For a brief 11 minutes in November 2017, the president’s prolific Twitter feed disappeared. The company soon revealed the account was taken offline by a contractor in customer support of the trust and safety division on his last day of work. He says he was simply responding to a report against the account, so he started the process to deactivate it and left. “I didn’t hack anyone. I didn’t do anything that I was not authorized to do,” he told TechCrunch.
Even though it didn’t involve office security or employee confidentiality, such a high-profile takedown prompted Twitter’s CEO Jack Dorsey to admit that it should never have been possible and to say that the company was implementing safeguards to prevent anything like it from happening again.
1. Watch out: The worst breaches come from within
Although some might argue that taking down the president’s primary channel of communication would constitute a disaster, other companies have suffered the loss of data and dollars at the hands of employees who leave and take a chunk of intel with them. A recent study by Verizon revealed that 77 percent of data breaches involved an insider.
Among the worst is an incident at Snapchat, where a social engineer perpetrated a phishing scam by pretending to be CEO Evan Spiegel and exposed the payroll information of some 700 employees. In a similar incident, an employee of the City of Calgary sent an email to another employee sharing the confidential information of more than 3,700 city workers. The city is now being sued for $92.9 million for the breach. Back in 2014, communications and operations weren’t functioning normally for a month, and data was permanently lost at West Virginia-based oil and gas company EnerVest. The network engineer responsible for the takedown had just found out he was being fired and reset the company servers to their original factory settings.
2. Be aware that stolen data adds up
Office security and employee confidentiality are at risk in any business. From personal and private staff information, like Social Security numbers and medical records, to customer credit card information, intellectual property, and other proprietary information, there’s a vast amount of data for a business to protect. A majority of the more than 1,000 respondents (64 percent) to a survey by XpertHR viewed data security and the threat of a cyber breach as very or extremely challenging. Ponemon Institute research puts the cost to resolve a breach at $156 per record, while system glitches cost $128 per record, and human error or negligence costs $126 per record. That adds up quickly.
There are plenty of ways to shore up security within the office environment, such as training and encouraging best practices early and often or using mobile apps to ensure that staffers who bring their own devices or use the company’s devices outside of work can stay safe. That said, people can be unpredictable. The best protection may be making a few policy changes that will withstand the wrath of those leaving against their will, as well as employees who exit in the best of circumstances but still have access to a lot of sensitive data.
3. Create policies and keep running lists
In an interview with CSO Online, Biscom CEO Bill Ho said that a recent poll indicated that 84 percent of employees claimed their company had no policy to prevent them from taking proprietary information. To prevent this, he suggests creating clear and comprehensive policies that outline exactly what information, data, and documents are company property. Appropriate legal agreements should be in place for contractors, as well, especially if they create any intellectual property while on the job. Ramifications for taking anything that belongs to the company should also be clearly spelled out.
Ho adds that keeping an updated spreadsheet of each worker’s access to devices and information should help quickly identify and cut off access if and when someone leaves. Taking inventory of potential threats should include office hardware. IDC reports that printers are particularly vulnerable to attack because they’re generally accessible to the entire staff. Some secure printer models have a built-in capability to detect and stop threats and self-heal with security features.
4. Design a secure exit interview
The exit interview should be an opportunity to require the employee who’s leaving to turn over any access they have to information and devices. In an interview with the Society for Human Resource Management, Alvaro Hoyos, CISO at OneLogin, said now is the time for IT and HR to work in concert. If someone is terminated through an HR platform, IT can step in quickly and cut off any token generators or other devices that might authenticate and allow them to connect to the network. If the company uses any third-party vendors, partners, or providers, they need to take similar security measures.
Ho said that nearly a quarter (22 percent) of respondents to the survey said they would be more likely to steal company information if they were fired, so companies should have an emergency response plan in place. Ho contended, “Proactivity around ‘when’ instead of ‘if’ will prepare your company in the event of an emergency and can help save your company from big losses.”