Keeping sensitive information secure when staff is leaving

John Colley
John Colley

“Do not give the impression it can be fixed with technology,” says Michel Frenkiel of MobileGov, “You can’t fool yourself”. Coming from the chairman of a company celebrated for its creation of ‘Digital DNA’ that aims to eradicate the use of unauthorised devices on particular systems, this caution signals the magnitude of the risks that can arise from data exposure to staff, and vice versa.

A Ponemon report from December 2007 entitled ‘Data Security Policies are not Enforced’, where 893 security professionals were surveyed, revealed that 39% of employees polled had lost a USB memory stick, zip drive or laptop computer that contained sensitive or confidential business information, while 56% thought their employers would never be able to determine what was on a lost device. Perhaps more care might be taken if policies are enforced, but the same survey indicates that 51% said they copied confidential information onto a USB memory stick, despite 87% being aware that the company forbade it. 46% shared passwords with coworkers despite 67% knowing that under staff information security policy, it wasn’t permitted.

Such figures suggest that while education may be implemented, a tendency to ignore sound information security advice is endemic.

“Day one [of a new position] is the latest to ensure that people are aware of this responsibility for protecting assets of the system,” advises Iain McLeod, managing director of SAI Global, a provider of standards, compliance and business solutions.

In terms of ensuring information security guidelines, says McLeod, “We strongly recommend a risk based approach is adopted to get the right messages to the right people. There shouldn’t be a sheep-dip approach.”

He observes that, “many organisations have the same approach to everyone. They don’t differentiate people higher up in the organisation.” McLeod cites the example of technical teams, who may know how to perform secure coding but may not know some of the “softer implications” of information security.

Brand value

One organisation taking their procedures for company ‘newbies’ seriously is The Salvation Army, where Valerie Maddock, head of IT learning and user support, has implemented a mandatory information security induction system for all joining staff.

“We have a high turnover of starters,” says Maddock. “We’ve always delivered an IT introduction, but it’s been clumsy. This year I’ve turned around what was clumsy into an online solution”. Maddock’s system boasts a ‘walled garden approach’, whereby a brand new user cannot access the organisation’s system until they have completed the induction, which comprises security information and advice with a series of tests.

“We cover what resources are available, the Database Protection Act, what phishing and spam is, and also [teach them] to not become corporate spammers themselves, like if someone misuses a mass distribution list to email four and a half thousand people to tell them they’ve lost a cardigan.”

Staff are advised that “they’re there for work, not social networking.” Maddock adds that they are strongly advised not to carry out financial transactions over work computers, and told who to contact if help is needed. “It’s not a case of ‘Thou Shalt Not’” she says, “but you have to understand you’re part of an organisation who take computer systems very seriously,” stating that “we have a big brand value; we must all buy into that brand”.

Technical controls are also implemented. “When a user puts in a request, they tell us what access requests they want. We double check this. From time to time we review these access rights.” The organisation restricts email attachments to 10 megabytes, and restricts certain types of files which are blocked by email filtering. Maddock insists that all requests are investigated and that their approach is “not Draconian”.

As for contract and temporary staff at the social services provider, a time limited access is put on the account. The employee doesn’t have to go through the induction every time they need to renew it.

“One or two people get frustrated, but people like contractors and temps are probably our biggest risk,” says Maddock. “If anyone needs to be aware, it’s them”.

John Colley, managing director EMEA at (ISC)2, agrees that it is particularly important that this contingent of temporary personnel understand company policies.

However where staff turnover is high, such as in call centres, where Colley notes that the “average life is four to five weeks”, it’s “probably quite an expensive thing to do” and “onerous” adding that it can also put a time delay on the employment process when temps are often needed to begin immediately. It’s important, then, to ensure that employers use an agency that checks references thoroughly.

Close the backdoor

While laboriously highlighting information security procedures is necessary for all companies, there’s a prerequisite of trust on which it relies heavily. However employees such as those leaving under undesirable circumstances may be particularly susceptible to taking data either for their own benefit or more callously, for revenge.

The risk of data abuse when a member of the IT staff or a highly privileged user leaves, might be “quite relevant in the current economic climate,” says John Rolls, vice president of product management at desktop and server management company, ScriptLogic.

“It’s not so much that someone forgets to close down their account, but that there’s a bunch of accounts lying around the system that are used for highly privileged operations, and [leavers] know the passwords to them.”

Rolls warns that a leaver with malicious intentions may use the password to get back into the network. “And the password’s hardly ever changed,” he adds, “and it’s probably known by two or three people in the IT department. Those are the kinds of things which it’s very hard to update unless you have the right tools available. It’s a risk we run into a number of times.”

Rolls notes that it’s hard to go through lots of files and databases to make sure all references to a particular user, and all ‘backdoors’ are cleaned up.

“It’s alarming. We find it all the time, we go into organisations who have systems quite well locked down for existing employees, but they find out that when you actually look at the permissions and the access controls in place there’s a lot of information there which relates to people who left two years ago.”

