Thursday, February 19, 2009

Don't give them a reason to fire you

Someone I know is currently being "done" for potential data theft. I should note the potentially biased and subjective view on my part given I know this person but I'll try to maintain some level of objectivity.

This person is currently suspended and under investigation following an incident. What did this person do wrong? Their mistake was simply ignorance rather than any intent to do something malicious.

Those of us in information security know better than to copy and print a bunch of stuff (unless there's a solid business justification to do it) because any organisation with an adequate security team will start wondering what the heck you're doing. Unfortunately, most people are not in the information security profession so it's not as "common sense" as we may all think it is.

This person decided to talk to me because I'm the "security guy". They asked me what they should do. My answer was to just tell the truth because they weren't actually trying to do anything malicious. This person didn't even know how to write files to a DVD a few months ago let alone know what computing-related activities could be deemed as inappropriate.

Consider these points:
  1. Most people in the world are not security geeks. Heck, most aren't even technology literate to the standard most of us assume is in place.
  2. If employees are simply told what they should not be doing and that they can potentially be monitored, they will be more wary about being perceived as doing the wrong thing. In other words, they will be more vigilant about their behaviour because they've been educated. It also means that companies will have more resources available to catch the people actually trying to do the wrong thing.

I won't divulge too much about the incident for obvious reasons (so any specifics regarding the actual incident stops right now) but I do have an opinion on what the root cause of this incident was:

Lack of security awareness training on the part of the organisation in question.

The organisation this person works for is a large multi-national. I won't mention what industry, but it's one where there are copious amounts of sensitive data lying around, so it doesn't surprise me that they have some level of monitoring in place. It is the responsibility of each and every organisation to make sure employees are properly trained to a basic level of information security awareness. It's not good enough that what they should not be doing is written somewhere in the fine print of their employment contract, because no one ever reads those things.

In other words, when an employee is being pulled up for a potential security incident, it is the organisation's fault if it did not ensure that all employees were made aware of acceptable behaviour when dealing with company data and information. For those wondering: no, this person's soon-to-be ex-employer does not do information security awareness training. I'm guessing it's because employees cannot make the company money while they are being trained in non-core business activities.

There's actually an additional dimension to this whole episode. Like many organisations in the world today, they are undergoing a round of redundancies. This person was probably already on that list (this is what they tell me), but now it's even worse. They are suspended pending the investigation. And there's no doubt that if this person is cleared, it's "bye bye" anyway.

The problem is that, as with any redundancy, there is a severance package to make things slightly easier. But guess what someone dismissed for misconduct gets? That's right, absolutely nothing. So now the situation is worse. Not only is this person being made redundant, they will probably not get their redundancy package because of this so-called "misconduct". Way to go, big corporation. Turn up the investigations and justify not paying people by saying they attempted to steal a bunch of sensitive information.

When people are scared about being put on the chopping block, what's their first instinct? That's right, they go through their systems and back up all their personal things. We can argue that there should not be any personal things on company assets, but it gets very difficult especially if you have worked for a company for some time.

Those with more sense don't touch any company material. But there are those who aren't actually trying to steal anything but simply think certain documents are useful to have in their "kit-bag". You know what I'm talking about: "cheat sheets", document templates and the like. This is all too common an occurrence and is actually part of the reason there's a so-called "data leakage" industry. It's commonly termed "inadvertent leakage of information". The assumption that it's not harmful to copy certain things if there is no malicious intent is an incorrect assumption on the employee's part, but they don't know any better. Once again, education and awareness.

The more common problem lies with the information where there's a fuzzy line between whether something is work-related or not. Generic education materials are a good example. The company could argue that it's their property even if they did not create it, but individuals typically want all the education they can get their hands on. After all, they're going to potentially need it to find their next job. If you're not sure, just don't take it.

While companies are busy investigating innocent (but rather ignorant) individuals for potential data theft, people with genuinely malicious intent could get off unscathed because there may not be adequate resources to investigate them, or even to notice they've done anything. In fact, if someone has malicious intent, they probably did some level of planning to make themselves more difficult to catch. So companies have no chance of discovering anything has happened if they don't have adequate resources available. And if they are off investigating anyone who printed anything or copied some files to a USB drive, they are going to run out of resources rather quickly.
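To make the resourcing point concrete, here is an added example (my own illustration, not code from the post or from the employer in question) of how an investigations team can rank print, DVD and USB events instead of chasing every one of them. The event records, field names, weights and the investigation threshold are all constructed assumptions for the example; the point is that a leaver backing up a pile of unlabelled personal files ranks well below a small number of labelled-sensitive documents going out the door.

```python
"""
Risk-scored triage of endpoint data-movement events.

Added example, not the original post's code. Events, labels, weights and
the threshold are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple


@dataclass
class Event:
    user: str
    action: str            # "usb_copy", "dvd_burn", "print", "email_out"
    file_count: int        # total files moved
    sensitive_count: int   # files carrying a confidential/restricted label
    when: datetime         # local time of the event
    leaver_flag: bool      # HR has flagged the user as on a redundancy list


# Weights below are assumptions chosen for the example.
ACTION_WEIGHT = {"usb_copy": 2.0, "dvd_burn": 2.0, "print": 1.0, "email_out": 2.5}
BULK_THRESHOLD = 200        # file count treated as "bulk" movement
INVESTIGATE_ABOVE = 5.0     # open a case only above this score


def risk_score(ev: Event) -> float:
    """Higher score = more worth an analyst's time."""
    score = ACTION_WEIGHT.get(ev.action, 1.0)
    # Labelled-sensitive files dominate; unlabelled (likely personal) files
    # contribute almost nothing, so a bulk personal backup stays low.
    score += 1.0 * ev.sensitive_count
    score += 0.01 * max(0, ev.file_count - ev.sensitive_count)
    if ev.file_count >= BULK_THRESHOLD:
        score *= 1.5
    # Out-of-hours or weekend movement is a mild aggravating factor.
    if ev.when.hour < 7 or ev.when.hour >= 20 or ev.when.weekday() >= 5:
        score *= 1.5
    # Known leavers get a modest bump, not an automatic case.
    if ev.leaver_flag:
        score *= 1.25
    return score


def triage(events: List[Event]) -> List[Tuple[str, str, float, bool]]:
    """Return (user, action, score, investigate?) sorted by descending score."""
    ranked = sorted(events, key=risk_score, reverse=True)
    return [(ev.user, ev.action, risk_score(ev), risk_score(ev) >= INVESTIGATE_ABOVE)
            for ev in ranked]


def sample_events() -> List[Event]:
    """Constructed sample events (not real data)."""
    return [
        # Leaver copying 150 unlabelled personal files to USB during the day.
        Event("alice", "usb_copy", 150, 0, datetime(2009, 2, 17, 12, 0), True),
        # Routine printing of a dozen unlabelled documents.
        Event("bob", "print", 12, 0, datetime(2009, 2, 18, 10, 0), False),
        # Bulk USB copy including 340 labelled files, Saturday night.
        Event("carol", "usb_copy", 900, 340, datetime(2009, 2, 14, 23, 0), False),
        # Three labelled files emailed out by a leaver in business hours.
        Event("dave", "email_out", 3, 3, datetime(2009, 2, 18, 15, 0), True),
    ]


if __name__ == "__main__":
    for user, action, score, investigate in triage(sample_events()):
        print(f"{user:6} {action:10} {score:8.2f} {'INVESTIGATE' if investigate else 'log only'}")
```

Run as a script it prints the ranked list: carol and dave are the two cases worth an analyst's time, while alice's personal backup and bob's printing are logged but not investigated. The weights are deliberately simple; what matters is that the sensitivity label, not the raw file count or the act of using a USB drive, drives the decision.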

Doesn't really matter though Mr. CEO, does it? Think of all the money you're saving by not having to pay out these pesky redundancy packages!

As for this person, the investigation is pending. They have told the truth, handed everything over and now just have to wait. Don't make the same mistake out of ignorance.
