Security Views Case Study #1 - Unauthorized P2P Software on Company Laptop
This is the first in what unfortunately could be many posts I'll call "Case Studies". It's unfortunate because breaches are now publicized on such a regular basis that I could make a blog entirely about them, as SC Magazine now does with its Breach Blog. In my case, I was thinking it may be helpful to add some value to some of their entries by doing a bit of analysis and offering guidance on what you can do to avoid them.
Unauthorized File Sharing Software Leads to Pfizer employees’ Data exposure…
This breach was the result of an employee’s spouse using an office laptop at home for personal use. File sharing software was loaded, against company policy, and BINGO, 17,000 company employees’ personal information was exposed over a Peer-to-Peer network (including past and current employees). It’s not clear from the SC Mag post which P2P network was involved, or whether all the data was confirmed to have been transmitted over the network.
What went wrong?
- Laptops, if not locked down completely to prevent installation of unauthorized software, should at least have some form of protection against unauthorized programs being installed. Only employees who need to install software constantly, such as software development teams, should really have the ability to install anything they like on their computers or laptops in the enterprise. This is not always seen as practical, because the IT department may get swamped with requests to install the latest version of Flash or other utilities. But many organizations now use centralized deployment tools (often called Management Suites), such as Microsoft SMS, ZENworks, LANDesk, etc., to manage large-scale desktop installations. This gets a bit trickier with laptops, since they are not always connected to the network, but I think most vendors will have solutions for the laptop problem soon, if they don't already.
- Employees don't follow policies they don't know about, and often don't follow policies they see aren't strictly enforced, especially if they don't understand how the policy relates to the well-being of the organization. What are the chances that the employee or the spouse had any idea that installing the file-sharing program could lead to a breach affecting 17,000 people and put the company into the mainstream media in such a shameful way?
- One other, subtler issue (which may or may not be the case here) is that employee laptops are not always using the company network (dial-up or VPN) to access the Internet. Even if you have firewalls that block malicious code from being installed or from exporting data, they don't help when the employee connects via another ISP. You lose control of the network at that point, and as soon as the laptop is reconnected to your network, the threat is now "inside". For this reason, mobile computers should also have software firewalls installed to add protection from trojans and spyware no matter which network they are connected to.
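To make the first and third points concrete, here is an added example (my own illustration, not code from the original post or from any management-suite vendor) of the kind of compliance check a desktop-management agent or login script could run on each laptop: it compares the installed-software inventory against an approved-software list, flags anything in a file-sharing category, and reports a disabled host firewall, treating it as more serious when the machine is off the corporate network. The inventory records, hostnames, product names and the approved list are all constructed for illustration and are not claims about any real product or about the Pfizer incident.

```python
"""
Constructed endpoint compliance check (added example, not from the original post).
Inputs are hand-built HostReport records standing in for what a management
agent would collect from each laptop.
"""
from dataclasses import dataclass

# Approved-software list: what the desktop-management suite is allowed to have
# deployed. Anything installed that is not here is "unauthorized". (Constructed.)
APPROVED_SOFTWARE = {
    "Office Suite",
    "PDF Reader",
    "Corporate VPN Client",
    "Antivirus Agent",
}

# Category/name keywords identifying file-sharing software the policy forbids
# on company hardware. (Constructed generic labels, not vendor names.)
P2P_KEYWORDS = ("p2p", "torrent", "file sharing", "filesharing")


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    message: str


@dataclass
class HostReport:
    hostname: str
    installed: list            # list of (program name, category) tuples
    firewall_enabled: bool     # host (software) firewall state
    on_corporate_network: bool # True when connected via office LAN or VPN


def is_file_sharing(name: str, category: str) -> bool:
    """True when either the product name or its category matches a P2P keyword."""
    text = f"{name} {category}".lower()
    return any(keyword in text for keyword in P2P_KEYWORDS)


def check_host(report: HostReport) -> list:
    """Return the policy findings for one laptop, most serious first."""
    findings = []
    for name, category in report.installed:
        if is_file_sharing(name, category):
            findings.append(Finding("high", f"{report.hostname}: prohibited file-sharing software installed: {name}"))
        elif name not in APPROVED_SOFTWARE:
            findings.append(Finding("medium", f"{report.hostname}: unauthorized software installed: {name}"))
    if not report.firewall_enabled:
        # A disabled firewall matters most when the laptop is on someone else's
        # network, where the enterprise perimeter firewall cannot help.
        if report.on_corporate_network:
            findings.append(Finding("medium", f"{report.hostname}: host firewall disabled"))
        else:
            findings.append(Finding("high", f"{report.hostname}: host firewall disabled while off the corporate network"))
    findings.sort(key=lambda f: 0 if f.severity == "high" else 1)
    return findings


def fleet_summary(reports: list) -> dict:
    """Map each hostname to its number of findings, for a quick fleet overview."""
    return {r.hostname: len(check_host(r)) for r in reports}


# Constructed sample fleet: one laptop at home with a P2P client and no firewall,
# one with a harmless but unapproved program, and one fully compliant machine.
FLEET = [
    HostReport("laptop-0412",
               [("Office Suite", "Productivity"), ("PDF Reader", "Utility"),
                ("ShareMyFiles", "File Sharing (P2P)")],
               firewall_enabled=False, on_corporate_network=False),
    HostReport("laptop-0077",
               [("Office Suite", "Productivity"), ("Photo Organizer", "Media"),
                ("Antivirus Agent", "Security")],
               firewall_enabled=True, on_corporate_network=True),
    HostReport("laptop-0301",
               [("Office Suite", "Productivity"), ("Corporate VPN Client", "Network"),
                ("Antivirus Agent", "Security")],
               firewall_enabled=True, on_corporate_network=True),
]

if __name__ == "__main__":
    for host in FLEET:
        for finding in check_host(host):
            print(f"[{finding.severity.upper()}] {finding.message}")
    print(fleet_summary(FLEET))
```

The approved list is deliberately an allowlist rather than a blocklist: a new file-sharing client with an unfamiliar name still shows up as "unauthorized" even if the keyword match misses it, which is the same reason the post recommends preventing installation outright rather than chasing individual programs.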
The Bottom Line
- Use the tools available when it makes sense. The total present-value cost of a desktop management solution over the next 5 years is probably cheaper than the cost of repairing the damage done by such a breach.
- Get serious about security awareness in the organization. Policies are no fun to read, and just having them doesn't make them happen automatically. Security awareness training, regularly updated, is essential. But it doesn't have to be tedious, and people need to be kept up to date on what to watch for.
- Use software firewalls on all laptops to cover the times when the laptop is bypassing the enterprise's network security (e.g. at home, in hotels, at Wi-Fi hotspots, etc.).
Do you have any comments on this case study? Feel free to speak your mind.
Disclaimer: This analysis is based only on the breach information provided in the SC Magazine article, which is assumed to be accurate. It is intended only as general security management guidance, and to illustrate approaches that can help reduce security risks in an organization. If you would like assistance with this type of analysis for your organization, you can contact me.