paulmudgett.com

It never fails. Information security controls are immediately put into place AFTER a significant security incident has happened.  This is true even when these controls are reasonable to have in place and could have prevented the incident from happening at all.   Often, decisions made after an incident are knee-jerk reactions rather than business-minded protections.

As a case in point, the Department of Defense issued a new ban on removable media being used on classified machines in response to the WikiLeaks release of diplomatic cables.  Completely reactive.  The point here isn’t the effectiveness of the control but the timing.

For those who haven’t followed the WikiLeaks drama, here is a tidbit taken from a December 10, 2010 CNN article that can be applied to many organizations.

“Pfc. Bradley Manning says he downloaded hundreds of thousands of files from SIPRNET to a CD marked “Lady Gaga” before giving the files to WikiLeaks.”

Do you have a Private Manning in your organization who has access to sensitive information?  Can he easily take that information out of your environment and sell it to the highest bidder?  Why not consider that risk and address it before it becomes an issue?

The culprit often lies in the attitude of executive leadership.   How often have you heard the following?

• “We’ve been doing things this way for years and haven’t had a breach.”  (that you know of)

• “Show me the hard dollar return on investment before I sign off on these security thingies.”  (BTW, since most security implementations aren’t revenue generating, a ROI will always be zero.)

• “It’s not convenient.”

These excuses need to be replaced with a desire to take ownership of information you have.  The focus needs to be on protecting your intellectual property and maintaining competitive advantage.  It should examine the risks to information and appropriate measures to reduce risk without impacting the functions of the business.

Controls don’t have to be expensive or fancy.  They just need to be effective.  Understand and take control of your information before an incident forces rushed decisions that impact your ability to conduct business.

Where is your sensitive information?

Many times the answer I hear is… “it’s stored in our database” but that unfortunately is only a partial answer.   If you look at the business process surrounding access to information, you may be surprised at where sensitive information ends up.   Have you considered:

Printed documents – Hard copy printouts of reports, spreadsheets, e-mail or other documents containing sensitive information have a way of being thrown in the trash without being shredded.  They get left out on desks for anybody to see, including enlightened janitorial staff.  What about the printer or copy machine hard drive that may be storing information that slips outside the walls of your facility when this equipment gets surplussed.

Forwarded E-mail – Ever hear this?  “It’s easier to work from home if I just send these spreadsheets with social security numbers as an attachment to my home e-mail account.”

Laptops -  The portability of laptops also carries with it the problem of portability of information.  Without encryption, the ease of stealing information from a “smash and grab” attack from the backseat of your car becomes quite an issue.  Some State laws, like Nevada, require the encryption of personally identifiable information on removable media… this includes laptops.

Removable Media -  It’s so easy to just move this information from point to point using a thumb drive.  The large storage capacity of these devices, not to mention USB hard drives, makes it a considerable risk point for sensitive information sneaking out of an otherwise controlled environment.

There are probably many other examples but the point is to not develop tunnel vision when considering strategies to protect sensitive information.  Getting fixated on the most obvious point of data storage is a bad move.  Think about how information is used in your organization.  Who needs and has access to it?  How are they sending the information to coworkers and business partners?

It’s important to consider ALL the possible ways information can be compromised.  You can bet the bad guys have already considered it.

The New Jersey Supreme Court recently ruled that a company shouldn’t have read an ex-staffer’s private e-mails even though they were sent from her employer’s computer.    NorthJersey.com article.

Interesting ruling which will certainly change some thoughts as to personal use of work computers.  While I’m a proponent of privacy rights, I’m torn on this particular ruling.   The company had a policy in place that warned e-mails “are not to be considered private or personal to any individual employee”.  That’s a fairly common policy statement but the usual intent is the use of company e-mail not a personal Yahoo account.  I tend to side with the court that the attorney-client privilege applied because there was an attempt to keep the personal e-mail secure.  Personal e-mail accounts, especially with an attorney seems to be reasonably outside the reach of an employer in my non-legal opinion.

That said, I think the issue here revolves around the personal use of company-owned computers rather than specific e-mail.  In this case the employee was absolutely out of her mind to be exchanging communications with her attorney in preparation for a lawsuit against her company using a company issued laptop.  Stupidity aside, the question is if the company had a right to “monitor, audit, intercept, access and disclose” any information that was sent using, or stored on company-owned equipment.  This is where things get a little fuzzy for me.

