The wrong kind of empowerment reduces security and puts the organization at risk
Two really good examples of why you should not ignore insider threats popped up this week in Florida (click HERE) and in France (click HERE).
When an employee feels threatened by the organization or their management, you have to expect that they will at least consider using whatever leverage they have at their disposal. So, it’s best not to give them the wrong kind of leverage.
In the Florida case, the employee used her privileged access to sensitive information for pro-active revenge against her employer, when she thought it was advertising for her position in the newspaper classifieds. So, she deleted 7 years’ worth of files valued at $2.5 Million. The files were recovered at great expense, presumably by a disk recovery service, since there were no backups. It’s a good thing they weren’t using “secure delete” technology.
In the French bank case, a rogue trader apparently lost $7 Billion of his employer’s money trying to cover up his own trading mistakes. He also had privileged access, apparently because he had worked in certain areas of the company where he was able to learn enough about the company’s security safeguards to be able to bypass them, so he could create fictitious transactions. With transaction values of that size, shouldn’t God be involved in authorizing them?
I can just see the “old-school” managers pointing to these examples and saying, “Look what happens when you use those newfangled Empowerment philosophies! I told you so. You can’t trust employees.”
Actually, empowerment is not about blindly trusting employees with the keys to the kingdom. It is about aligning the organization’s objectives with those of the employees, so that there is less waste in the system. Security should not take a back seat to empowerment and employee satisfaction.
Employees have to know that it’s OK to make mistakes if they are genuinely trying to do the right thing, but that they will be held accountable, and there will be checks and balances. You can empower them to be free to do what they think will be best for the organization, but any abuse of the system will be detected and responded to.
Preventative safeguards are always desired, but where matters of trusting insiders are concerned, you may have to use less rigid preventative safeguards (such as separation of duties, so that no one person can cause an unacceptable impact on operations), and supplement them with more detection, response and recovery safeguards, such as real-time verifications and backup/recovery mechanisms.
So, next time you see an employee who seems less “gruntled”, or more “stressed” than the others, don’t make any sudden moves (like advertising their jobs in the paper, for example). First, run through your security audit checklist and make sure the checks and balances are in place. Just as a police officer places a hand on his gun, but doesn’t draw it, as he makes routine traffic stops, you have to be cautious and aware of all possible outcomes.
Let them know you trust them, but not blindly.


Sue Massey on 27 Jan 2008 at 8:52 pm
I found your site on google blog search and read a few of your other posts. Keep up the good work. Just added your RSS feed to my feed reader. Look forward to reading more from you.
- Sue.
Scott on 30 Jan 2008 at 6:37 am
Over at BlogInfoSec.com (click on http://www.bloginfosec.com/2008/01/30/french-trader-jerome-kerviel-spoofed-emails-to-legitimize-fake-transactions/ ), Kevin has provided a Babelfish translation of some of the testimony of the French trader. As most people have realized at some point, it is often possible to change plaintext email messages without detection.
While I have a certain amount of experience with Public Key Infrastructure, I try not to be a PKI Policy-Thumper in proposing digital signatures as a solution to everything. One of the biggest users of PKI technology for protecting the confidentiality and integrity of “large-value transactions” is …drum roll please… THE FINANCIAL INDUSTRY! The reason for this is that it is rather expensive to set up the infrastructure needed (Certificate Authority, LDAP Directory, Registration Authorities - all governed by documented policies and practices). But when you get into large value financial transactions that NEED INTEGRITY, it makes good business sense to use PKI as a preventative and detection safeguard.
If companies like, say, ENTRUST (a PKI vendor with a good product for such purposes), don’t make good use of this example to tip a few license sales, they might need some new suits for their Sales Teams. This is their bread and butter.
Of course, same goes for the CIO and/or Chief Security Officer of any financial institution that doesn’t use appropriate safeguards to protect such high value financial transactions.