23 Feb 2009
More than half of workers who left their jobs last year have admitted that they took confidential corporate information with them, according to research by security giant Symantec.
Fifty-nine per cent of ex-employees who either left or lost their jobs in 2008 took information including email lists, employee records, or customer information such as contact lists, said the report.
The most common means by which information was taken outside of the business was via a CD or DVD, with USB devices coming a close second and personal web mail the third most popular.
Data loss is preventable if firms put in place clear policies, adequate controls on data access, and communicate better with employees, according to Larry Ponemon, chairman of the Ponemon Institute, which carried out the research.
"The survey's findings should sound the alarm across all industries. Your sensitive data is walking out the door with your employees," he said.
"Even if layoffs are not imminent, companies need to be more aware of who has access to sensitive business information."
The survey also found that 82 per cent of respondents said their employers did not perform an audit or review of paper or electronic documents before they left their jobs, while around a quarter had access to their networks even after leaving their companies.
I was interested to see the recent Ponemon Institute research that found an alarming 59 percent of employees who lost their jobs last year admitted to stealing confidential company information. This highlights the modern dangers associated with allowing unmanaged access to sensitive company information and then not switching this off when an employee leaves. Whilst companies will stop any ex-employee trying to wheel out filing cabinets full of customer information at the door, we see far more lax security measures when it comes to stopping access to the same information when held electronically.
The unprecedented layoffs occurring right now have exacerbated the issue, with companies running into the problem of having numerous zombie accounts - those left open to former employees or employees who have changed jobs. Zombie accounts are the result of a gap between the time an employee leaves a company or changes job function and when access to their accounts is revoked. This lag time can also leave usernames and passwords open to being shared or sold to the highest bidder, giving cyber-criminals access to sensitive information without the need for sophisticated hacking techniques.
The problem can be solved through the implementation of Access and Compliance Management best practices to help companies safeguard their data and prevent the dreaded zombie account loophole that is being exploited by a high percentage of ex-employees outlined in the research.
Posted by: Stuart Hodkinson, General Manager, Courion 24 Feb 2009
The Symantec research is hardly news. Valuable corporate data has been walking out of the door ever since computers first printed reports.
In the early days of data theft, the scope was limited by the volume of paper involved. Nowadays though the volume of data at risk from illegal removal is virtually limitless.
The proliferation of easily connected "personal devices" such as MP3 players, PDAs, memory sticks and mobile phones provides fantastic capacity to quickly garner gigabytes of mission-critical data; soon this capacity will probably stretch to terabytes.
In the meantime, information security is largely entrusted to technology, as part of a box-ticking strategy, while the non-technical aspects of security go largely unchecked.
I believe this head-in-the-sand approach is a ticking timebomb in too many organisations.
Posted by: Colin Beveridge 23 Feb 2009
Most companies enjoy 'security' insofar as they haven't been targeted, or had an employee make a human error with catastrophic exposure. Price Waterhouse Cooper and Carnegie-Mellon's CyLab have recent surveys that show the senior executive class to be, basically, clueless regarding IT risk and its tie to overall enterprise (business) risk. Data breaches and thefts are due to a lagging business culture - absent new eCulture, breaches will, and continue to, increase. As CIO, I'm constantly seeking things that work, in hopes that good ideas make their way back to me - check your local library: A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices.
The author, David Scott, has an interview that is a great exposure: www.businessforum.com/DScott_02.html
The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
In the realm of risk, unmanaged possibilities become probabilities - read the book BEFORE you suffer a bad outcome - or propagate one.
Posted by: John Franks 23 Feb 2009