Since businesses are responsible for the protection of PII that is transmitted from or stored on their equipment, there is certainly an obligation to monitor and audit their equipment to assure compliance.    While I don’t think that extends into people’s personal e-mail accounts let’s create a scenario based on the patient privacy breach at University Medical Center I blogged about in November.

What if the employee was “hired” by a dubious attorney to provide them with face sheets as part of an unethical “referral gathering” scheme.  Now, instead of taking the hard copy face sheet as was done in this case that employee used a personal Yahoo account to send this information to their “attorney”.    I doubt this hits the same measure of attorney-client privilege identified in the New Jersey case but certainly this illustrates a point regarding potential misuse of employer-owned computer assets that can be quite damaging to both business reputation and finances.

As this New Jersey ruling resonates it will be interesting to see how organizations shift their policies, if they do at all.  With the proliferation of social media and smart phones, it may not be an unreasonable time to revisit policies anyway.

A breach of patient personal information at University Medical Center has all the makings of a made for TV movie or at least provides an opportunity to examine issues in security, leadership, ethics, and even the knee-jerk reaction of ignorant politicians trying to use the opportunity to score some free publicity.  The story “FBI looking at UMC records leak” ran this past Saturday in the Las Vegas Sun.

Security – The Insider Threat

The FBI said Friday it may investigate a breach of patient privacy laws at University Medical Center, where hospital officials are reeling with the realization that at least one of their employees has leaked confidential names, birth dates and Social Security numbers.

The breach clearly demonstrates the difficulty in dealing with insider threats.  We hire employees and give them access to sensitive information in order to perform their job duties.  We certainly have a need to control and monitor access in order to achieve and enforce the practice of least privilege.  Even the best of controls however, can be circumvented by a trusted insider with an intent to do harm.  In this case, it is alleged that hard copy face sheets were taken outside the facility and sold to an unethical breed of attorney.  I’m not sure it would be reasonable for the organization to setup exit searches of their employees every day to make sure they weren’t sneaking out these documents.  Heck, would you look in a fellow employee’s underwear to make sure they didn’t have a face sheet stuffed in there?  The ACLU would be all over this “violation” of privacy.

While not a cure for this type of insider threat, UMC may want to consider both criminal and financial background checks of new hires.  I know it’s like profiling but when protecting consumer information, corpoarte finances and reputation, having an indicator of potential behavior issues can help.   However, in these economic times, a squeaky clean person may engage in this type of behavior out of desperation.  UMC could also consider physical controls for documents, especially those that should remain with a patient’s chart.   Having face sheets printed only in one place and logging who printed them may be useful.  Of course, using electronic records rather than paper records may prevent the physical face sheet from being used at all.

Information security is more than the bits and bytes that are transmitted and stored.  Information security also involves the printed document and how it is handled.

Leadership

Until Thursday, they doubted there had been any leak and had conducted only a cursory probe into rumors of the breach. Silver was warned by sources this summer about patient records being obtained illegally. She took a quick look at which attorneys were requesting records, and then dismissed it as a “nonissue.”

Hospital leadership just blew off reports suggesting something was terribly wrong.  A cursory probe and dismissal of something that could have major repurcussions to patients and the organization is completely unacceptable.  This is fairly common though.  This smells of the “we haven’t been breached so why worry about it” attitude that is prevalent among so-called leaders.   Chasing phantoms can be a nuisance but to do nothing is irresponsible.

Ethics

The nurse told the Sun she was taken to lunch by members of a personal injury law firm several years ago. They offered to pay her for “referrals” but she refused, saying it was illegal and a violation of her nursing license.

I’m a big fan of finding the root cause of a problem and eliminating it.  While it is easy to point a finger at UMC and their poor decisions or the employee who is alleged to have stolen the documents, essentially the problem is on the “demand” side.  Unethical attorneys who are practicing in this manner should be disbarred, period.  Eliminate the demand for sensitive information, eliminate the problem.  I’m not naive enough to believe that there won’t be others lined up to fill the spot but you have to start somewhere.  We should expect more from “professionals” and if they can’t behave ethically they shouldn’t be allowed to practice.

Politicians

Earlier Friday, Clark County Commission Chairman Rory Reid called for a Metro Police investigation, demanding that the hospital do what is necessary to stop what appeared to be a “criminal offense.”

