BreachExchange mailing list archives

Departing Employees Are Security Horror


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 23 Oct 2013 01:02:01 -0600

http://online.wsj.com/news/articles/SB10001424052702303442004579123412020578896

Information theft by departing employees isn't what it used to be—it's much
easier. But there are ways for companies to guard against it.

Workers who wanted to take confidential corporate information with them
when they left a company used to have to sneak paper documents out the
door. Now, in a few clicks, corporate secrets can be downloaded to a mobile
device or uploaded to an online storage service.

In one recent example, Zynga Inc. and Kixeye Inc., competing developers of
online games, settled out of court a suit in which Zynga claimed that one
of its former employees uploaded 760 Zynga files to a Dropbox account just
before he left the company and went to work at Kixeye. The employee, Alan
Patmore, apologized in a statement for "copying and taking Zynga
confidential information when I resigned from Zynga."

Most theft of this kind goes unreported, but it is rampant. Half the
employees recently surveyed by the Ponemon Institute and Symantec Corp., a
maker of information-security software, said they had taken sensitive
business documents with them when they changed jobs.

To prevent such theft, it's important for companies to first understand
what data they're trying to protect and where it resides, says George J.
Silowash, a cybersecurity analyst at the CERT Insider Threat Center at
Carnegie Mellon University's Software Engineering Institute. Sensitive
information tends to be scattered among departments or business units,
sometimes in different computer systems, and many companies don't have a
comprehensive record of the data they hold.

Next, it's important to know what access every employee has to company
information, says Earl Perkins, a research analyst at Gartner Inc., so that
access to confidential information can be revoked when an employee leaves
the company. Ideally, revoking that access should happen automatically, he
says.

Data-loss prevention software from Symantec, Websense Inc., EMC Corp.'s RSA
division and others can help companies keep track of sensitive information.
The software inspects data content and, based on policies the company
creates, blocks certain information from leaving the company. Gartner
estimates the market for this type of software will total $670 million this
year, up from $300 million in 2010.

Finally, it's crucial that IT security managers communicate with the
human-resources department so they are aware of pending layoffs or other
personnel issues that might lead to employee departures. "The simplest
thing companies can do is to make sure there is a good communication path
between human resources and IT security staff," says Patrick Reidy, former
chief information-security officer at the Federal Bureau of Investigation,
who now holds the same post at Computer Sciences Corp.

But companies should have legal or privacy experts make sure human
resources is allowed to share employee information this way, keeping in
mind that laws differ in various countries.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/