Information risk managers have come up with a practical checklist for companies and organisations under threat from IT security breaches during the recession.
Faced with redundancy and pay cuts, even the most loyal employees may decide to copy sensitive information and take it with them, offering it to a future employer to gain a competitive advantage.
Amethyst Risk Management – which works with central government and the private sector – has produced a guide to help companies reduce information security risks in a credit crisis. Consultant Ross Thomson said: “The vast majority of employees are honest and loyal, but if they fear being made redundant, they may start to squirrel away information to take to a future employer.
“Companies always need a good grasp of who has access to what information. It’s not always the case. Some firms may also be tempted to reduce spending on information security in a downturn. But this could have disastrous consequences.”
The checklist starts by identifying information assets useful to competitors that could, if compromised, disadvantage or even endanger the company. For instance:
Client lists.
Contract negotiations.
Pricing policy.
Future plans.
Designs.
Financial strength.
THREATS TO THE SECURITY OF AN ORGANISATION’S INFORMATION CAN COME FROM:
Employees leaving, with or without malice.
Competitors seeking advantage.
Employers taking information security risks because of economic pressures, e.g. non-compliance with legal requirements, or failing to fill or re-assign key information security posts.
VULNERABILITIES THAT EMPLOYEES CAN EXPLOIT INCLUDE:
Availability and uncontrolled use of portable storage devices and electronic media – mobile phones, laptops, USB drives, CDs, DVDs, personal media players.
Ability to export sensitive information through company communication channels – email, VPN connections, instant messaging – and a lack of access controls on sensitive information.
Lack of clear HR policies – terms and conditions of employment that do not restrict or prevent future actions that may damage the company, incoherent joining and leaving procedures.
MITIGATING CONTROLS THAT WILL IMPROVE THE SITUATION INCLUDE:
Implementing restrictions on use of electronic media.
Requiring the HR department to liaise with IT to ensure access rights are removed when an employee leaves.
Ensuring physical devices including mobiles and laptops are recovered when employees leave the organisation.
Controlling and restricting use of external communication channels, e.g. instant messaging.
Ensuring access control to sensitive information is based on a “need to know” policy.
Informing staff, and demonstrating, that logging, monitoring and auditing are being conducted to identify suspicious activity, specifically the export of sensitive information by email or its saving to electronic media.
Ensuring terms and conditions of employment are comprehensive and that HR has a clear joining and leaving policy.
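As an added illustration of the HR/IT leaver control and the monitoring control above (example code, not part of the Amethyst guide), the following Python reconciles a hypothetical HR leaver register against constructed system-login and door-badge records and flags accounts or passes that are still being used after an employee's last working day:

```python
from datetime import date, datetime, timedelta

# Constructed HR leaver register (hypothetical): username -> last working day
LEAVERS = {
    "jsmith": date.fromisoformat("2009-03-06"),
    "apatel": date.fromisoformat("2009-03-13"),
}

# Constructed access records (hypothetical), one per line:
# <ISO timestamp> <username> <system> <event>
ACCESS_LOG = """\
2009-03-05T17:42:10 jsmith crm LOGIN_OK
2009-03-09T08:01:33 jsmith crm LOGIN_OK
2009-03-20T22:15:07 jsmith door-east BADGE_OK
2009-03-12T09:10:00 apatel fileserver LOGIN_OK
2009-03-12T09:12:45 bjones fileserver LOGIN_OK
2009-03-21T10:00:00 apatel crm LOGIN_FAIL
2009-03-30T07:55:12 apatel door-east BADGE_OK
"""

def parse_log(text):
    """Parse the whitespace-separated log into (timestamp, user, system, event)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, system, event = line.split()
        records.append((datetime.fromisoformat(ts), user, system, event))
    return records

def stale_access(records, leavers):
    """Flag successful logins or badge events by a leaver after the end of
    their last working day. Returns (user, system, timestamp, days_after)."""
    findings = []
    for ts, user, system, event in records:
        last_day = leavers.get(user)
        # Skip current staff and unsuccessful attempts: only a successful
        # event shows that the account or pass still operates.
        if last_day is None or not event.endswith("_OK"):
            continue
        cutoff = datetime.combine(last_day, datetime.min.time()) + timedelta(days=1)
        if ts >= cutoff:
            findings.append((user, system, ts.isoformat(), (ts.date() - last_day).days))
    return findings

if __name__ == "__main__":
    for f in stale_access(parse_log(ACCESS_LOG), LEAVERS):
        print("STALE ACCESS: %s used %s at %s, %d day(s) after leaving" % f)
```

Running the same reconciliation on a schedule, with the leaver register fed from HR, turns the "rights still operate weeks after they have left" problem into a finding rather than a surprise.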
Thomson added: “The list is by no means exhaustive but it’s surprising how many companies overlook these basic precautions. For instance, every week we hear of staff whose access rights and even building entry passes still operate weeks after they have left the company, giving them access to valuable information and expensive equipment.
“To guard against loss, companies should at the very least assess the risks they are taking and if possible conduct a comprehensive gap analysis against industry best practice. It could keep them in business and save them millions of pounds.”
About Amethyst Risk Management
The IT security company's clients include the Ministry of Defence, the Home Office, the police and the criminal justice system.