BreachExchange mailing list archives
Departing Employees Are Security Horror
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 23 Oct 2013 01:02:01 -0600
http://online.wsj.com/news/articles/SB10001424052702303442004579123412020578896

Information theft by departing employees isn't what it used to be—it's much easier. But there are ways for companies to guard against it.

Workers who wanted to take confidential corporate information with them when they left a company used to have to sneak paper documents out the door. Now, in a few clicks, corporate secrets can be downloaded to a mobile device or uploaded to an online storage service.

In one recent example, Zynga Inc. and Kixeye Inc., competing developers of online games, settled out of court a suit in which Zynga claimed that one of its former employees uploaded 760 Zynga files to a Dropbox account just before he left the company and went to work at Kixeye. The employee, Alan Patmore, apologized in a statement for "copying and taking Zynga confidential information when I resigned from Zynga."

Most theft of this kind goes unreported, but it is rampant. Half the employees recently surveyed by the Ponemon Institute and Symantec Corp., a maker of information-security software, said they had taken sensitive business documents with them when they changed jobs.

To prevent such theft, it's important for companies to first understand what data they're trying to protect and where it resides, says George J. Silowash, a cybersecurity analyst at the CERT Insider Threat Center at Carnegie Mellon University's Software Engineering Institute. Sensitive information tends to be scattered among departments or business units, sometimes in different computer systems, and many companies don't have a comprehensive record of the data they hold.

Next, it's important to know what access every employee has to company information, says Earl Perkins, a research analyst at Gartner Inc., so that access to confidential information can be revoked when an employee leaves the company. Ideally, revoking that access should happen automatically, he says.

Data-loss prevention software from Symantec, Websense Inc., EMC Corp.'s RSA division and others can help companies keep track of sensitive information. The software inspects data content and, based on policies the company creates, blocks certain information from leaving the company. Gartner estimates the market for this type of software will total $670 million this year, up from $300 million in 2010.

Finally, it's crucial that IT security managers communicate with the human-resources department so they are aware of pending layoffs or other personnel issues that might lead to employee departures. "The simplest thing companies can do is to make sure there is a good communication path between human resources and IT security staff," says Patrick Reidy, former chief information-security officer at the Federal Bureau of Investigation, who now holds the same post at Computer Sciences Corp.

But companies should have legal or privacy experts make sure human resources is allowed to share employee information this way, keeping in mind that laws differ in various countries.