Throughout 2014 and into 2015, most recently with the Anthem Blue Cross breach, a new breach or exploit of epic proportions has surfaced every few weeks with distressing regularity. But the “shock and awe” surrounding the Sony Pictures hack of late 2014 has been unsurpassed: intellectual property pirated, embarrassing emails publicized, the resignation of a top executive, a movie premiere cancelled in the wake of terrorist threats.
A sidebar to the Sony story is that the breach caused collateral damage to the professional services giant Deloitte. Salaries of key executives and thousands of the firm’s employees were leaked, along with their names and Social Security numbers: pretty private stuff. The files came from a former Deloitte employee who had moved to Sony.
When this person left Deloitte and went to work at Sony, she was allowed to keep her laptop. That, in itself, isn’t necessarily an insecure practice. But allowing so much confidential data to remain on the laptop certainly was: a device that leaves with an employee should be wiped of everything the organization considers confidential, and the wipe should be verified rather than assumed.
The adage that you’re only as strong as your weakest link rings loud and true here. Like many enterprises, Deloitte no doubt has powerful technical controls over its information: firewalls, antivirus and similar safeguards. But technology alone won’t protect your data. You have to look at all your controls and at every aspect of your operation if you want to be assured you’re secure.
Within the ISO 27001 framework, HR onboarding, training and offboarding practices are among the things you’re directed to look at closely: Annex A’s reference list of controls covers human resource security (A.7), return of assets (A.8.1.4) and removal or adjustment of access rights (A.9.2.6) in the 2013 edition. Part of offboarding departing employees, whatever the circumstances of their leave-taking, is to collect hardware devices (laptops, cell phones, thumb drives) or, at a minimum, verifiably wipe confidential data from them.
Is the departing person’s smartphone linked to your email server? That connection needs to be severed, which means removing the device partnership or issuing a remote wipe through your MDM, not merely changing a password. Logins and other access permissions need to be revoked immediately, including standing credentials that outlive a disabled account, such as VPN certificates, SSH keys and API tokens. Nondisclosure obligations should be reviewed in the termination interview, and each step should be recorded so the process can be audited later.
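The offboarding steps above are only a control if someone checks that they actually happened. The following is an added example, not code from the original post or from Pivot Point Security: it reconciles an HR departure list against exports of directory account state, mailbox mobile-device partnerships, the hardware asset register and standing credentials, and reports every step that is still open once a grace window has passed. The record formats, the 24-hour grace window and all of the sample people, devices and timestamps are assumptions constructed for the example.

```python
"""Offboarding reconciliation check.

Added example, not from the original post or from Pivot Point Security.
It assumes you can export (a) HR departures, (b) directory account state,
(c) mailbox mobile-device partnerships, (d) the hardware asset register and
(e) standing credentials such as VPN certificates or API tokens. Every record
below is constructed sample data, not a real person or system.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Departure:
    user: str
    last_day: datetime


@dataclass(frozen=True)
class Asset:
    tag: str
    assigned_to: str
    status: str  # "issued" | "returned" | "wiped"


@dataclass(frozen=True)
class Credential:
    user: str
    kind: str  # e.g. "vpn-cert", "api-token", "ssh-key"
    revoked: bool


Finding = Tuple[str, str, str]  # (user, control, detail)


def audit_offboarding(
    departures: List[Departure],
    accounts: Dict[str, bool],                  # user -> account still enabled?
    device_syncs: Dict[str, Optional[datetime]],  # user -> most recent mobile sync
    assets: List[Asset],
    credentials: List[Credential],
    now: datetime,
    grace: timedelta = timedelta(hours=24),     # assumed tolerance after the last day
) -> List[Finding]:
    """Return one finding per offboarding step that is still open, sorted for stable output."""
    findings: List[Finding] = []
    for dep in departures:
        overdue = now > dep.last_day + grace
        # Access removal (A.9.2.6): the account must be disabled once the grace window passes.
        if overdue and accounts.get(dep.user, False):
            findings.append((dep.user, "account-still-enabled",
                             f"enabled {now - dep.last_day} after last day"))
        # A phone that synced mail after the last day still holds a live partnership.
        last_sync = device_syncs.get(dep.user)
        if overdue and last_sync is not None and last_sync > dep.last_day:
            findings.append((dep.user, "mobile-sync-active",
                             f"mailbox synced at {last_sync.isoformat()}"))
        # Return of assets (A.8.1.4): hardware back, and wiped, not merely returned.
        for asset in assets:
            if asset.assigned_to != dep.user:
                continue
            if asset.status == "issued" and overdue:
                findings.append((dep.user, "asset-not-returned", asset.tag))
            elif asset.status == "returned":  # data still on it, regardless of timing
                findings.append((dep.user, "asset-not-wiped", asset.tag))
        # Standing credentials outlive a disabled account unless revoked explicitly.
        for cred in credentials:
            if overdue and cred.user == dep.user and not cred.revoked:
                findings.append((dep.user, "credential-active", cred.kind))
    return sorted(findings)


def run_sample() -> List[Finding]:
    """Run the audit over constructed sample exports and return the findings."""
    now = datetime(2015, 2, 20, 9, 0)
    departures = [
        Departure("alice", datetime(2015, 2, 13, 17, 0)),  # left a week ago
        Departure("bob", datetime(2015, 2, 19, 17, 0)),    # left yesterday, inside grace
        Departure("carol", datetime(2015, 2, 1, 17, 0)),   # left three weeks ago
    ]
    accounts = {"alice": True, "bob": True, "carol": False}
    device_syncs = {"alice": datetime(2015, 2, 18, 8, 0),
                    "carol": datetime(2015, 1, 30, 8, 0)}
    assets = [
        Asset("LT-1001", "alice", "issued"),
        Asset("LT-2002", "carol", "returned"),
        Asset("LT-3003", "bob", "issued"),
        Asset("LT-4004", "carol", "wiped"),
    ]
    credentials = [
        Credential("alice", "vpn-cert", revoked=False),
        Credential("carol", "api-token", revoked=True),
        Credential("bob", "ssh-key", revoked=False),
    ]
    return audit_offboarding(departures, accounts, device_syncs, assets, credentials, now)


if __name__ == "__main__":
    for user, control, detail in run_sample():
        print(f"{user:8} {control:24} {detail}")
```

Bob produces no findings because he is still inside the grace window; rerun the same check a day later and his enabled account, unreturned laptop and live SSH key all surface. The grace window is the one policy knob in the script, and it should match whatever your offboarding procedure actually promises.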
The bottom line is that organizations need to ensure that these “soft controls” or “people controls” are in place around asset recovery and other HR processes. This is an area that some organizations struggle with. Are soft controls a weak link in your security armor? If so, your information is at risk no matter how good your technical controls are.
Deloitte has a cyber risk services division, yet it was let down by a weak information security policy or process where soft/people controls were concerned, and that weakness came back to haunt it. When you look at this part of your company’s ISMS, do you see weaknesses that should be addressed? Do you see risks that you’re not willing to accept?
If so, ISO 27001 can give you a framework for strengthening your security, because it requires you to (1) continually improve your ISMS (Clause 10) and (2) periodically go back and reassess, through internal audits and management review (Clause 9), what your policy says you’re doing and how well you’re actually doing it.
Many organizations prefer to hire an independent, unbiased third party to help with this audit process. An external auditor with both insight and impartiality can often provide a clearer and more useful assessment of an organization’s information security status.
To talk with an information security expert about how to know where your weak links are and to review the effectiveness of your safeguards, contact Pivot Point Security.