According to a recent study commissioned by Symantec Corp. and conducted by Ponemon Institute, 59% of nearly 1,000 former employees surveyed admitted to stealing data from their employers.
Employees who believe they may be laid off, passed over for a raise, or asked to do more for less may feel driven to cause damage by deleting or stealing data. Are you putting measures in place to maintain your customers' security amid layoffs? Could you tell whether something had been stolen or damaged? Could you assist them in legal proceedings, or would you become a defendant for failing to protect them?
Unfortunately, the economic hardship that often accompanies a layoff causes people to take actions they might not otherwise take, such as stealing client lists, business plans or other vital intellectual property. They might try to start a business of their own using data stolen from a customer company, on your watch. One of my clients is dealing with a former employee who wiped the organization's entire server farm clean. Never underestimate the ability of disgruntled current or former employees to commit criminal or unethical acts.
This problem stems from lack of awareness on the part of employers and a sense of entitlement on the part of the employees. Employers trust their employees and business partners far too much. They want to believe their employees and partners have their best interests in mind. They assume they can be trusted to do what is right for the company and not for themselves. Unfortunately, this is not always the case.
IT professionals often let convenience, rather than fiduciary and regulatory prudence, define their security practices. This is not necessarily to say that they are lazy; rather, they are risk averse and often unwilling to take the political risk of pushing business leaders for more stringent security controls and the funding to implement them. Most people want to be liked by their co-workers, and it is sometimes easier to be the nice guy than to do what is right.
This is where you come into the picture. It is the job of a VAR or integrator to get customers to take action. You must make them understand the risks of doing nothing. Identify relevant examples of others that have failed to take action. Draw on your own experience and anecdotes about the fines, lawsuits, criminal investigations and other consequences that follow when a client is in denial or acts on bad advice. If you do not have your own, look for news stories about companies that have been damaged by inaction. It is a fundamental responsibility for you, as their trusted advisor, to get through to them.
More than ever before, clients who fail to take reasonable steps to defend their employee and client data face potentially organization-killing repercussions. Let's use the Health Insurance Portability and Accountability Act (HIPAA) as an example. The U.S. Department of Justice offered clarification in 2005 about who can be held criminally liable under HIPAA. Covered entities and specified individuals who knowingly obtain or disclose individually identifiable health information face a fine of up to $50,000 and up to one year in prison. For offenses committed under false pretenses, the penalties rise to a fine of up to $100,000 and five years in prison. If there is intent to sell, transfer or otherwise use the data for commercial advantage, personal gain or malicious harm, the penalties rise to a fine of up to $250,000 and 10 years in prison.
If customers are unwilling to play by the rules, you should consider walking away in defense of your reputation. If you continue to work with them and something does go wrong, even if you did everything correctly, your organization may find itself being blamed in superior court and the court of public opinion.
You should protect your client's property like priceless treasure. Here are a few ways to maintain your customers' security amidst layoffs:
- Be sure customers have an independent backup system that cannot be deleted or damaged. If there is a proper backup system that is out of the reach of a saboteur, it helps to limit the amount and permanence of any damage that might be done.
- Get customers to invest in a formal content management and access control system. If employee access rights are limited to need-based actions, then they are also limited in what they can see, steal or destroy. This also is a positive step toward compliance as it addresses myriad privacy and security regulations and is a basic best practice.
- Institute role-based permissions and access monitoring. All content should be associated with a job role. Controlling who sees what, based on need to actually get work done, significantly lowers the exposure of the data. By monitoring the access, you can also have a record of who is seeing what, and when.
- Help the customer's HR department draft an acknowledgment for current and new employees to sign, which states they recognize all company information is proprietary and they will be prosecuted for using it outside of their job. Without this, employees may believe they have permission, and the possibility of the company getting damages in the case of theft or misuse is severely limited.
- Implement monitoring systems that track behaviors indicative of theft or sabotage. For example, look for products that can raise an alarm when specified keywords appear. This makes it possible to stop a theft or attack before it is complete.
- Devise a plan for employee termination. Know in advance the steps that will be taken. It should cover issues like account lock-out, returning or retaining the employee's personal data, having their checks ready, and holding an exit interview. The exit interview should include the employee signing a letter of understanding with regard to company information and property.
- If an employer must provide notice, have them pay out the notice period and send the employee on their way. Allowing an employee to linger after notice of termination is a significant opportunity for bitterness and even emotional distress to escalate into potentially damaging behavior. It is best to remove any opportunity for the employee to take negative action as they exit.
- Above all, assume the best, but plan and scan for the worst.
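The role-based access, access monitoring, keyword alarms and lock-out steps above are policy; what they look like in practice is a small set of checks run over the access log. The following is an added example, not code from the article or from any product the author sells: the role map, user directory, keyword list, thresholds and the log lines are all constructed here for illustration. It flags access outside a user's role, any activity after the scheduled lock-out time (a failed termination step), alarm keywords in an event's free text, and bulk downloads within a sliding window.

```python
"""Insider-threat checks over constructed access-log events.

Added illustrative example, not from the article or any product: role-based
access checks, a post-termination lock-out check, a keyword alarm and a
bulk-download check, run over a few constructed log lines.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical role-to-resource map: each resource class is tied to the
# job roles that need it to get work done (need-to-know).
ROLE_RESOURCES = {
    "sales": {"crm", "pricing"},
    "engineering": {"source", "designs"},
    "hr": {"personnel"},
}

# Hypothetical user directory; `terminated` is when lock-out should have
# taken effect (None for current staff).
USERS = {
    "alice": {"role": "sales", "terminated": None},
    "bob": {"role": "engineering", "terminated": datetime(2009, 3, 2, 17, 0)},
    "carol": {"role": "hr", "terminated": None},
}

# Hypothetical keywords that raise an alarm when they appear in an event's
# free text (an e-mail subject, a file name, an export description).
ALERT_KEYWORDS = ("client list", "business plan", "resume")

BULK_THRESHOLD = 50            # downloaded records per window that count as bulk
BULK_WINDOW = timedelta(hours=1)

# Constructed log lines: "ISO-time user resource action count free-text".
SAMPLE_LOG = [
    "2009-03-02T09:15:00 alice crm download 5 quarterly-accounts.csv",
    "2009-03-02T09:40:00 alice crm download 60 full client list export",
    "2009-03-02T10:05:00 bob designs read 1 widget-v2.dwg",
    "2009-03-02T11:00:00 bob pricing read 1 price-book-2009.xls",
    "2009-03-02T18:30:00 bob source download 3 repo-mirror.tar",
    "2009-03-02T12:00:00 carol personnel read 1 onboarding.doc",
    "2009-03-02T13:00:00 dave crm read 1 notes.txt",
]


def parse_event(line):
    """Parse one log line into a dict; the free text may contain spaces."""
    ts, user, resource, action, count, *text = line.split(" ", 5)
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "resource": resource,
        "action": action,
        "count": int(count),
        "text": text[0] if text else "",
    }


def analyze(lines):
    """Return a list of (rule, user, detail) findings for the given log lines."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    findings = []
    downloads = defaultdict(list)   # user -> [(ts, count)] inside the window
    bulk_flagged = set()            # report each user's bulk activity once

    for e in events:
        u = USERS.get(e["user"])
        if u is None:
            # An account the directory does not know about is itself a finding.
            findings.append(("unknown_user", e["user"], e["resource"]))
            continue
        # Rule 1: access outside the user's role is a need-to-know violation.
        if e["resource"] not in ROLE_RESOURCES[u["role"]]:
            findings.append(("out_of_role", e["user"], e["resource"]))
        # Rule 2: activity after the lock-out time means termination failed.
        if u["terminated"] and e["ts"] > u["terminated"]:
            findings.append(("post_termination", e["user"], e["ts"].isoformat()))
        # Rule 3: keyword alarm on the event's free text.
        hits = [k for k in ALERT_KEYWORDS if k in e["text"].lower()]
        if hits:
            findings.append(("keyword", e["user"], ",".join(hits)))
        # Rule 4: bulk download, summed over a sliding one-hour window.
        if e["action"] == "download":
            win = downloads[e["user"]]
            win.append((e["ts"], e["count"]))
            win[:] = [(t, c) for t, c in win if e["ts"] - t <= BULK_WINDOW]
            total = sum(c for _, c in win)
            if total > BULK_THRESHOLD and e["user"] not in bulk_flagged:
                bulk_flagged.add(e["user"])
                findings.append(("bulk_download", e["user"], str(total)))
    return findings


if __name__ == "__main__":
    for rule, user, detail in analyze(SAMPLE_LOG):
        print(f"{rule:17} {user:8} {detail}")
```

Run against the constructed log, the checks report alice's "client list" export and her 65-record download inside one hour, bob reading a pricing file outside his engineering role and still downloading source after his 17:00 lock-out, and an account (dave) that the directory does not know. The point for a customer is that none of these rules needs a product: they need a role map that actually exists, a log that records who touched what and when, and a termination time that is written down before the employee is told.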
Few companies understand the dangers presented by disgruntled current or former employees until a worst-case scenario comes to pass. VARs and integrators are on the forefront of this issue, and should ensure customers are not only aware of the dangers, but also in the best position to defend themselves should they be forced to reduce the size of their workforces.

About the author:
Kevin B. McDonald is a recognized technology industry leader and trusted public policy expert. As executive vice president for Alvaka Networks Inc., he is a primary company spokesperson and leads operational and strategic business development. Kevin is a writer and sought-after presenter on technology, governmental and corporate cyber security, and public policy. He is a member of the national board of directors for Web Wise Kids and chairman of its government affairs committee. Kevin is also on the national board and cyber security committee for TechAmerica. He is chairman of the District Legislative Technology Committees for five state and federal legislators. Kevin is also a current member of the High Tech Crime Consortium. He received the 2008 TechAmerica Excellence in Government Advocacy award and the 2008 Web Wise Kids Outstanding Commitment to Children's Online Safety award. Kevin has given expert interviews in dozens of national and regional publications. He is also the author of the novel Practically Invisible.