When the thief is in the next cubicle, what’s HR to do?
Two days after Christmas, financial services corporation Morgan Stanley discovered that data on 350,000 clients had been stolen and posted on the Internet, and attributed the theft to one of its employees. The employee was subsequently fired. Although he has not been charged, the employee is reportedly under investigation by the FBI.
It’s a tale that could send shivers down the spine of any employer tasked with keeping customer and employee data safe.
How could such a thing happen and what can HR do to ensure employees aren’t stealing corporate data?
According to news reports, Morgan Stanley does not know how the 30-year-old financial advisor obtained and posted client names and account numbers to the website Pastebin. When the firm discovered the breach, the information was removed. Account passwords and Social Security numbers were not posted, it said.
A spokesman for the bank told the Associated Press that the employee was likely trying to sell the information online and listed the partial information as a “sneak peek.”
In a release, the company stated it “is taking the precaution of notifying all potentially affected clients and instituting enhanced security procedures, including fraud monitoring on these accounts.”
But is that enough?
No, experts say. Employers should use this as a teachable moment and be proactive so more breaches of this kind do not occur—the risk of which can be reduced by limiting employee access to sensitive data.
“HR (and often the department heads, too) can work more closely to define and communicate access rights” to sensitive information, said Deena Coffman, chief executive officer of IDT911 Consulting, a data risk consultancy, in an e-mail interview with SHRM Online. “With this collaboration and the right toolset, companies can apply access controls that restrict employees to just the information they need to perform [their jobs],” she continued.
Experts add that companies should monitor their systems and be on alert when there has been any inappropriate access into those systems.
In addition, the different departments within a company should work on communicating more efficiently. “Historically, IT and information security departments have been frustrated by a lack of real-time communication from HR on what employee groups are supposed to access, and on changes in roles or employment status of employees,” said Coffman, who was formerly chief operating officer for the cybersecurity and information assurance practice at Johnson & Johnson.
“Without being told, IT has little choice but to allow access for fear of irritating a customer [or employee] unnecessarily,” she said. “Without the structured process for communicating changes quickly, a terminated employee or contractor will retain access. Under this scenario, even the best technical tools can fail.”
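The HR-to-IT reconciliation the experts describe above, as an added example that is not from the article or any vendor named in it: an HR roster (role and employment status) is compared against the entitlements actually granted to each account, flagging terminated people who still have access and employees holding more than their role needs; it also checks a privileged-action log for uses with no recorded change ticket, the kind of oversight the piece calls for later. All names, roles, entitlements and log entries are constructed sample data.

```python
# Added example: reconcile an HR roster against granted access and privileged-use logs.
# All data below is constructed; role entitlements are an assumed HR/IT agreement.

ROLE_ENTITLEMENTS = {           # assumption: defined jointly by HR and department heads
    "advisor": {"crm_read"},
    "it_admin": {"crm_read", "crm_admin", "db_admin"},
}

HR_ROSTER = {                   # constructed: employee id -> (role, employment status)
    "e100": ("advisor", "active"),
    "e200": ("advisor", "terminated"),
    "e300": ("it_admin", "active"),
}

ACCOUNTS = {                    # constructed: employee id -> entitlements currently granted
    "e100": {"crm_read", "crm_admin"},                # more than an advisor needs
    "e200": {"crm_read"},                             # terminated, but never revoked
    "e300": {"crm_read", "crm_admin", "db_admin"},
}

PRIV_LOG = [                    # constructed: (employee id, privileged action, change ticket)
    ("e300", "db_admin:export_clients", None),
    ("e300", "crm_admin:reset_password", "CHG-1234"),
    ("e100", "crm_admin:bulk_export", None),
]


def review_access(roster, accounts, priv_log):
    """Return (finding_type, employee_id, detail) tuples for an HR/IT access review."""
    findings = []
    for emp, granted in accounts.items():
        role, status = roster.get(emp, (None, "unknown"))
        if status != "active":
            # Account survives a termination (or is unknown to HR): revoke first, ask later.
            findings.append(("stale_account", emp, status))
            continue
        excess = granted - ROLE_ENTITLEMENTS.get(role, set())
        if excess:
            # Least privilege: access beyond what the role needs to do the job.
            findings.append(("excess_access", emp, sorted(excess)))
    for emp, action, ticket in priv_log:
        if ticket is None:
            # Elevated privilege used with no approval record to tie it to.
            findings.append(("unapproved_privileged_use", emp, action))
    return findings


if __name__ == "__main__":
    for finding in review_access(HR_ROSTER, ACCOUNTS, PRIV_LOG):
        print(finding)
```

In practice the roster and entitlement snapshots would be exported from the HRIS and the identity provider on a schedule, so that a status change reaches IT without anyone having to remember to send an e-mail.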
The Enemy Inside
According to Verizon’s 2014 Data Breach Investigations Report, the majority of data attacks are “perpetrated by external actors, as opposed to employees and partners.” Still, almost one-fifth (19 percent) of data attacks last year were attributable to “insider misuse,” the report stated.
“Many … inside attacks are IT employees with elevated [or administrative] privileges and little to no oversight on how and when those privileges are used,” said Coffman. “IT should be required to only use elevated privileges when necessary and the use of those privileged accounts should be monitored and logged. Separation of duties should be required on certain functions and an outside review is recommended annually.”
Privileged account management technology tools are also an option, she said.
This includes tools that:
Verizon suggests companies prevent insider data breaches by:
In 2014, the average data breach cost corporations $3.5 million, according to the Ponemon Institute, a research center dedicated to privacy, data protection and information security policy.
That number is expected to increase in 2015, said Erik Knight, president of SimpleWan, a Phoenix-based provider of cloud-based security firewalls.
“It’s no different from this and the Edward Snowden situation,” said Knight, a 20-year veteran of the security and technology industry, during a telephone interview with SHRM Online. Snowden, a computer programmer, leaked the National Security Agency’s classified surveillance data, which he obtained while working there as a subcontractor.
“What it comes down to is procedures and really vetting your individuals,” Knight said.
But what if an employee’s record is spotless, or if he has only a limited work history?
That’s when segmented access becomes especially important.
“The best thing to do is segment your different infrastructures … and don’t give one person that kind of control so they can’t do that much damage,” Knight said. “Anyone that has too much power is a danger to the organization and to themselves.”
Trusting employees is a factor as well, he said, but that can only go so far.
“You can implement a ton of technology, but if you can’t trust your employees, you can have all the systems and technology in the world and you’ll still have issues.”
Aliah D. Wright is an online editor/manager for SHRM.