Security from the ground up

Proving that someone really is who they say they are isn’t easy. Or more to the point, it isn’t easy to establish that they are who you want them to be, namely the job candidate with the impeccable references and dazzling resume.

In your recruitment process, you try to weed out the venal and the corrupt, and you work hard to avoid inadvertently hiring an arch-criminal or aspiring serial killer. If you put your mind to it, you would presumably also prefer to know whether close family members of prospective or existing employees have ties to Al Qaeda, or criminal records the length of Yonge Street.

Of course, many of us have skeletons in the closet, and just because Uncle Johnny would steal bread from the mouths of orphans doesn’t mean that his brother or cousin is cut from the same cloth. But if your employees work with highly sensitive data, or have jobs that require tact and discretion, and, preferably, limited contact with organized crime figures, conducting background checks is a necessity. You need to speak with your lawyer to see what degree of scrutiny is permissible by law in your jurisdiction. But check you should.

A good example of how individuals can work a system from the ground up, to inveigle their way into positions of trust with potentially devastating consequences, is the case of Nada Nadim Prouty.

Prouty, 37, emigrated to the United States from Lebanon in 1989. She paid an unemployed U.S. citizen to marry her to enable her to remain in the country legally, but continued to live with her sister. She used the cover of the fake marriage, supported by a series of fraudulent and forged documents that attested to its validity, to obtain US citizenship in 1994. She divorced her ‘spouse’ shortly afterwards. It appears that she used a series of different names throughout the period of her metamorphosis from illegal alien to American success story.

Before she hit the big time, Prouty worked as a waitress at La Shish Inc., a chain of shish kabob restaurants in Detroit, owned by Talal Khalil Chahine.  Chahine is reported to have written a letter to US immigration authorities supporting the validity of Prouty’s false marriage. Prouty’s ingenuity in obtaining US citizenship was rewarded in April 1999, when she gained employment as a special agent of the FBI, presumably passing the rigorous background checking procedures in place at the intelligence agency, as well as a polygraph test. She was granted a security clearance and assigned to the FBI’s Washington Field Office.

Her sister married Chahine in 2000, and shortly afterwards, Prouty accessed the FBI’s computerized Automated Case System (ACS), without authorization, to run a background check on her own name, her sister’s name, and that of her brother-in-law, Chahine. Prouty had good reason to be worried.

In August 2002, Prouty’s sister and Chahine attended a fundraising event in Lebanon where the keynote speakers were Chahine and Sheikh Muhammad Hussein Fadlallah, designated by the U.S. government as a terrorist, due to his status with Hizballah.

A few months later, Prouty again accessed the FBI’s computer systems and looked up information from a national security investigation into Hizballah that was being conducted by the FBI’s Detroit Field Office. She had no ‘need to know’ anything about Hizballah, so her snooping raised a red flag.  However, her actions did not impede her career, and she left the FBI voluntarily in 2003, to work for the CIA.

Her Arabic linguistic skills stood her in good stead, and reports indicate that she was sent to Baghdad to help interrogate captured insurgents, and that she was involved in the investigation of the USS Cole bombing in Yemen.

In 2006, Chahine and Prouty’s sister were both charged with tax evasion and money laundering funds for Hizballah.  Prouty’s sister was sentenced to 18 months in jail.  Chahine is a fugitive, and believed to be in Lebanon.

Prouty recently pleaded guilty in Detroit to three charges related to ‘marriage fraud’ (although the limitation period had actually run out on that charge) and to unlawfully accessing a federal computer system. She is unlikely to spend much time, if any, in jail, as she is undoubtedly vigorously ‘co-operating’ with US federal authorities, who are extremely anxious to ascertain whether she was in fact a Hizballah mole, or just a talented grifter with unsavoury relatives and singularly poor judgment.

Some folk have asked how an illegal alien from Lebanon, working as a waitress at a shish kabob restaurant in Detroit, could outwit US immigration, conceal high-risk familial connections and a demonstrated eagerness to protect them, and obtain front-line employment with both the FBI and the CIA.

This is a good question. And one we might all learn from.

Workplace monitoring makes waves

Everyone does it, so it can’t be wrong, can it?

Who hasn’t used the corporate network and company PC to surf non-work related websites, or to send web-based e-mail with riotous attachments to friends and family? This stuff is hard to resist, and many employees probably think that the IT department needs to lighten up.     

But, alas, the fun isn’t always clean, and the seemingly harmless "goofing off" can have serious consequences that can lead to disciplinary action, including the firing of employees who breach company policy.    

The problem is that Internet misuse eats bandwidth and consumes data storage space that could be used to actually run the business. And it’s not always true that under-stimulated employees merely surf cute and harmless websites to escape their blighted Dilbert existence, rather than actually burning the place down — clearly an even less desirable outcome.   

For instance, if male workers routinely access porn sites, they may expose a corporation to liability and charges of harassment from female workers who don’t appreciate the racy humour. In the U.K., an audit of workplace PCs by security firm PixAlert discovered that more than a quarter (25.8%) of the 10,000 PCs scanned contained pornography or other inappropriate images.

On an equally depressing note, the 2006 Department of Trade and Industry's (DTI) Information Security Breaches Survey found that employee misuse of Internet resources was the second largest cause of reported security incidents, after viruses, for large U.K. companies.

The reason is that employees playing computer games, or gambling online, can inadvertently download malware — malicious computer code — that cuts a hole right through the firewall. And downloading unauthorized applications at work, such as plug-ins, to enhance your personal surfing experiences can lead to a mile of trouble as hackers increasingly probe web-based applications for vulnerabilities.   

But simply having a policy outlawing such behaviour isn’t a magic recipe for success.

The DTI survey also found that 63% of all U.K. companies surveyed, and 89% of large firms, had an IT acceptable-use policy, but employees still ran riot. It also noted that far more U.K. companies have an IT acceptable-use policy than an information security policy, bad news in itself, as the link between the two clearly hasn’t been made, or communicated to employees.

So what should you be doing to keep employees in line, without starting a mutiny?

The legality of workplace monitoring tools is not clear-cut. Generally speaking, especially in the private sector in Canada, employers can use technology to ensure that at least someone is actually working at least most of the time, and for compliance with a variety of workplace related laws.

But an employer must have a “reasonable” and legitimate purpose for collecting the information, and an acceptable use policy that clearly sets out, in plain English, what is permissible and what is not, and the ramifications of non-compliance. Employees must sign off on the policy, and less is invariably more; the Canadian data privacy commissioners tend to take a dim view of employers "over-reaching." They especially dislike "continuous" workplace surveillance, or employee monitoring that is unrelated to a legitimate business purpose.

But some employers are fighting back. The University of B.C. has appealed an order by the B.C. Privacy Commissioner’s office that rebuked it for using monitoring software to track the workplace habits of an employee who spent up to four hours a day surfing non-work-related websites, including sites for job seekers.

He was fired by UBC for wasting company time and general tardiness. The basis of the appeal is that the order prevents UBC from investigating employee misconduct; UBC also claims that warning employees before firing them, as suggested by the privacy commissioner, is impractical.

The decision may provide some much needed clarity on where employers need to draw the line.    

Treat electronic data with respect

Morgan Stanley & Co., the global investment bank, got on the wrong side of U.S. regulators a while back, and it has been writing large cheques ever since to try to appease them.

This time, it has agreed to pay $15 million to settle Securities and Exchange Commission (SEC) charges, arising from investigations into various aspects of the firm’s market activities over the period from 2000 to 2005, for failing to meet its electronic production obligations. The SEC charged that it failed to turn over "tens of thousands" of e-mails to regulators in a timely and consistent fashion.

As part of the settlement, Morgan Stanley agreed to pull up its socks and get the necessary help to improve its internal controls and policies to ensure that electronic data is preserved in accordance with regulatory and legal requirements. One might rationally expect better things from a blue-chip, lawyer-heavy, multibillion-dollar operation, but there it is.

At the end of 2002, Morgan Stanley and four other Wall Street banks paid regulators a hefty $1.65 million each to settle allegations that they effectively had lousy data retention policies.

Morgan Stanley’s electronic discovery woes got them into hot water on several fronts — not merely with regulators, but also with the trial judge in a lawsuit with Ron Perelman, corporate raider and proprietor of the Revlon cosmetics brand.

In that case, which is still dragging its way up the appeal courts, the trial judge became quite incensed at the bank’s Monty Python-esque efforts to locate relevant electronic data, especially in the form of backup tapes and/or archived and stored data, and, as a result, she made some horribly prejudicial rulings against it. One minute, the court was told that backup tapes containing relevant electronic data had been destroyed during the tragic events of September 11; the next minute, the tapes, plus more that no one knew existed, were located on shelves in sub-offices, and so it went.

Take it from someone who knows: If you tell a judge ‘X’, hand on heart, you'd better be right. Crawling back, cap in hand, to fess up — “Well, actually, when I said we had no data relating to that issue, I was not aware that there were 30 boxes of tape under Johnny’s desk” — is your worst litigation nightmare. At that moment, selling counterfeit watches on Yonge Street from a battered suitcase looks like a wise career move.

It doesn’t take a genius to figure out that companies, small and large, are swimming in data, and that most of them have no idea what data they have or where it resides; whether it is on portable drives and USB tokens, or PDAs, laptops, and home office computers.

It may have traveled across the ether by way of instant messaging or peer-to-peer services that may or may not be tracked and/or stored and archived. It may be deleted in one location, and not in another; it may contain meta-data (such as formatting information) that has nuggets of information that your nemesis in litigation considers of the utmost importance.

If data has been encrypted, are you sure you can recover it? Is the vendor still supporting the underlying software? Do you have key management policies and procedures in place to address these issues? Can you be reasonably sure of the integrity of the data you may need to produce in a courtroom? When the regulators come calling, or where litigation is contemplated or threatened, the obligation to produce relevant, and reliable, data works both ways, and you will likely be faced with time constraints to do so.

In addition, if the court, or the regulator, hears evidence about shoddy data management policies, or inadequate security to protect the integrity of data, you may be unable to rely on evidence that supports your case. It may be deemed too unreliable to warrant admission or consideration.

However, retaining too much data can be as damaging as keeping too little.

In the recent European Union (EU) appeal court antitrust ruling against Microsoft, the regulators, and the court, placed considerable weight on evidence gleaned from e-mails from Bill Gates and more lowly MS executives, which tended to throw considerable (negative) light on internal company strategy, and which seemingly contradicted the company’s defensive position.

You need to get input from senior management, legal, IT, and the security and forensics folk, to define a legal, and workable strategy. You will save yourself, and your unfortunate lawyers, a wealth of grief if you do so now.

Don’t leave it to the last minute, when your back is to the proverbial wall. Life is hard enough.

Education may not be enough to ensure compliance

It is a sad fact of life that even the trained gatekeepers of highly sensitive data are as susceptible to scam artists as Joe Public.

The U.S. Treasury Inspector General for Tax Administration (TIGTA) recently released a report with the results of a review on the susceptibility of Internal Revenue Service (IRS) employees to social engineering attempts — basic con-artist scams, such as pretending to be from the audit department or a senior executive — that could be used by hackers to gain access to IRS systems.

TIGTA had conducted similar social engineering tests in 2001 and 2004. In August 2001, 71 of 100 employees targeted had provided user names and changed their passwords on request. In December 2004, only 35 out of 100 employees succumbed. Progress seemed to have been made, and hopes were high for 2007.

After the 2001/2004 audits, recommendations were made to improve employee training, and publications were distributed with examples of social engineering attacks.

The not especially wily TIGTA auditors made 102 telephone calls to IRS employees in one day, "including managers and a contractor," posing as computer support help desk representatives. The undercover operatives asked for each employee’s assistance "to correct a computer problem and requested that the employee provide his or her user name and temporarily change his or her password to one they suggested."

Hardly in the first rank of deviousness, but the unimaginative scenario did the job — the auditors convinced 60 per cent of the 102 employees to do their bidding, despite the training materials and reminders in existence to ameliorate the problem since 2001.

The audit also revealed that managers were more lax than the rank and file, by a margin of over 12% — not an especially reassuring statistic for senior management.

I was relieved to see that neither of the two unfortunate employees targeted by the auditors in the Office of the Chief Counsel capitulated, but unfortunately one out of two employees in the Criminal Investigations office opened the kimono — not the type of healthy skepticism one would expect to see from that particular office.

A post-mortem exercise was conducted to try to understand why the errant employees gave up the password ghost without a fight, but the results are not especially illuminating. I imagine that the transgressors were not exactly thrilled to be called upon to explain the error of their ways, and thus may not have been especially candid in their responses.

The largest group (about one-third) simply indicated that they believed what they had been told; 10 employees thought that changing their passwords was not the same as disclosing them, which they knew was against the rules; eight employees admitted to knowing the rules and doing it anyway; seven employees said they had, or were having, computer problems — as if that somehow made it right; four employees were oblivious to the rules; and 11 employees provided no reason at all.

The 41 employees who passed the test were fairly evenly divided between skeptics who did not believe the scenario presented by the auditors and those who understood the need to protect passwords from "training programmes, e-mail advisories, or group meetings." Or maybe they just got lucky, or were in a grumpy mood.

TIGTA also evaluated whether any of the employees targeted had checked, after the fact, to see if the scenarios presented to them were legitimate, or if they alerted security that scam artists might be at work and a security risk imminent. Only one employee contacted the IRS computer security group, and the manager of the audit team received telephone calls from three employees to verify the calls were part of an official TIGTA audit; the TIGTA Office of Investigations also received contacts from four employees who had been targeted as part of the test.

TIGTA was rightly concerned that when attempts at social engineering are not reported to appropriate personnel, "the IRS cannot investigate incidents and take action to minimize the effect of a security breach."

What was abundantly clear from the test was that the corrective measures (e.g. education and outreach programmes) put in place in 2004 were ineffective in mitigating the threat of social engineering attacks that might result in the exposure of highly sensitive taxpayer data, and in instances of identity theft and other egregious consequences.

TIGTA concluded that IRS employees "either do not fully understand security requirements for password protection, or do not place a high priority on protecting taxpayer data in their day-to-day work."

Despite the discouraging results of the audit, TIGTA did not recommend that the IRS abandon training employees to improve compliance with corporate security policy. Rather, it suggested that employees be given an incentive to comply, such as by augmenting existing policy with disciplinary action, when security violations resulted from employee negligence or carelessness.

Clearly you don’t want to wield the big stick with employees unless you have to, but be aware that the stakes are high: cyber-criminals are as focused on business efficiency as legitimate operations.

If scammers can charm, bully, or bamboozle their way past your employees to get what they need to take you, or your customers, to the cleaners, have no doubt, that is exactly what they will do. And, in the process, they will make light work of all the expensive technology tools you have in place to protect critical data.

Don’t make it easy for them.

The final cut is the deepest

As I mentioned last time, banking online in New Zealand just got a whole lot scarier for consumers, who probably assume that major institutions, such as banks, will keep them safe in cyberspace.    

The New Zealand Banking Association (NZBA) has defended its new banking code of practice that potentially makes New Zealanders liable for online banking fraud, as an effort to "educate" consumers about the risks of online banking. It also indicated that individual cases will be considered on a “case by case basis,” and that they will “do what is reasonable”.

Although at first glance it seems like the NZBA has succeeded in pulling a fast one on local consumer protection groups, who appear to have been asleep at the wheel, I am convinced that the victory will be short-lived, as the entire concept is too poorly conceived, and devoid of any strategic insight into what glue holds the financial sector together, to be tenable long-term.         

Reports in the NZ media suggest that consumer protection groups realize that they have been out-flanked and out-maneuvered and are trying to regain a foothold in the race, long after the horse has bolted; they are seeking clarification from the NZBA respecting the liability provisions in the code, and expressing concern about the extraordinary provision that allows local banks to inspect consumers’ computers before deciding to reimburse them, if they lose money to scam artists.

I have grave concerns about the legality of this latter provision, but I can only assume that NZBA lawyers looked it over before it came into effect. But maybe not. Stranger things have happened.

In any event, local news media are probably salivating at the prospect of stern-faced banking officials showing up at the door of Mrs Maloney, the distressed, recent victim of cyber-fraud, to seize her computer (full of photos of the grandkids) and take it away ‘for inspection’.

Just imagine the scene: the tussle for possession, the screaming, the sobbing, the inevitable tearful interviews with local talk-show hosts, the mass race to close out bank accounts at the offending callous institution: positively riveting television viewing. Banking officials will wish the earth would swallow them up, and heap their displeasure in the direction of the NZBA.

US banking regulators are far smarter than that, and they have worked hard to head off such precipitous action by member banks. Years ago they issued an edict that discouraged US financial institutions from passing liability for online banking fraud onto consumers, rationalizing that such action could result in a crisis in consumer confidence, and undermine the reputation and trustworthiness of the entire sector.  

The Australian Banking Association has got the message, and will not meander blithely up to the gallows: it recently issued a self-serving statement to the effect that it will not be following the example of the NZBA by going into the home PC security inspection business, or pursuing defrauded banking customers unto death, provided (and here is the kicker) ‘it is clear that the user has not contributed to the loss’. Needless to say, the latter statement gives them ample room to maneuver.

However, this epidemic of ‘tough love for consumers’ is not confined to New Zealand. The Australian Securities and Investments Commission (ASIC) made proposals in a consultation document published last year as part of a revision of the EFT (Electronic Funds Transfer) Code of Practice, suggesting that consumers ought to be liable for online banking fraud if they didn’t have ‘adequate’ security measures in place, or words to that effect.

ASIC is understandably reluctant at this precise juncture to emphasize that aspect of the proposal, and representatives have publicly declined to comment on whether the consumer liability provisions have made the final cut, indicating that there will be “further public consultation on the re-drafting of this code."

One can only hope so.

And what lessons should industry take out of this whole affair?

Businesses should not have to be reminded that brand value is a key corporate asset, and that poorly conceived, short-term actions (which have the potential to come back to haunt them a thousand times over) may be regretted for many years to come. Especially when the competition is just one click away.

Much has been written about the resurgence of interest in corporate strategy in many a corner office. But I have also heard whining about how developing an enduring strategy for success (rather than mere benchmarking) is so difficult to conceive. But nothing worth doing is not worth doing well. And sometimes knowing what not to do is as good a start as any.

Put the cyborg on the barbie

No one can accuse Australian police chiefs of not thinking ahead. So far ahead, indeed, that one might be forgiven for thinking that the worst drought in recent history is causing more than a shortage of milk down-under.    

According to a report in the Sydney Morning Herald, Australian Federal Police Commissioner, Mick Keelty, recently told a federal parliamentary inquiry investigating organized crime issues, that ‘technology such as cloned part-robot humans used by organized crime gangs pose the greatest future challenge to police’. He went on to express concern, undoubtedly extremely well founded, that Australian police lack resources and skills to counter this futuristic threat.

I feel secure predicting that the RCMP would feel similar trepidation faced with robots intent on cyber-Armageddon.

But before we rush to conclude that Mr Keelty has bats in the belfry, we should recall the judgment of the 9-11 Commission to the effect that a failure of imagination, an unwillingness ‘to expect the unexpected’ contributed to the success of the fatal attacks on US soil. So maybe Australian law enforcement should be commended for trying to think out of the box.

However, me-thinks that we have far more mundane challenges in the here and now, and that consequently, we should put the threat from robotic bad guys and chimeras down our list of priorities, tantalizing as it may be to make the leap. We badly need to learn to walk before we can run, or fly, or dance the light fantastic.

Indeed, when it comes to novel approaches to endemic problems, there is a font of esoteric thinking in circulation right now down-under. But it is not all benign.

In fact, if you are planning a once-in-a-lifetime trip to New Zealand to see Frodo’s extravagantly beautiful homeland, and/or to bungee jump your way to permanently bloodshot eyes, take plenty of cash with you.

A new Code of Practice for the financial services sector has come into force in New Zealand, extending to the online banking environment. What makes it interesting is that regulators, policy makers, and consumer advocates inexplicably signed off on a provision that authorizes banks to inspect customers’ home computers before they reimburse them, in the event they suffer financial loss, for instance, if they fall victim to a phishing scam.

The purpose of the inspection is, ostensibly, to ascertain whether the customer in question had ‘reasonable’ security measures in place.

But what constitutes reasonableness in this arena, when even jaded experts take the bait, as attacks become infinitely more sophisticated? Some commentators have expressed the view that consumers down-under have a choice: they can choose to ‘do their bit’ on the security front, and/or face increased banking fees as cyber-crime increases, or they can ‘choose’ to drive 300 miles in the outback to see a teller at a branch.

With choices like that, who needs ultimatums? And what about employers? How might this impact them? How would they feel about financial institutions inspecting home computers replete with corporate data, downloaded by sadly remiss remote workers? Who would you trust to do that inspection? Surely such draconian measures simply open yet another door for all manner of unintended consequences.

Not to mention the fact, oft expressed by me over the years in this newspaper, that technology is still way too complex at this juncture to render security measures plug and play. For many consumers faced with unending and frequently inexplicable choices, setting up a secure computer environment at home is just way too much work. So they plug and pray, and then walk away.

The technology conundrum is compounded by wily scam artists migrating to the web in droves, seeking a quick and easy buck. It is a mess, with no solution in sight any day soon. And in my judgment, consumers should not be made responsible for the technology industry’s inability to sort the mess out.

When the cyborgs finally come calling, we better hope that we are further ahead than we are now. Or we are surely done like dinner.

A stone left unturned

Hatshepsut was Pharaoh of Egypt for 22 years. She initially babysat the throne for her stepson, Tuthmosis III, the rightful heir, who was too young to reign when he first inherited it. Hatshepsut probably told him, in time-honoured fashion, that she was only "minding it for him" until he grew up. But then when he did, she omitted to give it back and had herself crowned in his stead.       

Hatshepsut, not short on ego, was frequently depicted wearing a beard and male attire, probably an effort to shore up her dodgy claim to the throne. She also built many great monuments with her head on them, where Tuthmosis’s head unquestionably should have been.

It must have been galling.

But Tuthmosis grew up to be a general, with troops at the ready, and it seems that he could have taken out the old bird any time he felt like it. So why did he choose not to take back what was rightly his?

Tuthmosis was a patient man, who probably believed that revenge is a dish best served cold: He waited until his step-mum was as cold as nature could make her, and then he made his rather audacious move.  

When Hatshepsut died, at the ripe old age of 50, Tuthmosis put his stonemasons to work, with chisel and hammer, to carve out her image from every object that bore it, and her monuments were razed to the ground. In addition, scribes went to work on the coldest cut of all: With pen and ink, they removed every reference to her in the annals, and her legacy was obliterated from public records.

When he was done with her, it was as if Hatshepsut had never existed. In a sense, Tuthmosis stole his stepmother’s identity.  

But archaeologists have recently identified her body, or so it seems, and her legacy, long a source of mystery and intrigue, will certainly live on. Tuthmosis’s revenge remains incomplete, although not lacking in execution.

Fast forward to 2007, when it is not nearly as easy, even for a modern-day Pharaoh, with supercomputers at the ready, to scrub out someone’s identity, although it is accomplished without much difficulty in many Hollywood movies, where all things are possible.

Today, in most cases, the challenge is that every piece of information that is reduced to bits and bytes is probably cached somewhere, ready to re-emerge and embarrass us at the most inopportune time.

A recent case in Australia is a good example. A recruitment company inadvertently exposed personal data from 2000-2001 on the Web, where it remained for at least a month. The data was stored in a customer relationship management (CRM) database and several spreadsheets.

As well as personal details about potential clients, sales people are quoted making derogatory comments about their targeted accounts. One prospective client is referred to, by name, as a "retard," and another as a "good for nothing."

According to reports in The Age newspaper, these individuals, who may have moved up the food chain at their respective companies by now (most of the companies still exist), "include large and small businesses, federal and state government agencies, non-profits and even several AFL teams."

Such an unfortunate episode is unlikely to win the errant company any friends, or enable them to gain influence with government movers and shakers.

CRM databases and spreadsheets are, of course, useful repositories for data about current and prospective clients, but it bears stating the obvious: They should not be replete with derogatory or personal comments that might prove offensive or upsetting to the objects of their affection, should they inadvertently see the light of day.

A client whose personal data has been exposed on the Web, with potentially adverse financial consequences, will not be mollified to learn that the security breach was accompanied by unflattering personal characterizations. And unlike Tuthmosis, he or she is most unlikely to wait decades before seeking retribution, with a plethora of lawyers and regulators at the ready to seek amends.

But if such data does exist, and you want to remove it, be sure to truly obliterate it.

Remember that hitting "delete" does not remove data for all time. On most systems it merely unlinks the file: the bytes stay on the disk until they happen to be overwritten, database rows linger in freed pages, and copies live on in backups, mirrors and search-engine caches, just waiting for primetime.
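As an added illustration, not part of the original column: the same holds inside a database. The short Python program below uses SQLite from the standard library, standing in for the CRM system in the Australian story, to show that a committed DELETE leaves the deleted note's bytes in the database file until the engine is told to scrub freed space (here with SQLite's secure_delete pragma). The note text, table and file are constructed for the demo.

```python
"""Added example (not from the column): a database "delete" does not remove
the bytes from the file unless the engine is told to scrub freed space.
SQLite stands in for the CRM database in the story."""
import os
import sqlite3
import tempfile

# Constructed sample: the kind of free-text note that should never sit in a CRM.
MARKER = b"sales note: this prospect is a good for nothing"


def delete_leaves_bytes(secure_delete: bool) -> bool:
    """Create a one-row table, DELETE the row, commit, close, then report
    whether the note's bytes are still present in the raw database file.

    secure_delete=False is SQLite's ordinary behaviour: the freed cell is
    unlinked from the page's cell index and its bytes stay in the file.
    secure_delete=True makes SQLite overwrite freed content with zeros.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "crm.db")
        conn = sqlite3.connect(path)
        conn.execute("PRAGMA secure_delete = " + ("ON" if secure_delete else "OFF"))
        conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
        conn.execute("INSERT INTO notes (body) VALUES (?)", (MARKER.decode(),))
        conn.commit()

        conn.execute("DELETE FROM notes")   # what the CRM's "delete" button does
        conn.commit()
        remaining = conn.execute("SELECT count(*) FROM notes").fetchone()[0]
        conn.close()
        assert remaining == 0, "the row is gone as far as SQL is concerned"

        # Look at the file the way an attacker or a search-engine crawler would.
        with open(path, "rb") as f:
            return MARKER in f.read()


if __name__ == "__main__":
    print("bytes survive DELETE (secure_delete OFF):", delete_leaves_bytes(False))
    print("bytes survive DELETE (secure_delete ON): ", delete_leaves_bytes(True))
```

The first call returns True (the note is still in the file after a successful DELETE), the second False. Two caveats a practitioner will want: the rollback journal written during the DELETE held a copy of the page and is merely unlinked after commit, so the bytes can also survive in the journal's freed disk blocks; and products that implement "delete" as a soft-delete flag never free the row at all. Before declaring anything obliterated, export a copy of the store, search it for what you thought was gone, and check backups and search-engine caches too.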

And history tends to repeat itself.


Beware "wilfers" and the computer-challenged

Researchers at Siena University in Italy, focused on the pursuit of happiness, recently unveiled the fruits of their labour. They found that a misery wart with no friends has to earn $320,000 more each year to have even a fighting chance of being as happy as a gregarious colleague.

It is not clear to me how they came up with that precise number, but it bears keeping top of mind for your next performance review. But if you don’t have $320,000 more than the next guy, or gal, and little prospect of acquiring it in the foreseeable future, what to do?

Chances are that a fair quotient of head-fried and impecunious workers will start aimlessly surfing, or "wilfing," short for "What Was I Looking For?" And they will do so on company time.

A U.K. survey has found that two out of three British Internet users are inveterate "wilfers," and that the popular pastime costs employers two working days a month in lost productivity.

Men are worse offenders than women, and their established aversion to real-world shopping is apparently not replicated in cyberspace, especially if the choice is between working and checking out the latest big-screen TV online. The survey also found that a third of men routinely wilf on adult entertainment sites, a penchant that research shows can lead to marital disharmony.

However, workers who routinely surf porn sites risk more than domestic harmony. Such behaviour can also have severe repercussions in the workplace: co-workers, female colleagues in particular, are entitled to a working environment free of harassing and offensive material, and they have been known to sue their employers to get one.

In addition, workers with minimal computer or Internet skills, reliant on employers to protect the tools they work with from such illicit content, can end up in situations they are ill-equipped to address, sometimes with devastating consequences.

A good example is the case of Julie Amero, 40, a Connecticut middle-school substitute teacher convicted earlier this year of exposing her young charges to pornographic images on her classroom computer screen. She faced up to 40 years in prison for the incident that she attributed to pop-up spyware messages that infested her machine, and that she could not control.

At her trial, she was faulted for not turning off the computer, but she stated that she was told by superiors not to turn it off, and that when she asked them for advice about the malignant pop-ups (she did not, apparently, mention that they contained pornographic images), she was told to ignore them as they were such a frequent occurrence.

There was evidence that anti-spyware software on the school's network had expired, but the defence was not permitted to introduce evidence of how malware may have entered her computer through no fault of her own. Prosecution evidence that the pornographic images existed on her computer while she was teaching the children was her downfall, as the jury accepted the suggestion that she must have wilfully visited the offending web sites to view them. That the images were present says nothing by itself about how they arrived; a file fetched by a pop-up script sits in the browser cache exactly like one the user asked for.

Things are looking up for Amero, but the case has alarmed educators, who fear that they could easily end up in a similar predicament, with substitute teachers without union representation possibly being especially vulnerable. The concern is that teachers, especially those who are not technology savvy, are not trained to react in such circumstances and/or they blindly trust employers to prevent such scenarios arising in the first place.

There have even been wild-eyed suggestions that teachers in Connecticut may revolt and refuse to use their computers, until they are fully trained on how to use them.

But some measure of responsibility must indeed lie with employers to keep their employees, and their young charges, safe in cyberspace, and to give them sufficient knowledge of the security threats that exist to enable them to react with confidence in the event that the worst happens.

Employers are also advised to ensure they have security policies in place, and logging and forensic capabilities on their networks to deter real offenders, and to ensure that the security industry's scepticism about claims from corrupt insiders that "the computer did it" does not inadvertently trap the guileless and the unwary. The same logs that convict the guilty are what exonerate the innocent: they record not just which pages were fetched but when, how quickly and from where the browser was sent.
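An added example of what such logging buys the accused as well as the accuser, not code from the column: the Python below runs a timing and referrer heuristic over constructed proxy log lines. Deliberate browsing shows as requests spaced seconds or minutes apart, typed or clicked from the page being viewed; a pop-up or redirect storm shows as many requests to many hosts within a second or two, every one of them referred from some other site. The log format, hostnames and thresholds are assumptions for the demo, not a product's format or an established standard.

```python
"""Added example (not from the column): a timing/referrer heuristic over
constructed proxy log lines, to separate a script-driven pop-up or redirect
storm from deliberate browsing. Format, hosts and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample, fields: "time client method url referer" ("-" = none).
# Three slow, same-site clicks, then an ad script fans out to six sites in 2 s.
SAMPLE_LOG = """\
2007-03-06T10:02:01 10.1.1.20 GET http://www.hairstyles-example.test/ -
2007-03-06T10:02:45 10.1.1.20 GET http://www.hairstyles-example.test/bob.html http://www.hairstyles-example.test/
2007-03-06T10:03:30 10.1.1.20 GET http://www.hairstyles-example.test/layers.html http://www.hairstyles-example.test/bob.html
2007-03-06T10:05:10 10.1.1.20 GET http://ads.example-network.test/pop.js http://www.hairstyles-example.test/layers.html
2007-03-06T10:05:10 10.1.1.20 GET http://a1.adult-example.test/ http://ads.example-network.test/pop.js
2007-03-06T10:05:10 10.1.1.20 GET http://a2.adult-example.test/ http://ads.example-network.test/pop.js
2007-03-06T10:05:11 10.1.1.20 GET http://a3.adult-example.test/ http://ads.example-network.test/pop.js
2007-03-06T10:05:11 10.1.1.20 GET http://a4.adult-example.test/ http://a1.adult-example.test/
2007-03-06T10:05:11 10.1.1.20 GET http://a5.adult-example.test/ http://a2.adult-example.test/
2007-03-06T10:05:12 10.1.1.20 GET http://a6.adult-example.test/ http://a3.adult-example.test/
"""


def parse(log_text):
    """Turn log lines into events with a timestamp, client, host and referer host."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, ref = line.split()
        events.append({
            "t": datetime.fromisoformat(ts),
            "client": client,
            "host": urlsplit(url).hostname,
            "ref_host": None if ref == "-" else urlsplit(ref).hostname,
        })
    return events


def find_bursts(events, window_s=2.0):
    """Split each client's requests into bursts: consecutive requests no more
    than window_s seconds apart belong to the same burst."""
    by_client = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        by_client[e["client"]].append(e)
    bursts = []
    for evs in by_client.values():
        cur = [evs[0]]
        for prev, e in zip(evs, evs[1:]):
            if e["t"] - prev["t"] <= timedelta(seconds=window_s):
                cur.append(e)
            else:
                bursts.append(cur)
                cur = [e]
        bursts.append(cur)
    return bursts


def classify(burst, min_hits=5, min_hosts=4):
    """Heuristic (an assumption of this demo): many requests to many distinct
    hosts within seconds, every one referred from a *different* host (so none
    was typed or clicked on the page being viewed), looks like script-driven
    pop-ups or redirect chains. Anything else is treated as interactive."""
    hosts = {e["host"] for e in burst}
    cross_site = all(e["ref_host"] is not None and e["ref_host"] != e["host"]
                     for e in burst)
    if len(burst) >= min_hits and len(hosts) >= min_hosts and cross_site:
        return "automated"
    return "interactive"


def summarize(log_text):
    """(start time, request count, label) for each burst in the log."""
    return [(b[0]["t"].isoformat(), len(b), classify(b))
            for b in find_bursts(parse(log_text))]


if __name__ == "__main__":
    for start, n, label in summarize(SAMPLE_LOG):
        print(f"{start}  {n:2d} request(s)  {label}")
```

On the sample the three slow clicks come out as interactive and the seven-request fan-out as automated. Treat the label as a lead, not a verdict: a user opening several tabs quickly can produce a burst too, so the result should be set beside the content-filter logs, the browser history and the machine's malware state before anyone is accused. Without the logs in the first place, none of that examination is possible.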


All work and no play

Surprise, surprise: surveys have determined that Canadians work like demons, don’t take enough time off, and are glued to their mobile devices. Even kids are griping that they can’t get their harried parents’ attention, their glossy eyes perpetually fixed in cyberspace.

Leaving aside the fact that most security incidents are caused by human error — and the fact that lack of sleep and downtime can impair judgement — taking work with us on the road or into the family room or onto the beach has other serious security implications.

It is no longer the case, if it ever was, that our lives at work and outside work (we cannot, alas, assume that the latter period involves actual leisure time) are kept separate; they are co-mingling. People increasingly expect to work in a less structured environment. For many workers, "9 to 5" seems like a quaint anachronism; they work from home, on planes, trains and, alarmingly, according to police reports, while driving.

The Mayo Clinic recently produced a device that will mercifully allow us to remain at our desks while working out, a kind of treadmill-desk contraption. No doubt this startling innovation will be music to the ears of pudgy workers the world over, and save countless millions in annual gym memberships that we never use past January.

But what does our always-on mentality have to do with security? A very great deal, I would suggest. If we simply consider work an extension of the rest of our lives, we may be more likely to treat corporate security policies the way we view "the suggestions box," as something quaint that we can cheerfully ignore. We may decide to use peer-to-peer services or instant messaging (IM), or set up our own wireless access points, and blithely circumvent company policy in doing so, without a backward glance.

We may justify such actions by telling ourselves that we are just ‘working the system’ to allow us to get the job done. Because security is a drag on productivity, now isn’t it?

Or we may simply crave communication with friends we haven't seen in ages, or we may just want to amuse ourselves on company time by sharing racy jokes, illegal music, movie and software downloads, and YouTube videos. Some of us don't see the harm in lampooning fellow workers and surfing porn sites, exposing our employers to harassment suits, liability and the attention of law enforcement agencies.

And then when we leave the office, we use the home PC to do more of the same, or to pass files between home and office. Except that we pay little attention to keeping our anti-virus and anti-spyware up to date, and we risk infecting or exposing sensitive company data in the process.

In that vein, Japanese newspapers, investigating the ongoing saga of a data leak involving U.S. missile defence systems, recently reported that additional sensitive information has been exposed, including information relating to missile interceptors and a system used to exchange reconnaissance satellite data between Japan and the U.S.

The leak came to light last March in an unlikely manner: Japanese officials were conducting a search of a naval officer's wife, under investigation by immigration authorities, when her husband was found to be in possession of allegedly highly sensitive military data. The story continues to unfold, but his explanation as to how he came into possession of the documentation is illuminating.

He is reported to have “accidentally copied” the files under scrutiny “while swapping pornography with another officer.” A naval school in Hiroshima has been raided as part of the investigation and computers and storage devices seized.

Whoever said that what you do outside the office is not your boss’s concern?

The enemy within

Just when you thought you had heard it all before, you learn something new and surprising, if not exactly uplifting.

I recently read a story about an Illinois auto-parts maker who offered $250 to employees who gave up cigarettes for a defined period. This enlightened ‘wellness’ program had an unintended and unexpected consequence: Some employees took up smoking so they could then give it up and claim the reward. Then there was the morgue employee mentioned in the Globe in the past few days who allegedly stole personal belongings and medication from dead bodies. One can only hope that the dear departed in question were at peace with the concept that you can’t take it with you.

Anyone who watches even a sliver of Jerry Bruckheimer TV or Law and Order knows that sleuths always look for motive and opportunity when trying to finger a crime suspect. In order to have any hope of detecting and preventing insider crimes before it is too late, it is important to watch for employees displaying aberrant behaviour, possibly caused by stresses such as financial constraints or poor relations with managers.

Fellow employees can also be privy to more information than they might readily admit, absent a well-defined (and legal) whistle-blower hotline where they can reveal all without fear of recrimination. In many cases, insiders have even told co-workers what they were planning to do, or at least raised red flags that all was not well in paradise. In a large percentage of cases, the resulting fraud or IT incident is spotted by non-IT employees, customers and business partners, hardly a confidence-building exercise for the latter.

Unfortunately, relations between HR and IT are rarely warm, and in many organisations both the HR and IT functions are poorly respected by senior management; this results in low morale and little synchronisation between the very activities that are critical to prevent, detect and respond to insider threats.
