A case is currently making its way through the court system that I believe should cause all corporate executives to reexamine their data security protocols.
The former IT manager for a company in the Chicago area has been charged with several counts of computer fraud and illegal wire interception. The U.S. Attorney’s Office alleges that after his employment ended, the accused accessed his former employer’s network and email servers, where he retrieved sensitive information that he made available to individuals outside the firm.
According to the indictment, the accused “caused significant damage” to the firm’s servers while making public highly sensitive corporate information, including salary and employment details, along with corporate information that could benefit competitors.
For the sake of argument, let’s assume that when the IT manager’s employment ended, his account was promptly deactivated. That is standard procedure in most firms, but disabling the one account you know about and assuming everything is fine is not enough, especially when the person held admin-level privileges and has considerable inside knowledge of your systems.
If the account was indeed closed appropriately, then the accused must have previously established an alternative “back door” account that was unknown to the firm. For an IT manager, creating such an account and keeping it secret would be relatively easy.
I know we are making several assumptions here, but I’m doing so to illustrate an important point: how do you protect your critical systems from the deliberate, or even simply negligent, actions of an employee?
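As an added example (not from the article, the FBI write-up, or any firm it describes), the Python script below shows the kind of reconciliation check the preceding paragraphs argue for. Instead of disabling only the departed administrator's known account, it compares a directory export against the HR roster and flags accounts the departed person still holds, logins on those accounts after the separation date, accounts the departed administrator provisioned (with special attention to those created shortly before separation), privileged accounts with no accountable owner, and enabled accounts whose owner is no longer on the roster. The account records, employee ids, usernames and dates are all constructed for illustration; the `reconcile` function and its finding categories are this example's own design.

```python
"""Offboarding reconciliation: what 'disable the known account' alone misses.

All data in this file is constructed; the field names mirror what a directory
export (LDAP/AD/IdP) and an HR roster typically provide.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Account:
    username: str
    owner: Optional[str]      # HR employee id; None for shared or service accounts
    privileged: bool          # member of an administrative group
    enabled: bool
    created_by: str           # username of the administrator who provisioned it
    created_on: date
    last_login: Optional[date]


CATEGORIES = (
    "departed_still_enabled",   # account of a departed person that is still active
    "login_after_separation",   # departed person's account used after their exit date
    "created_by_departed",      # any account provisioned by a departed administrator
    "created_near_separation",  # ...and created within window_days before the exit
    "unowned_privileged",       # enabled admin account with no accountable owner
    "owner_not_active",         # enabled account whose owner is not on the HR roster
)


def reconcile(accounts: List[Account], hr_active: Set[str],
              departed: Dict[str, date], window_days: int = 30) -> Dict[str, List[str]]:
    """Return a mapping of finding category -> sorted list of usernames."""
    findings: Dict[str, List[str]] = {c: [] for c in CATEGORIES}

    # A departed person may have held several accounts (e.g. a daily and an
    # admin account); collect all of their usernames with the separation date.
    departed_users = {a.username: departed[a.owner]
                      for a in accounts if a.owner in departed}

    for a in accounts:
        if a.owner in departed:
            sep = departed[a.owner]
            if a.enabled:
                findings["departed_still_enabled"].append(a.username)
            if a.last_login and a.last_login > sep:
                findings["login_after_separation"].append(a.username)
        elif a.owner is not None and a.owner not in hr_active and a.enabled:
            findings["owner_not_active"].append(a.username)

        if a.owner is None and a.privileged and a.enabled:
            findings["unowned_privileged"].append(a.username)

        if a.created_by in departed_users:
            findings["created_by_departed"].append(a.username)
            days_before = (departed_users[a.created_by] - a.created_on).days
            if 0 <= days_before <= window_days:
                findings["created_near_separation"].append(a.username)

    return {c: sorted(users) for c, users in findings.items()}


# Constructed directory export for a hypothetical company.  "jdoe" is the
# departed IT manager; the offboarding disabled "jdoe" but nothing else.
ACCOUNTS = [
    Account("jdoe",       "E100", True,  False, "provisioning", date(2019, 3, 4),  date(2021, 6, 11)),
    Account("jdoe-adm",   "E100", True,  True,  "provisioning", date(2019, 3, 4),  date(2021, 6, 20)),
    Account("svc-backup", None,   True,  True,  "jdoe",         date(2021, 6, 1),  date(2021, 7, 2)),
    Account("asmith",     "E101", False, True,  "provisioning", date(2018, 9, 10), date(2021, 7, 1)),
    Account("bwong",      "E102", True,  True,  "jdoe",         date(2020, 1, 15), date(2021, 7, 3)),
    Account("ctemp",      "E103", False, True,  "provisioning", date(2021, 2, 1),  date(2021, 6, 30)),
]
HR_ACTIVE = {"E101", "E102"}                 # constructed roster of current staff
DEPARTED = {"E100": date(2021, 6, 12)}       # employee id -> separation date


if __name__ == "__main__":
    for category, users in reconcile(ACCOUNTS, HR_ACTIVE, DEPARTED).items():
        print(f"{category:24s} {', '.join(users) or '-'}")
```

Run against the constructed data, the report shows the secondary admin account `jdoe-adm` still enabled and used eight days after separation, the ownerless `svc-backup` account provisioned eleven days before the exit, and `bwong` as an older account the departed administrator created that still deserves a review. In practice the input would come from a scheduled directory export, and the `created_near_separation` and `unowned_privileged` lists are the ones to treat as incidents rather than housekeeping.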
An effective approach used by a growing number of firms is to augment your existing in-house IT services with an outside firm that specializes in reviewing your current data security practices. This review can be used to help identify potential security gaps, review management controls, and assess overall policy effectiveness.
The advantage of engaging a specialty IT firm is that it provides an impartial review of your security measures. This is not to suggest that you cannot trust your staff, but when individuals are responsible for auditing their own work, it does leave the door open for potential abuse. Bringing in an outside firm, on the other hand, ensures you receive an accurate, unvarnished assessment of the state of your IT environment.
Read the full article here on the FBI website.