO 27001 certified is obliged to find opportunities for improvement in the operation of its information security management system (ISMS). Is the Sony hack “just another mega-breach?” Or is there something important that security-aware organizations can learn and apply from this unfortunate news?

How did confidential Deloitte data get dumped on the Internet in Sony’s downfall? Apparently the data was on a Sony HR employee’s laptop. She had formerly worked at Deloitte and was at some point tasked with analyzing the company’s compensation, looking for “inadvertent” pay imbalances across multiple job roles based on “discriminatory” factors like gender and race. A few discrepancies were found and remediated.
When this person left Deloitte and went to work at Sony, she was allowed to keep her laptop. That, in itself, isn’t necessarily an insecure practice. But allowing so much confidential data to remain on the laptop certainly was.
The adage that you’re only as strong as your weakest link rings loud and true here. Like many enterprises, Deloitte no doubt has powerful technical controls over its information: firewalls, antivirus and similar safeguards. But technology alone won’t protect your data. You have to look at all your controls and at every aspect of your operation if you want to be assured you’re secure.
Within the ISO 27001 framework, HR onboarding, training and offboarding practices are among the things you’re directed to look at closely (it’s in the “selected list of controls” in Annex A). Part of offboarding departing employees, whatever the circumstances of their leave-taking, is to collect hardware devices (laptops, cell phones, thumb drives); or, at a minimum, remove confidential data from them.
Is the departing person’s smartphone linked to your email server? That connection needs to be severed. Logins and other access permissions need to be updated immediately. Nondisclosure obligations should be discussed in the termination interview, and so on.
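The offboarding steps above are only as good as your ability to verify they actually happened. Below is an added example, not code from the original post or from Pivot Point Security, of a simple leaver reconciliation check: it takes HR leaver records and compares them against three other sources (a directory export with the account-enabled flag, the mail server's list of mobile-device partnerships, and the asset register) and reports every gap. All data structures and sample records are constructed for illustration and assume the field names shown in the docstring.

```python
# Added example (not from the original post): reconcile HR leaver records against
# the directory, the mail server's mobile partnerships and the asset register to
# surface offboarding gaps. All input data below is constructed for illustration.
from dataclasses import dataclass
from datetime import date


@dataclass
class Leaver:
    user: str            # directory login name
    left_on: date        # last working day
    issued_assets: list  # asset tags issued to this person


def find_offboarding_gaps(leavers, directory, mobile_partnerships, asset_register, as_of):
    """Return a sorted list of (user, gap) tuples for everyone who has left by `as_of`.

    Assumed input shapes (hypothetical, not any real product's export format):
    directory:           {user: {"enabled": bool}}
    mobile_partnerships: {user: [device_id, ...]}   # e.g. phone-to-mail-server pairings
    asset_register:      {asset_tag: {"status": "returned" | "retained" | "outstanding",
                                      "data_removed": bool}}
    """
    gaps = []
    for lv in leavers:
        if lv.left_on > as_of:
            continue  # still employed as of the check date; nothing to revoke yet
        acct = directory.get(lv.user)
        if acct is not None and acct["enabled"]:
            gaps.append((lv.user, "account_still_enabled"))
        for dev in mobile_partnerships.get(lv.user, []):
            gaps.append((lv.user, f"mobile_partnership_active:{dev}"))
        for tag in lv.issued_assets:
            entry = asset_register.get(tag)
            if entry is None or entry["status"] == "outstanding":
                gaps.append((lv.user, f"asset_outstanding:{tag}"))
            elif not entry["data_removed"]:
                # Device returned, or kept by the leaver, but confidential data never
                # removed from it: the weak link described in the post.
                gaps.append((lv.user, f"asset_data_not_removed:{tag}"))
    return sorted(gaps)


def run_example():
    """Run the check over constructed sample data and return the findings."""
    leavers = [
        Leaver("a.lee", date(2015, 1, 10), ["LT-0001", "PH-0001"]),
        Leaver("b.kim", date(2015, 1, 20), ["LT-0002"]),
        Leaver("c.ng", date(2015, 3, 1), []),  # leaves after the check date
    ]
    directory = {
        "a.lee": {"enabled": False},
        "b.kim": {"enabled": True},   # login never disabled
        "c.ng": {"enabled": True},
    }
    mobile_partnerships = {"b.kim": ["iPhone-ABC"]}  # phone still paired to mail
    asset_register = {
        "LT-0001": {"status": "retained", "data_removed": False},  # laptop kept, data left on it
        "PH-0001": {"status": "returned", "data_removed": True},
        # LT-0002 has no register entry at all: treated as outstanding
    }
    return find_offboarding_gaps(leavers, directory, mobile_partnerships,
                                 asset_register, as_of=date(2015, 2, 15))


if __name__ == "__main__":
    for user, gap in run_example():
        print(f"{user}: {gap}")
```

Run it periodically (for example from the same job that produces the directory export) and treat any non-empty result as an ISMS nonconformity to be tracked to closure; the point is to make the "people controls" auditable rather than assumed.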
The bottom line is that organizations need to ensure that these “soft controls” or “people controls” are in place around asset recovery and other HR processes. This is an area that some organizations struggle with. Are soft controls a weak link in your security armor? If so, your information is at risk no matter how good your technical controls are.
Deloitte has a cyber risk services division, yet they were subject to a weak information security policy or process where soft/people controls were concerned, and it came back to haunt them. When you look at this part of your company’s ISMS, do you see weaknesses that should be addressed? Do you see risks that you’re not willing to accept?
If so, ISO 27001 can give you a framework for strengthening your security, because it requires you to 1) continuously improve and 2) periodically go back and reassess what your policy says you’re doing and how well you’re doing it.
Many organizations prefer to hire an independent, unbiased third party to help with this audit process. An external auditor who has both insight and impartiality can often provide a clearer and more useful assessment of your organization’s information security status.
To talk with an information security expert about how to know where your weak links are and to review the effectiveness of your safeguards, contact Pivot Point Security.