Posts Tagged “United Kingdom”

According to the U.S. Department of Labor, Bureau of Labor Statistics, the unemployment rate in the U.S. is 6.7% – up two (2) percentage points in the past year.  In the United Kingdom, the BBC reports that nearly ten (10) million working age people are “not in paid employment.  This includes the 1.8m unemployed, plus another 7.9m who are deemed to be ‘economically inactive’.”  That is Britain’s highest rate in 11 years.  Europe’s largest economy, Germany, is expected to contract by up to 3% in 2009.  Japan’s unemployment rate is also on the rise (3.9%), with the number of unemployed estimated to be 2.56 million.

Unfortunately all forecasts for at least the next year show the jobless and layoff trends increasing. 

It is a sad but true fact that disgruntled employees can pose one of the greatest risks to a company’s sensitive information and resources.   Is your company laying off people?  Does it have a procedure to terminate physical and logical access to systems immediately upon termination?  Is it being followed?

Are you sure and are you willing to bet your company’s future on it?

An overwhelming majority of those who are laid off do not do anything that would be dishonest, but it only takes one employee to cause a problem, as we saw in the Terry Childs case earlier this year. 

In order to appropriately protect critical information it is important to know exactly what it is and, more importantly, where it is located.  When was the last time you cataloged all of your company’s critical information? Is it located in a central location, isolated pockets, or scattered all over the network and user workstations?  Who has access to that information?

I once worked in a company where each division stored their information (that which wasn’t saved to individual user desktops of course) in division level folders on shared network drives.  All of the information within these folders was available to anyone within that division.  When we migrated the network operating system from Novell over to Microsoft Active Directory, my boss and I recommended tightening the access controls on the information.  We were shot down.  To paraphrase one Vice President at the time: “We often collaborate across multiple groups so our people need to be able to get access to everything – besides nothing bad has ever happened before so why change things now?”

Of course she was right, nothing bad had ever happened.  At least to the best of their knowledge nothing bad had happened.  Another way to look at this is that the company decided to accept the risk.   This is all well and good but three years later things were another story.  (I had left the company for greener pastures the year before the incident.) 

You see, they had laid off an employee just before they had to recompete a rather large contract.  The company was a shoo-in to win the work; the recompete was just a formality.  It was a formality until they lost the recompete to a company that had never done that sort of work before.  Apparently they were underbid by almost 25%. 

It wasn’t until someone remembered that the laid-off employee had gone to work for the company that won the contract that they put two and two together.  The problem was that they couldn’t prove anything.  The laid-off employee never worked on that project and by all accounts should never have had access to the project’s information.   The problem was that EVERYONE had access to the information.  Not only did everyone have access, but auditing access to information was thought too obtrusive by senior management so it wasn’t authorized. 

Did the laid off employee walk out with critical information that caused the company to lose the bid?  Who knows for sure?  In my mind it would be a mighty big coincidence if he didn’t but that doesn’t mean anything. 

Was the employee’s account disabled when he was terminated?  That I don’t know for sure.  Knowing how that operation worked I’d venture to say that if the account wasn’t deactivated that day then it was the very next one.  It all depended on whether notification had been sent by HR at the appropriate time.  I do know that he had plenty of forewarning that layoffs were coming and the time in which to copy the information.  (According to my sources.)

While it is very important to terminate both physical and logical access of an employee upon termination, it is equally important to take steps to protect and control access to information and critical services before you get to the point where you’re terminating people.   Some of the activities that I recommend are:

  • Information Categorization;
  • Position Categorization;
  • Auditing access to critical information; and
  • Establishing a log management program.

As I said earlier, you need to know the characteristics of your critical information and where it resides.  That really is the basis of a solid risk-based approach anyway.  Secondly, you need to develop a program that assigns a risk designation to all positions based upon their access to and control over critical information.  (The program should also include screening criteria but that is another post.) Third, you need to audit access to critical information once you know what you need to be watching and who has the right to access it. (You can’t realistically watch everything, so limit your scope.)  Fourth, you need a way to manage all of this additional information so that it can be useful and not simply a waste of time and money. 
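As an added illustration of steps two through four (example code, not from the original post), the script below reconciles file-access audit records against an HR roster that carries a position category and a termination date for each account, and reports the kinds of access the story above shows went unwatched. The roster, the information catalog, the share paths and the audit lines are all constructed sample data.

```python
"""Reconcile file-access audit records against an HR roster (added example, not from the post).

Flags access after the account owner's termination date, access to categorized critical
information by a non-entitled position, and access by an account HR has no record of.
All roster entries, share paths and audit lines are constructed sample data.
"""
from datetime import date

# Constructed HR roster (position categorization): account -> category, termination date.
ROSTER = {
    "jdoe":   {"position": "engineer",     "terminated": date(2009, 3, 2)},
    "asmith": {"position": "proposal_mgr", "terminated": None},
    "bjones": {"position": "sales",        "terminated": None},
}

# Constructed information catalog (information categorization):
# share-path prefix -> position categories entitled to read it.
CRITICAL_INFO = {
    "/shares/proposals/contract-recompete": {"proposal_mgr", "executive"},
    "/shares/customers/lists":              {"sales", "executive"},
}

# Constructed audit records, one per line: "YYYY-MM-DD account path action".
AUDIT_LOG = """\
2009-03-01 asmith /shares/proposals/contract-recompete/pricing.xls read
2009-03-01 jdoe /shares/proposals/contract-recompete/pricing.xls read
2009-03-03 jdoe /shares/proposals/contract-recompete/staffing.doc read
2009-03-04 bjones /shares/customers/lists/q1.xls read
2009-03-04 bjones /shares/proposals/contract-recompete/staffing.doc read
2009-03-04 unknown /shares/proposals/contract-recompete/pricing.xls read
"""


def review_access(log: str, roster: dict, catalog: dict) -> list:
    """Return (date, account, path, reason) tuples for accesses worth a closer look."""
    findings = []
    for line in log.splitlines():
        when_s, account, path, _action = line.split(" ", 3)
        when = date.fromisoformat(when_s)
        person = roster.get(account)
        if person is None:
            findings.append((when, account, path, "account not in HR roster"))
            continue
        if person["terminated"] is not None and when > person["terminated"]:
            findings.append((when, account, path, "access after termination date"))
            continue
        for prefix, allowed in catalog.items():
            if path.startswith(prefix) and person["position"] not in allowed:
                findings.append((when, account, path, "position not entitled to this information"))
    return findings
```

Run against real data, the roster would come from HR and the audit lines from the file server's access auditing; the script only works if both exist, which is the point of steps two through four.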

One final note – don’t forget or neglect to put these controls in place for your IT staff.  They often have access to most, if not all, of the critical information in any organization simply due to the nature of their jobs.  While a disgruntled sales person may make off with a list of customers, a disgruntled member of the IT staff can cause far greater damage as was illustrated by the aforementioned Terry Childs case.    

Layoffs aren’t pretty and while we feel for those who are laid off we are still responsible for protecting our company’s information.  We shouldn’t blind ourselves to the risk posed by those unfortunate enough to be laid off.  Remember it’s not personal, just business.


Now I do realize that I run the risk of sounding like a broken record with this post but I think it will underscore a point as well as provide a basis for further posts on proactive security. 

I subscribe to the Data Loss Digest put out by DataLossDB.org.  While I don’t always have time to peruse it daily, I do go back and look through the messages from time to time.  I was doing so today when two news stories jumped out at me as good examples to use here on the blog.   While both of these stories deal with data breaches and the way that they were handled, they also speak to how being proactive can help when disaster strikes.

Our first story is about a missing hard drive that may contain the names, addresses, passport numbers, dates of birth and driving license details of 100,000 individuals who are employees of the UK Ministry of Defense.  This number constitutes about half of the UK’s armed forces.  See:

EDS loses unencrypted Armed-Forces Data and

Lost MoD drive hadn’t required encryption says EDS

In an interview on BBC Radio 5’s “Drive” program, the managing director of EDS (Defense) in the UK, Sir Robert Fry, told the BBC’s Anita Anand:

“The hard drive was not encrypted but neither did it need to be, in terms of the protocols to which we and the Ministry of Defense work, when it sits inside a secure site.”

Now I have no doubt that what Sir Robert told the reporter is true, but that is little comfort to the 100,000 individuals whose information has gone missing. 

Compare this story to the loss of a laptop containing the personal details of 100,000 people in the National Rail and British Transport Police pension program.  That laptop was stolen from a Deloitte employee in a public place.  

See: Pension Data was on Stolen Laptop

Now the first quote that you see from Deloitte was that there was a “very low risk” of the details being accessed.  “Yeah, right” was my first impression, but the article goes on:

“In a statement, the company said the laptop was protected by a number of security measures, including start-up and operating system passwords and data encryption. 

It said the theft had happened despite employees being issued with guidelines to pay close attention to their laptops in public places.”

For the sake of full disclosure I must admit that I am a Deloitte alumnus.  As one, I can report that the company’s statement is true.  Our laptops were encrypted, and they do put in place quite a few security measures to protect their clients’ data over and above what I’ve found to be normal in many companies.  In fact, during my time there I was very impressed with the lengths they went to in order to protect their own as well as client data. 

My point wasn’t to praise Deloitte, however.  It was to point out that while both cases involved a data breach, they can be interpreted in two different ways.  On one hand you have a company that is trying to justify why certain security measures weren’t taken, and on the other hand you have a company that is telling you that it had instituted multiple security measures intended to safeguard the information even though it has left the company’s control. 

If I read these stories and try to put myself in the place of one of the individuals whose information was lost I come away with two different feelings.  On one hand I read the article and don’t feel any better that my information has been lost, in fact I feel worse – I’ve just been given the “pass the blame” answer.  On the other hand I feel better about the loss (not that I’m happy, just mollified) because it appears as if prudent security measures have been taken to secure the information on the laptop. 

Taking a proactive stance on managing the risk to information and implementing sound security measures is just good business.  What executive wants to be put on the spot by reporters, having to answer questions as to why something wasn’t done?  Isn’t it a much better place to be in to inform everyone of the efforts that a company has taken to go above and beyond in protecting its customers’ data?  In today’s tough economic times it is a prudent company that takes proactive measures to maintain the competitive edge when the inevitable happens.   
