Downturn economy means greater security risks…


Business is the practice of economics, and to that point we are now seeing near-record-setting layoffs as businesses control one of the variables in the mighty Profit and Loss (P&L) Statement.  That is to say, they are trimming costs because they can’t, unlike the government, simply increase profits.  The part of the math that isn’t often reviewed, largely due to ignorance, is the exposure cost/risk when laying off Information Technology (IT) resources.

Let’s face it, IT is often seen as a Loss and is a service organization within most companies.  We see this in the ideas of outsourcing, downsizing, and the misalignment of ITSLA and COBIT in an effort to justify headcount reductions and sometimes to maintain headcount.  If given my choice, I would cut project management before cutting operations, but I am not a CIO, and so my opinion on the matter isn’t really relevant.

Leaving all the politics aside, and not wanting to delve into the “who, what, when, where, and why” of such business decisions, I am instead going to talk a bit about the security risks to a company that are often overlooked when making such decisions.

First, let me outline the risk that needs to be understood.  Who are these employees and what is it that they do for you?  On the surface, they make all the technology zoom along and hopefully work flawlessly.  This alone is a key piece of you doing business the way you are currently accustomed to, but let’s look past the part about your email and financial systems suddenly not working so smoothly and focus more on what it is that these systems hold that is a risk to you.  I mentioned email and financial systems, but then there are H/R systems, customer databases, your proprietary code / Intellectual Property storage systems, file servers, etc.  The IT staff doesn’t just keep them running through pure willpower; their own accounts, and often shared super-user accounts, are used to perform this work.  In reality, these accounts don’t just provide super-user access to administrative functions, but they also provide full access to all the data stored on all your systems.  Yes, all your data.

So now you understand what is at risk, but how great a chance is it that something bad will happen?  Well, recently ThreatPost.com ran an article advertising Cyber-Ark’s sixth annual “Threat, Security, and Passwords Survey”, which reveals that just under half of the 820 respondents stated they would indeed steal confidential data upon being terminated.  This isn’t a very comforting thought.  Having been the lead investigator in a number of cases where prior employees took and then planned to use such information to harm their former employer, I can say without a doubt this is a real situation in today’s workplace.

But whatever will they do with this data?  Sell it perhaps?  Sure, there are companies, possible competitors both new and old, that might buy such information.  But there are laws and civil torts that could be used to recoup some damages and possibly mend the corporate image if this were to happen.  But let’s look at a more plausible, and much more damaging, situation.  Taking a page from the likes of Wikileaks, Anonymous, and LulzSec, it isn’t that farfetched to imagine any of the following situations:

  • Financial numbers are released to the public prior to quarterly / annual announcement.
  • Entire email accounts for the company, or even just the chief officers, are posted online à la Pastebin.
  • Customer records are posted causing PCI and PII violations. ($$$)
  • Openly posting the shared username / password combinations for the Super-user accounts allowing just about anyone to do whatever they want to your systems.
  • Etc.

Now that is simply the stealing of data, something that is quite real and happens quite often.  But what about misusing their access to permit themselves to continue to access your systems long after their termination?  Sure, you signed that Severance Agreement with them, but who is checking that they aren’t accessing the systems?  Do you even still have someone on staff capable of knowing?

What has failed?  It’s a good question, and the answer ironically enough isn’t that you did what was needed to keep the business afloat.  Instead it’s possibly that you didn’t invest in technologies which autonomously watch out for this kind of activity, nor do you have systems and policies in place that force the change of passwords used by admins upon the dismissal of staff.  Frankly, forcing this to be done very frequently, regardless of dismissals, is a very good practice.
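One way to check that policy, as an added example that is not part of the original post: a small audit that compares each shared super-user password's last change against HR termination times and against a routine maximum age. The account names, users, dates and the 90-day limit are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample inventory: shared super-user accounts, who knows each
# password, and when it was last changed (None = no record of a change).
ACCOUNTS = [
    {"name": "root@db01", "holders": {"alice", "bob"}, "last_rotated": datetime(2024, 3, 1, 9, 0)},
    {"name": "svc-backup", "holders": {"bob", "carol"}, "last_rotated": datetime(2024, 3, 15, 18, 30)},
    {"name": "enable@core-sw", "holders": {"carol"}, "last_rotated": None},
    {"name": "admin@mail", "holders": {"dave"}, "last_rotated": datetime(2023, 11, 1, 8, 0)},
]
# Constructed sample HR feed: user -> moment the termination took effect.
TERMINATIONS = {"bob": datetime(2024, 3, 15, 17, 0), "carol": datetime(2024, 3, 20, 12, 0)}

def audit_rotation(accounts, terminations, now, max_age=timedelta(days=90)):
    """Return {account: [reasons]} for passwords that must be changed."""
    findings = {}
    for acct in accounts:
        reasons = []
        rotated = acct["last_rotated"]
        # Departures so far among the people who know this password.
        departed = {u: t for u, t in terminations.items() if u in acct["holders"] and t <= now}
        if departed:
            user, left = max(departed.items(), key=lambda kv: kv[1])  # latest one
            if rotated is None or rotated < left:
                hours = int((now - left).total_seconds() // 3600)
                reasons.append(f"not changed since {user} left ({hours}h exposed)")
        # Routine rotation, independent of any dismissal.
        if rotated is None:
            reasons.append("no rotation on record")
        elif now - rotated > max_age:
            reasons.append(f"older than {max_age.days} days")
        if reasons:
            findings[acct["name"]] = reasons
    return findings

if __name__ == "__main__":
    report = audit_rotation(ACCOUNTS, TERMINATIONS, datetime(2024, 3, 21, 12, 0))
    for name, reasons in report.items():
        print(f"{name}: {'; '.join(reasons)}")
```

Note the `svc-backup` case: the password was changed after the first departure but before the second, so it is still stale.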

Your issues fall into two buckets.  The first is those that you have laid off or terminated.  IT may be able to tell that a layoff is imminent due to its integration with your H/R department, not to mention the activity they will see on various systems.  The second is those that are left: understaffed and still tasked with the same amount of work, they basically develop an “indentured servitude syndrome.”  That is to say, they get very unhappy very quickly having to do the work of the former and larger department while maintaining the same Service Level Agreements (SLAs) with the company.  E.g. you terminated half the email admins, but still demand that all email account work is done within one hour of the request being submitted.  Or, more often, no one can truly take a day off or go on vacation because they are all working from home in the off hours to keep the systems running.

In either case you face disgruntled people who basically have the keys to your kingdom.  They could leave the gates open for marauding hordes to enter your castle, or empty your treasure room without you even noticing it.  But what can you do to help mitigate this?

For the employees that had to be let go, make sure this is something that is done politely; these are professionals you are dealing with after all.  Your security team should also be in the loop enough to know they need to monitor and watch systems a bit more closely as there is a pruning of the staff imminent.  Autonomous systems that monitor system activity and report when out-of-the-ordinary activity is present are probably good investments.  E.g. suddenly Employee X comes in earlier than normal, stays later, downloads more files or larger amounts of data to their workstation, tries to access (or successfully accesses) data they normally do not, or accesses data they have rights to (due to being admin) but shouldn’t generally access (due to not being in Finance or H/R).  You should also have that same security group manage and confirm that all super-user accounts were changed immediately upon the termination.  The second item: take care of that staff and don’t cut too deeply.  The same monitoring tools can be useful even if used to keep a pulse on the temperament of the staff.  Offer time off, bring in consultants if you need to cover headcount and afford people breathing room, and reward those that are pulling the weight of two or more employees when bonus and review time comes around… or even before then if possible.
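The “Employee X” signals above, sketched as detection logic over file-access events (an added example, not from the original post). The baselines, share names, event layout and the 3x volume threshold are constructed assumptions; a real deployment would derive baselines from historical logs.

```python
from collections import defaultdict
from datetime import datetime

# Constructed baselines: usual working hours, department, typical MB/day.
BASELINE = {
    "emp_x": {"hours": (8, 18), "dept": "IT", "mb_per_day": 200},
    "emp_y": {"hours": (9, 17), "dept": "Finance", "mb_per_day": 50},
}
# Constructed file-access events: (time, user, share, owning dept, MB, allowed)
EVENTS = [
    ("2024-03-18 09:12", "emp_x", "//fs1/it-tools", "IT", 120, True),
    ("2024-03-18 10:05", "emp_y", "//fs1/finance", "Finance", 30, True),
    ("2024-03-19 05:47", "emp_x", "//fs1/it-tools", "IT", 90, True),
    ("2024-03-19 21:30", "emp_x", "//fs1/finance", "Finance", 900, True),
    ("2024-03-19 21:41", "emp_x", "//fs1/hr", "HR", 0, False),
    ("2024-03-19 11:00", "emp_y", "//fs1/finance", "Finance", 40, True),
]

def detect(events, baseline, volume_factor=3):
    """Return {user: sorted list of alert strings}; quiet users are omitted."""
    alerts = defaultdict(set)
    daily_mb = defaultdict(int)
    for ts, user, share, owner, mb, allowed in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        base = baseline[user]
        start, end = base["hours"]
        # Earlier than normal or later than normal.
        if not start <= when.hour < end:
            alerts[user].add(f"off-hours access {ts}")
        # Data owned by another department: flags denied attempts as well as
        # reads that succeed only because the account has admin rights.
        if owner != base["dept"]:
            verb = "read" if allowed else "denied on"
            alerts[user].add(f"{verb} {share} (outside {base['dept']})")
        daily_mb[(user, when.date())] += mb
    # Larger amounts of data than this user normally moves in a day.
    for (user, day), mb in daily_mb.items():
        if mb > volume_factor * baseline[user]["mb_per_day"]:
            alerts[user].add(f"{mb} MB on {day} vs ~{baseline[user]['mb_per_day']} MB/day")
    return {u: sorted(a) for u, a in alerts.items()}

if __name__ == "__main__":
    for user, found in detect(EVENTS, BASELINE).items():
        print(user, *found, sep="\n  ")
```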