The death of Caesar at the hands of the senators. Painting by Vincenzo Camuccini, 1798. “Et tu, Brute?” meaning “Even you, Brutus?” is a Latin phrase often used poetically to represent the last words of Roman Dictator Julius Caesar to his friend Marcus Brutus who betrayed him at the moment of his assassination.
Last week, within the span of a day, I heard from 3 companies that had been breached. The common thread is that all of the breaches were inside jobs. By inside jobs, I mean that one of their own trusted employees caused the data breach.
With one of these companies, an employee was terminated for sleeping on the job, but it was later discovered that he had installed several back doors (methods of working around conventional authentication mechanisms). He had full access to intellectual property and the ability to manipulate and control the IT systems. Luckily, the company had developed an effective incident response readiness (IRR) program and was able to limit the impact of the former employee turned rogue. We hear a lot about China hacking the U.S., but the inside threat is still real.
Shockingly, a more recent study showed that over half of fired employees steal company data! The problem is not always disgruntled employees. Further research found that 62 percent of employees think it is acceptable to transfer corporate data outside the company on personal devices and cloud services. The majority of this externally transferred data never gets deleted, leaving it vulnerable to data leaks. While the external threats have increased dramatically in the last decade, let’s not forget the folks with easy access right under our noses, the frenemy within.
Does your company have an employee policy regarding intellectual property?
I work for a major area university. One of our department administrators, who legitimately has access to payroll and financial information, would routinely upload very sensitive information to thumb drives and/or cloud storage for working from home. She was not using any information maliciously, but was simply ignorant of the possibilities of that information being hacked. Luckily, a supervisor put an end to the practice.
Years ago, at a company I was then with, how well I remember the time an IT clerk printed out company-wide payroll information (on green bar – who remembers green bar?), and handed off the printout to another employee, as both were attempting to exploit the information. Luckily, a company IT executive saw the large printout on the back seat of one of the employees’ cars. Both were fired, and IT access privileges were changed; a change that never should have been necessary.
Ponder that old-school scenario, and now consider the current state of ongoing international hacking attacks. Unfortunately, too many corporations and institutions still react after the fact.
Thank you for your insightful response to my post. The way I look at IT Security is that we are dealing with a needle in a haystack, yet that needle is constantly moving. The threats are constantly changing and increasing. Many companies are way over their heads now, but lately IT security is becoming a priority for executives. Again, thanks for the feedback.
Business Development Manager and Sales Team Leader