Headline grabbing, clueless politician.  The only way to “stop” this criminal offense is to stop taking patients or don’t hire employees.  Politicians are famous for taking an incident and then causing tremendous havoc with their knee-jerk reactions.   Most politicians believe the “as seen on TV” ads or marketing slicks that claim 100% security and then they go down the path of making ridiculous comments or worse, ridiculously impossible (and thus ineffective) legislation.  There is no such thing as 100% security.  It’s a process of reducing risk while allowing the business to function.

Last Thoughts

There are several lessons from this particular story.  Take security threats seriously.  Reduce risk where possible.  Know that there are unethical professionals and other business people out there who have no problem violating the public trust in order to make a buck.  Take politician’s comments with a grain of salt.  Most are looking to make a headline splash yet have very little knowledge of the topic at hand.

Ultimately, leadership failed at UMC.   They chose to ignore a potential threat rather than investigate it.  While it wouldn’t have prevented the breach, they may have discovered it sooner or reduced the damage to both their finances and their reputation.

Social networking has enhanced collaboration for many companies but it creates a risk of employees sharing intellectual property or other strategically important company information with outsiders.  This certainly places an increased burden on strategically aligned CSO’s who must balance the need for security with business goals and objectives.

The Global State of Information Security survey produced by Price-Waterhouse-Coopers in conjunction with CIO magazine, demonstrated a growing concern over the risks associated with social networking.  While monitoring technologies can help within the company borders, access to social networking sites such as Facebook, Twitter, and Myspace fall clearly outside the watchful eye of security technology.

This then becomes a cultural issue tackled primarily with users education and security awareness programs that emphasize that information provided on social networks is in the public domain.

Bill Brenner, Senior Editor with CSO Magazine published the “Seven Deadly Sins of Social Networking Security” back in June of 2009.  Brenner lists these social networking sins as follows:

1.  Over-sharing company activities

2.  Mixing personal with professional

3.  Engaging in Tweet (or Facebook/LinkedIn/Myspace) rage

4.  Believing he/she who dies with the most connections wins

5.  Password sloth

6.  Trigger finger (clicking everything, especially on Facebook)

7.  Endangering yourself and others.

While social media is a fantastic method to share information and collaborate, it’s important to consider the content of what you’re posting to avoid risking your company and more importantly, yourself.   Remember the final 5 tweets of Harold Wigginbottom , Tech-Savvy CEO:

CSO Magazine, May 27, 2009

Help your employees.  Help yourself.

Let’s look at a very simple risk equation:

Risk =  Threat x Vulnerability

Now let’s apply that formula to a disgruntled employee.   You have an angry employee (threat) who has access to sensitive company information based on their role in the organization (vulnerability).  The combination of these two creates a situation where sensitive information, say the “secret recipe”, can potentially be disclosed to competitors (risk).  This could have very serious consequences to your competitive advantage, your shareholders, your market share, etc.

The typical security response is to deploy preventive, detective, and corrective controls that hopefully reduce the risk by mitigating the threat and/or vulnerability.  Most often, the controls lean heavily towards detection which is an after-the-fact, reactive response to the problem.  I believe the root cause of this issue lies with the management of an organization rather than the employee.  Here’s why.

I’ve yet to see a person start a new job saying “this place sucks” or “I hate it here”.  Instead, these new employees are often the most enthusiastic and engaged members of your workforce.  Something has to occur that shifts this positive behavior to disengaged and/or destructive action.  Something changes the attitude of the employee.  I contend that it is the systems developed by management that are responsible for the growth and development of disgruntled behavior in the workplace.

Systems for employee review are often filled with hidden agendas and surprises designed to “put the employee in their place”.   Systems are designed to punish failure by taking power away from “empowered” employees who didn’t meet performance expectations (that probably weren’t defined well anyway).  Systems are designed to give responsibility but no authority to act.  It is these types of unfortunately common management systems that set the stage for the development of disgruntled employees.

So, doesn’t it make sense to mitigate or eliminate the risk associated with the disgruntled employee threat by fixing systems that spawn that type of dissatisfaction?  I’m by no means saying that employees rule the roost or that you won’t have an employee unhappy over a disagreement.  What I am saying is by treating employees fairly, enabling them to be successful, helping them learn from mistakes rather than punish them, and creating an environment where ideas are freely discussed without fear will go a long way toward eliminating this threat to information security.

Remember the equation:

Risk =  Threat x Vulnerability

Without the threat, there is no risk.