Recently two of the most publicized cases of improper disclosure of personal information (Fidelity and the Veterans Administration) occurred through what might be described as the "clueless insider" threat. In both cases an employee had copied large amounts of critical information (names, Social Security numbers, account information and other data) onto a laptop, and then lost the laptop. In the Fidelity case, the laptop disappeared from a car at a company meeting. (I am one of the 198,000 whose personal information was on that laptop.) In the VA case, the employee took the laptop home - against policy - and it was stolen during a home burglary. Some experts think the VA case could cost $500 million in remediation and other costs.
It is difficult for any organization to prevent cases in which a current employee does something in direct violation of policy. That is why this could be called the "clueless insider" threat. More insidious is the threat from people who were employees until recently, left the organization voluntarily or involuntarily, and still hold their data access privileges - the "ghost employee" threat. It is not the former employee's responsibility to ensure that the access is gone. The human resources and IT departments are responsible for that, and if they fail to coordinate so that departing employees are cut off at the right time, the cluelessness resides in the organization. The same applies to employees who have shifted roles within the organization: their access must be adjusted to reflect the new role, not simply added to what they already had.
This is not a small problem. The 2005 FBI Computer Crime Survey found that the internal threat - which includes ghost employees - comprises 44 percent of reported data security breaches. The FBI report found that this is the number-two reason for security violations, behind only virus attacks. Several other studies indicate that insiders are the greatest threat. The U.S. Secret Service and CERT conducted a study of illicit cyber activity in the financial sector which found that 78 percent of incidents were carried out by authorized users.
Effective management of user changes is also a top IT control issue. A study published in CIO Magazine in July 2005 showed proper entitlements management to be a "top five" IT control weakness, and this concern has been borne out in numerous conversations I've had in the past few months with officials of public companies. Two top Wall Street banks rate fixing this IT control weakness as a top initiative for the coming year, and no wonder: such a large firm can have 30,000 to 40,000 employee status changes a year, not to mention third-party (e.g., consultant) access.
It is difficult to find statistics that show what portion of insider breaches come from ghost employees, but even if it is a fairly low number, these are still very serious threats. An experienced, knowledgeable former employee - who may be resentful and angry - can do more damage than an uninformed outsider. If the former employee has access to critical online information, an organization and its customers are at very high risk.
What can an organization do to solve this problem, and what are the implications for complying with Sarbanes-Oxley and other key regulations?
The Process Issue: It is critically important that the human resources or personnel department of any public company is in immediate, direct communication with the IT department. When an employee leaves the company - especially when he or she is fired, downsized or changes role - the IT department should know in advance, so that it has time to restrict, terminate or redefine the employee's access to some or all online data before the change takes effect. A common finding when organizations investigate a ghost employee breach is that the IT department did not know the employee had left and therefore never cut off access. That window of vulnerability can stay open for weeks or months. With the advent of recent regulations, a customer victimized by a ghost employee's actions may also have grounds for legal action. In addition, the organization should carry out periodic assessments of user entitlements - comparing who actually holds access against the current HR roster and each role's approved baseline - to confirm that users still have only the access they should.
The Regulatory Issue: Organizations should understand the implications of federal regulations, particularly section 404 of the Sarbanes-Oxley Act. This provision makes management responsible for maintaining an adequate internal control structure and for publishing an annual assessment of the effectiveness of those controls, which the company's outside auditor must attest to. Senior management of a public company is therefore accountable, through the annual report, for the effectiveness of the organization's internal controls. Protecting against a ghost employee breach fits squarely within maintaining an internal control structure under section 404, and several major audit and consulting firms have put this issue on their top 10 IT control lists for 2006. The bottom line: public company CEOs and CFOs are on the hook when a ghost employee violates security. A control failure of this kind may also have to be disclosed in that assessment, potentially damaging the organization's reputation - and their own.
The Technology Issue: Organizations must enlist technology to manage user entitlements effectively. Technology can assist in several ways. First, it can provide ongoing assessments of user privileges against policy and role baselines. Second, for "obsolete" users who change roles or leave the company, it can automate the identification of access that must be shut off, ensure the changes are actually made, and maintain a trusted record of those changes. Third, because a former employee may reach data by other means (a shared account, a service account, or an entitlement nobody mapped back to the person), organizations must also be able to audit database activity directly. An audit trail of database activity shows who took what actions upon what data; to be credible it must be written to a store the audited administrators cannot alter, since the people most able to abuse lingering access are often the same people who can edit the database's own logs. If an organization has been lax in controlling the data access of ghost employees, a database auditing solution can establish what happened and provide the evidence needed if the breach must be reported.
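The following is an added example, not code from the original article or from any product it discusses. It shows the two checks the process and technology sections above call for: a periodic reconciliation of live entitlements against the HR roster and a per-role baseline (flagging terminated users who still hold access, orphan accounts with no HR record, and role-changers carrying grants from their old job), each finding turned into an itemised revocation record; and a review of database audit-trail lines for activity on or after a user's termination date. The roster, role baseline, entitlement snapshot and audit-log format are all constructed for the example and are assumptions, not any vendor's or employer's data.

```python
"""Entitlement reconciliation and audit-trail review for the "ghost employee" problem.
Added example; all data below is constructed inline so the script runs offline."""
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Set

# Assumed policy baseline: the entitlements each role is allowed to hold.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "analyst": {"crm_read"},
    "dba": {"crm_read", "crm_write", "db_admin"},
    "hr_specialist": {"hr_read", "hr_write"},
}


@dataclass(frozen=True)
class Worker:
    user_id: str
    role: str
    status: str        # "active" or "terminated"
    status_date: date  # date of hire, role change or termination


# Constructed HR roster, as HR would feed it to IT.
HR_ROSTER: List[Worker] = [
    Worker("alice", "analyst", "active", date(2004, 6, 1)),
    Worker("bob", "dba", "terminated", date(2006, 2, 15)),
    Worker("carol", "hr_specialist", "active", date(2006, 1, 9)),  # moved here from dba
]

# Constructed snapshot of what the directory / database actually grants.
ENTITLEMENTS: Dict[str, Set[str]] = {
    "alice": {"crm_read"},
    "bob": {"crm_read", "crm_write", "db_admin"},  # terminated, never revoked
    "carol": {"hr_read", "hr_write", "db_admin"},  # db_admin lingers from old role
    "dave": {"crm_read"},                          # no HR record at all
}


def reconcile(roster, entitlements):
    """Compare live grants against the roster and the role baseline.
    Returns (finding_type, user_id, sorted offending grants) tuples."""
    by_id = {w.user_id: w for w in roster}
    findings = []
    for uid, grants in sorted(entitlements.items()):
        worker = by_id.get(uid)
        if worker is None:
            findings.append(("orphan_account", uid, sorted(grants)))
        elif worker.status == "terminated":
            findings.append(("ghost_employee", uid, sorted(grants)))
        else:
            excess = grants - ROLE_BASELINE.get(worker.role, set())
            if excess:
                findings.append(("excess_for_role", uid, sorted(excess)))
    return findings


def revocation_plan(findings, as_of: str):
    """One revocation record per grant, so the change log says who lost what,
    why and when, rather than a single 'cleaned up' note."""
    return [{"user": uid, "grant": g, "reason": kind, "as_of": as_of}
            for kind, uid, grants in findings for g in grants]


# Constructed database audit-trail lines; the format is assumed, not any vendor's.
AUDIT_LOG = [
    "2006-02-10T11:02:17 user=bob action=SELECT object=customers rows=40",
    "2006-03-02T09:14:00 user=bob action=SELECT object=customers rows=1200",
    "2006-03-02T09:20:45 user=bob action=UPDATE object=accounts rows=3",
    "2006-03-03T14:05:09 user=alice action=SELECT object=customers rows=12",
    "2006-03-04T08:00:00 user=dave action=SELECT object=customers rows=900",
]
LINE_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) object=(\S+) rows=(\d+)$")


def flag_post_termination_activity(log_lines, roster):
    """Return audit entries made by a user on or after their termination date,
    plus entries by accounts that have no HR record at all."""
    by_id = {w.user_id: w for w in roster}
    flagged = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a real review would count these separately
        ts, uid, action, obj, rows = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").date()
        worker = by_id.get(uid)
        if worker is None:
            why = "no_hr_record"
        elif worker.status == "terminated" and when >= worker.status_date:
            why = "after_termination"
        else:
            continue
        flagged.append({"when": ts, "user": uid, "action": action,
                        "object": obj, "rows": int(rows), "why": why})
    return flagged


if __name__ == "__main__":
    findings = reconcile(HR_ROSTER, ENTITLEMENTS)
    for f in findings:
        print("finding:", f)
    for r in revocation_plan(findings, "2006-03-10"):
        print("revoke:", r)
    for e in flag_post_termination_activity(AUDIT_LOG, HR_ROSTER):
        print("audit:", e)
```

Run as written, the reconciliation flags bob (terminated but fully entitled), carol (an hr_specialist still holding db_admin from her old dba role) and dave (an account with no HR record), and the audit review flags bob's two queries after his February 15 termination plus dave's activity. The two checks are deliberately independent: the first catches access that should already be gone, the second catches use of access that the first missed or that was never tied to a named person.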
Ghost employee fraud without an audit trail is the worst-case scenario: lax security and user management practices allowed a breach, and the organization does not know, or cannot establish, that it happened. Worse, it cannot tell what data the ghost employee compromised.
In a perfect world, employees would leave their roles in a professional and honest way, the IT department would be fully in the loop, and obsolete user privileges would be shut down before the departing employee could do any damage. However, human nature makes this a situation of uncertainty and fuzziness. The best solution is to head off ghost employee threats before they happen.