Wednesday, October 22, 2008

How companies should protect themselves from dishonest employees

Bill Detwiler has a Tech Republic video blog entry, “Five Ways to Keep Your Own IT Staff from Stealing Company Secrets.” The 5 minute film may be viewed here. Detwiler requests user feedback at his “ITdojo” link here.

One of the most important observations is that security is totally impersonal. He talks about the “rule of least privilege” and insists that programmers not be given any more production access than absolutely necessary, and that when it is necessary, it should be temporary. He also discusses rapid rotation of passwords in “auto repositories”. The number of employees with administrative domain access should be limited by job necessity, and those employees should sit in a separate area. A company should practice “separation of functions” in doing its work. It should also be impossible for administrators to change passwords, or for anyone to change sensitive data, without other personnel, working in a separate area and without contact with those employees, being able to monitor the change.

When I was working in mainframe IT, there were programmers who felt that security was a pain and thought that the solution was to have all programmers bonded. But the practical risk of data loss, and concern about it, has risen astronomically since about 2000, with many reported breaches of supposedly secure customer data in many organizations.

Companies need to be more careful about possible conflicts of interest than in the past, and that could even lead to probing employees' off-job online activity for conflicts (related to the controversial "reputation defense" problem often mentioned here).

Detwiler also suggests that when an employee is terminated (or even given notice of layoff for budgetary and not for performance reasons), his or her access should be disabled immediately; the person should be quickly escorted away from the work areas, processed through Human Resources for severance and outplacement benefits, and then leave the premises.
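The two controls above, temporary least-privilege production access signed off by someone other than the requester, and immediate revocation when an account is disabled, can be expressed as a small access ledger. The following is an added illustration, not code from Detwiler's video or from this post; the user names, the "approver" role, the "prod-db" resource and the four-hour policy maximum are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy value: the longest a temporary production grant may live.
MAX_GRANT_TTL = timedelta(hours=4)


@dataclass
class Grant:
    user: str
    resource: str
    approver: str
    expires_at: datetime
    revoked: bool = False


class AccessLedger:
    """Tracks who holds temporary production access, who approved it, and when it lapses."""

    def __init__(self, roles):
        # roles: hypothetical mapping of user -> set of roles, e.g. {"alice": {"programmer"}}
        self.roles = roles
        self.grants = []
        self.audit = []          # every decision is recorded so a separate team can review it
        self.terminated = set()  # accounts that have been disabled

    def _log(self, now, event, **detail):
        self.audit.append({"at": now.isoformat(), "event": event, **detail})

    def request_access(self, user, resource, approver, now, ttl=timedelta(hours=1)):
        """Issue a time-boxed grant only if a distinct approver holding the approver role signs off."""
        if user in self.terminated:
            self._log(now, "denied", user=user, reason="account disabled")
            raise PermissionError(f"{user} is disabled")
        if user == approver or "approver" not in self.roles.get(approver, set()):
            # Separation of functions: nobody approves their own production access.
            self._log(now, "denied", user=user, reason="separation of duties")
            raise PermissionError("requester and approver must differ; approver must hold the approver role")
        if ttl > MAX_GRANT_TTL:
            raise ValueError("requested lifetime exceeds policy maximum")
        grant = Grant(user, resource, approver, now + ttl)
        self.grants.append(grant)
        self._log(now, "granted", user=user, resource=resource, approver=approver,
                  expires=grant.expires_at.isoformat())
        return grant

    def has_access(self, user, resource, now):
        """Access is valid only while an unrevoked grant has not yet expired."""
        return any(g.user == user and g.resource == resource and not g.revoked and now < g.expires_at
                   for g in self.grants)

    def disable_account(self, user, actor, now):
        """Immediate revocation on termination: close every open grant and block new ones."""
        self.terminated.add(user)
        for g in self.grants:
            if g.user == user and not g.revoked:
                g.revoked = True
        self._log(now, "disabled", user=user, by=actor)


def demo():
    """Walk through grant, expiry, blocked self-approval and termination; returns the outcomes."""
    roles = {"alice": {"programmer"}, "bob": {"approver"}, "carol": {"hr"}}
    ledger = AccessLedger(roles)
    t0 = datetime(2008, 10, 22, 9, 0, tzinfo=timezone.utc)
    results = {}
    ledger.request_access("alice", "prod-db", "bob", t0, ttl=timedelta(hours=2))
    results["valid_during_window"] = ledger.has_access("alice", "prod-db", t0 + timedelta(minutes=30))
    results["expired_after_window"] = ledger.has_access("alice", "prod-db", t0 + timedelta(hours=3))
    try:
        ledger.request_access("alice", "prod-db", "alice", t0)
        results["self_approval_blocked"] = False
    except PermissionError:
        results["self_approval_blocked"] = True
    # A fresh grant is open when HR disables the account; it must die immediately.
    ledger.request_access("alice", "prod-db", "bob", t0 + timedelta(hours=3))
    ledger.disable_account("alice", "carol", t0 + timedelta(hours=3, minutes=5))
    results["revoked_on_termination"] = not ledger.has_access("alice", "prod-db", t0 + timedelta(hours=3, minutes=10))
    try:
        ledger.request_access("alice", "prod-db", "bob", t0 + timedelta(hours=4))
        results["no_regrant_after_disable"] = False
    except PermissionError:
        results["no_regrant_after_disable"] = True
    results["audit_events"] = len(ledger.audit)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit list is the piece that lets people in a separate area monitor changes after the fact: every grant names its approver and expiry, and every denial names its reason, so a reviewer who was not involved in the request can reconstruct who had production access and why.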

I was on the phone with an internal client when I got a Netware message on Dec. 13, 2001 that my account had been “disabled.” My own IT career, as I knew it at the time, had, after 31 years of stability (only one other layoff, way back in 1971 – and I would actually return to that company, in a way, later), taken a cardiac arrest at age 58. There was no defibrillator. I did finish the phone call with the client.
