There is this IT group* which is very efficient. From the daily humdrum of pulling cables, diagnosing the network and attending to users' needs, everything ran smoothly. They even enjoyed regular perks such as attending technology symposiums and out-of-town trips with a full allowance.
Until one day, the head of the group received a letter from the Business Software Alliance about software piracy. Further investigation showed that the systems administrator had installed pirated software and registered it over the Internet. On top of this, the same guy ran a commercial porn site on the corporate server and pulled around 300 customer credit card accounts out of that company's e-mail server.
When the systems administrator was charged and placed on preemptive suspension, he changed all the passwords across the company's network and shut down all of the company's servers remotely.
Fortunately, we made this story up. But what are we trying to say here?
The bulk of data loss and sabotage comes from insiders rather than outsiders. And most of these companies just keep quiet to avoid embarrassment.
But keeping quiet does not help and can be a fatal mistake. Not only does it fail to weed out the bad apples, it also does not address the problem of spending most of your security budget keeping people out when the biggest problem is already on the inside.
It's possible to respond internally with extra training on where the ethical line is and, if you're a manager, how to spot those dancing on the wrong side of it. Handled badly (and it is a delicate balance), a company ends up sounding like it is accusing all its employees of dishonesty while not affecting the dirty ones at all.
Simpler in concept but harder in execution is data loss protection (DLP), which is designed to identify what data needs protecting and does so by keeping track of who should be allowed access to which resources, to what extent and when.
OK, Windows file and security permissions do this. But how can we be so sure that unauthenticated users cannot get access to these files?
But DLP, as they say, is not as effective as it should be. Promising as it is, it can be effective by design, yet it is not doing its job properly. Why? Some of the problems are technical in nature, but most of them are behavioral. The bulk of these behavioral issues exist because the MIS head does not review the policies or the performance of the software. They assume that it is there, installed and running, and therefore doing its work, when in reality it is not. MIS should regularly review the software's performance and make adjustments where necessary. It is like paying for an alarm system that is turned off, then worrying about burglars while leaving the door unlocked.
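As an added example (not code from the original post), here is a PowerShell audit that answers the question above for NTFS permissions: it walks a directory tree and reports every Allow entry granted to Everyone, ANONYMOUS LOGON, Guests or Authenticated Users, so the review the post calls for can actually be run instead of assumed. The root path and report file name are assumptions.

```powershell
# Added example, not code from the original post. Walks a directory tree and
# reports NTFS access-control entries that grant rights to unauthenticated or
# catch-all principals, which is the "can unauthenticated users reach these
# files?" check the post asks for. $Root and $Report are assumed values.
param(
    [string]$Root   = 'D:\CustomerData',          # hypothetical share root
    [string]$Report = '.\open-access-report.csv'  # hypothetical output file
)

# Well-known principals that mean "anyone" rather than a specific user or group.
# Authenticated Users is included because it covers every domain account,
# not just the people who should see customer data.
$OverBroad = @(
    'Everyone',
    'NT AUTHORITY\ANONYMOUS LOGON',
    'BUILTIN\Guests',
    'NT AUTHORITY\Authenticated Users'
)

function Find-OpenAccess {
    param([string]$Path)
    # Include the root itself plus every subdirectory; skip paths we cannot read.
    $dirs = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $OverBroad -contains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights.ToString()
                    Inherited = $ace.IsInherited   # $false = set on this folder on purpose
                }
            }
        }
    }
}

$findings = @(Find-OpenAccess -Path $Root)
$findings | Export-Csv -Path $Report -NoTypeInformation

# Explicit (non-inherited) grants are the ones to chase first: they were added
# deliberately on that folder rather than flowing down from a parent.
$explicit = @($findings | Where-Object { -not $_.Inherited })
Write-Host ("{0} over-broad entries found ({1} explicit); report written to {2}" -f
    $findings.Count, $explicit.Count, $Report)
```

Run it from a scheduled task and diff each CSV against the previous run; a newly added explicit grant to Everyone is exactly the kind of drift the MIS review is supposed to catch.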
Every company knows this and has people in HR, management and IT management responsible for managing security risks from both IT and users. Every IT department also knows it has to cover the basics (check the user accounts, please) to have any hope of securing anything, no matter how bulletproof the firewall is.
Most continue not to do it.
So one or two every year shouldn't be surprised if they walk into some darkened sysadmin lair and find a commercial porn site or a DVD with all the customer files since 1987.
For the benefit of the rest of us, though, please don’t keep those cases quiet. Publicizing them might give some other company an example it can use to tighten its own security.
More important, it will give the rest of us something to laugh at.
When you spend days with your head stuck under someone else’s gross desk or in a drop ceiling where you can see rat droppings and hear tiny footsteps behind your head, you need to find some humor somewhere.
Again, the story quoted above is fictional. No need to be alarmed, but it is better to be prepared.