Monday, July 20, 2015

Employees as weak link

Yesterday, Krebs on Security posted this story about the Ashley Madison hack. OK, this is a problem for the company and comes with all the standard issues of data loss. But here's something else to think about.

Firstly, if you didn't know, Ashley Madison is an online cheating site. That means account holders at AM likely do not want it widely known that they use it. Unlike other data breaches where the fear is ID theft and financial fraud - activities for which AM could simply offer ID theft protection services like everyone else - this is a case where the compromised information could be used to blackmail individuals. Ask yourself:

  • Do you have privileged users who are AM account holders? Two-factor authentication isn't going to help you protect privileged accounts if the user herself is compromised.
  • Is your CEO an AM account holder? What would exposure of this fact do to your company? What would he do to keep the information quiet? Are there other high-profile employees who could be AM users?

Even if you perform security checks before you hire people, you need to remember to keep monitoring them. Circumstances change, and an employee who was fine last year may have run into financial difficulties or engaged in activities that have compromised her previously secure standing. These changes have an impact on your organization, regardless of how much security awareness training you provide.

The next questions: How will you know if one of your people has been compromised? What will you do if it turns out they have been? What HR policies are in place to support your choice of action?

Cybersecurity is not just an IT thing. It never really was, even though we shoved the responsibility into the IT department. Cybersecurity is a corporate risk management thing, and it touches on every aspect of the business. HR and IT are just the first two that spring to my mind, but clearly finance, production, and operations may all be impacted by any information breach - even if it's not at your company.

Note: Edited to correct spelling mistakes on Aug. 5/15.