4 types of employees can put your security at risk
By now you’ve heard lots about Edward Snowden, the former National Security Agency contractor accused of leaking top-secret information about government surveillance programs to the media, and Chelsea Manning, the former Army intelligence analyst convicted of leaking reams of classified material to WikiLeaks.
But have you heard about the four stolen laptops containing personal information on more than 4 million patients of an Illinois health care provider? The Boston law firm employee who lost on a bus a USB drive containing medical information on 160 clients in a medical-malpractice case? The CBS Morning News segment on Super Bowl security that inadvertently broadcast the security center’s password to the world?
Those were just some of the more obscure examples of recent data breaches cited during the Techshow presentation “War Stories of Staff Use of Unapproved Data Services & Devices.” Co-presenters John Jelderks, director of information technology at the Chicago firm Barack Ferrazzano Kirschbaum & Nagelberg, and David G. Ries, an environmental litigator and technology lawyer at Clark Hill Thorp Reed in Pittsburgh, talked about the insider threat posed to workplaces by “rogue” employees. And they made a few suggestions about what law firms can and should be doing to address it.
The insider threat to workplace security is a serious—and growing—problem, Jelderks and Ries said. They cited the results of a recent survey showing that 41 percent of IT security professionals regard rogue employees as the biggest security threat to their organizations. They also cited the 2013 U.S. State of Cybercrime Survey, in which 53 percent of the participants reported having experienced an “internal incident.”
There are four types of employees who put the workplace at risk, according to the pair:
• The security softie, who knows very little about security and poses a threat by using a work computer at home or letting family members use it.
• The gadget geek, who comes to work armed with a variety of devices that get plugged into the work PC.
• The squatter, who uses company IT resources inappropriately.
• The saboteur, who will hack into areas with restricted access or infect the network.
Jelderks said insider threats come from many sources: maliciousness, disgruntled employees, rogue technology, lost devices, untrained staff and simple carelessness.
“I can’t tell you how many times I’ve had an attorney call me and say, ‘I’ve lost my device. Can you disable it?’ ” he said.
Too often, though, he said, the call comes long after the device has been lost and the data on it could already have been compromised.
Ries stressed the importance of encrypting the data stored on any laptop, smartphone or mobile device. “I can’t stress enough how critical that is,” he said. “All portable devices should be encrypted.”
In closing, both men offered their top five tips for mitigating insider threats.
Jelderks’ advice:
1. Set up a communications and training program so employees know all of the do’s and don’ts when it comes to technology.
2. Make sure the IT staff keeps all systems up to date.
3. Have a security assessment performed by an outside vendor.
4. Encrypt all data.
5. Insist that employees regularly change passwords.
Ries’ advice:
1. Implement a comprehensive data security program.
2. Practice constant security awareness.
3. Offer ongoing security training to employees.
4. Implement limited-access and least-privilege policies.
5. Make sure that all information placed in the hands of third parties is secured.
“That’s a big part of the insider threat that’s often neglected or overlooked,” Ries added.