As Colley points out, this evokes a ‘Minority Report’ situation, where in the futuristic action film, Tom Cruise’s character undergoes an eye transplant to evade iris detection, but later uses his retained ‘old’ eyes to access a unit. Absurd? Absolutely. Pertinent? Unfortunately.

Damage control

Maddock states that at the Salvation Army, their biggest problem when it comes to information security, is leavers. “We haven’t got our head round them yet.”

“Everyone’s keen to get everyone on the system, but not everyone’s keen to terminate the system” she says, remarking that employers forget about it, or worry that some of the data needed by their successor will be deleted if the account is terminated.

If the end of a contract may cause enmity, Maddock ensures that the leaver’s email account is suspended immediately. Additionally, accounts held by staff in the IT department, who often have privileged access rights, are suspended irrespective of whether the employee leaves “under duress or not”.

It’s evidently difficult to know which few workers may eventually choose to indulge in espionage, but a background check may help to mitigate such risks.

McLeod warns that there can be a gap in certain organisations where references are not taken up.

“Somebody thinks someone else is doing it.” It’s also good practice, and common sense, to hear alarm bells when an applicant offers to bring information from a previous company with them.

“You must ensure employees love you and don’t want to leave the company,” says MobileGov’s Frenkiel.

He recalls an example of when an applicant offered to work with the company, declaring he could bring information from a competitor. He was turned down as the offer was too risky. It also transpired that the competitor was infringing on MobileGov’s product.

“Your best protection is legal protection via patents,” says Frenkiel, but with the caveat that while this is acceptable for technical information, it won’t be as applicable to commercial information, such as a list of customers, and what’s been sold and how much.

The last year has seen numerous losses of private data, and it can cost dearly in terms of finance, image and political success.

“When you steal information, the risk is much less than if you steal hardware,” says Frenkiel. As for the victims, according to Frenkiel, insurance will help if you forget to lock hardware, but not if you forget to lock information.

“The law changes, but after the fact,” warns Frenkiel, offering an example of an employee taking information from IBM to Apple. He may have signed a contract swearing that he will not impart data to competitors, but if he can argue in court that the two companies are not in direct competition, the perpetrator may well win the trial. “And anyway,” laments Frenkiel, “it’s already too late.”

“Sensitive information doesn’t come in two big bags,” he says. “It’s a few sentences, or a few paragraphs. The best way to protect it is to have it in your head…we’re not able to brainwash people”.

Alan Bentley, vice president EMEA of Lumension, application protection specialists, believes that “the majority of data leaks are not malicious. They’re mistakes over not knowing what policies are in place or from thinking [that] if you can circumvent policies you can do your job better.”

But information security policies are not infallible. Colley notes that when an employee has been in the same job for a while “You don’t always remember what you signed.” He stresses that good practice means reinforcing information security policy, probably on an annual basis, for instance in a salary review.

Cold comfort

Whether information security technology can significantly protect a company may be debatable, but it can certainly destroy one. The variety of devices available means there are plentiful ways of taking information.

Memory sticks are a constant threat, and even email can be abused. ScriptLogic’s Rolls observes that ipods are essentially “a USB stick in disguise” while Bluetooth can easily be used to download a contact list onto a mobile phone, many of which have a high storage ability.

Rolls recommends a “centralised software policy infrastructure so that you create a policy that is applied to all your desktops, and your servers for that matter,” meaning that any user in the organisation has a “strictly defined policy on what they can do with a USB stick or removable drive.”

He points out that this can be done for free, in Windows, “but it’s a very blunt tool. It’s everything on or everything off, there’s no granularity.”

It’s impractical, for instance, to comprehensively disallow the use of digital cameras, where certain departments such as marketing may have a valid reason to use them. It’s better to use a system where “you don’t cripple the existing workforce, but you do protect yourself from some of them leaving and taking data with them.”

Maddock notes that while most procedures at The Salvation Army are non-technical, they do use Lumension product Sanctuary; a device control which prevents data loss and theft by enforcing removable device use policies to control the flow of inbound and outbound data from endpoints.

“We can audit and copy everything taken off a device or not allow the device to be plugged in.” says Lumension’s Bentley.

Indeed, audit trails are vital to finding a culprit, but only useful after the event. As (ISC)2’s Colley bemoans, “you can’t really stop it at the end of the day.”

The problems encountered from those newly decorating their desks, and those clearing it, will not be eradicated in the near future. As long as a company’s corporate success depends on private information, a particular algorithm, or recipe, it will necessarily be exposed to staff, and a company cannot function if personnel are denied access to a company’s system.

A healthy measure of information security policies, procedures and technology may not exactly boost office morale, but a good employee will understand why it is there and be willing to comply. While an organisation can no longer expect loyalty to a role, it can at least expect loyalty to company integrity.

What’s hot on Infosecurity Magazine?