Whether you regard NSA leaker Edward Snowden as a selfless patriot or a traitor guilty of treason, his actions should have IT leaders considering their own internal security policies and procedures. Snowden was a relatively low-level contractor with the NSA, yet his position in a remote office as an IT support contractor allowed him to gather large amounts of data using fairly unsophisticated techniques, all without raising suspicion. Here are guidelines on how to avoid similar disclosures at your organization.
Reading can be more dangerous than writing
IT security considerations often focus on protecting data from being overwritten or manipulated, while less attention is paid to who can read that data. I've seen companies with rigorous procedures in place to allow write or update access to internal systems that have little protection against data disclosures outside obvious systems like HR.
As in the Snowden case, this is particularly problematic with IT support workers and contractors. Granting "read everything" access streamlines security administration and might make these high-cost individuals more productive in the near term. But providing that access to something as banal as your internal ERP system would allow a contractor with questionable motives to disclose your upcoming financial results to an investor or a competitor, identify that the new product your marketing department is hyping is plagued with production problems and cost overruns, or quickly determine that you're about to shutter a dozen plants on the west coast by looking at fixed asset moves.
Take some of the rigorous tests and considerations you apply to granting write and update access to data, and apply the same standards to read access. Does the employee really need access to these data to perform his or her job? If so, should the employee's access be limited to their geography or business unit? What harm would be caused if the data were disclosed publicly or to a competitor?
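One way to turn those three questions into a repeatable access review, as an added example that is not from the article: each grant is checked for unscoped ("read everything") access, for scope outside the user's own geography or business unit, and for contractor access to systems whose disclosure would cause real harm. The grant fields, the scope labels and the SENSITIVE_SYSTEMS set are assumptions, and the sample grants are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed labels for systems whose disclosure would cause real harm (question 3).
SENSITIVE_SYSTEMS = {"erp_financials", "fixed_assets", "hr"}


@dataclass(frozen=True)
class Grant:
    user: str
    employment: str   # "employee" or "contractor"
    home_scope: str   # the user's own geography / business unit
    system: str
    permission: str   # "read" or "write"; read gets the same scrutiny as write
    scope: str        # "*" means read-everything, otherwise a geography / BU


def review_grant(g: Grant) -> List[str]:
    """Return the findings for one grant; an empty list means it passes review."""
    findings = []
    if g.scope == "*":
        # Question 1: nobody needs everything to do one job.
        findings.append(f"unscoped {g.permission} access to {g.system}")
    elif g.scope != g.home_scope:
        # Question 2: access should be limited to the user's own unit.
        findings.append(f"scope {g.scope} outside user's home scope {g.home_scope}")
    if g.employment == "contractor" and g.system in SENSITIVE_SYSTEMS:
        # Question 3: the Snowden pattern is a contractor with broad read rights.
        findings.append(f"contractor {g.permission} access to sensitive system {g.system}")
    return findings


def review_all(grants: List[Grant]) -> Dict[str, List[str]]:
    """Map each flagged user to its findings; grants that pass are omitted."""
    report: Dict[str, List[str]] = {}
    for g in grants:
        findings = review_grant(g)
        if findings:
            report.setdefault(g.user, []).extend(findings)
    return report


# Constructed sample grants for this example.
SAMPLE_GRANTS = [
    Grant("alice", "employee", "na-west", "erp_financials", "write", "na-west"),
    Grant("bob", "contractor", "eu-north", "erp_financials", "read", "*"),
    Grant("carol", "employee", "na-east", "fixed_assets", "read", "na-west"),
    Grant("dave", "contractor", "apac", "helpdesk_tickets", "read", "apac"),
]

if __name__ == "__main__":
    for user, findings in review_all(SAMPLE_GRANTS).items():
        print(user, "->", "; ".join(findings))
```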
The overuse of "Company Confidential"
Perhaps desiring an element of NSA-style cloak and dagger mystique, most companies have some notion of company confidential data. This is good practice in theory; however, at most companies, everything from the employee handbook to the directions for operating the coffee maker gets "Company Confidential" dutifully printed at the bottom. The problem with making everything confidential is that it effectively renders nothing confidential.
Teach your employees to think for a moment before stamping something confidential, and resist the urge to embed the term in every presentation and document template you have. Confidential information is that which will negatively and irreparably impact your company financially if it is disclosed. With the bar set at a high level, you can invest your security resources in managing and tracking that which is truly confidential.
Plan for the worst
The most secure IT system is probably one that has no network connections whatsoever, is buried in a secured bunker, and has only company-created code that's been independently reviewed and vetted a dozen times. Obviously, such a system would not be especially practical. These are the challenges of security in the real world and, despite the best practices and policies, even a highly secure organization can have its secrets revealed.
You can mitigate the damage by assuming any electronic communication system is likely not secure; therefore, you should avoid multiplying the damage that any unintended disclosure might engender. The NSA did little to help its cause by embedding smiley faces and snarky program names in presentations that discussed gross transgressions of individual privacy, nor will you help your cause with vulgarity, double-entendre, or violent imagery.
Most executives have finally realized that email "never forgets," as evidenced by every recent court case of corporate malfeasance. This idea must now unfortunately extend into other forms of electronic communication. It may be tempting to codename the new marketing strategy "Steal the Customer's Wallet" (or worse) and grab a few laughs at the board meeting, but consider how that might look in the newspaper when your own internal Snowden leaks it to the press.
Patrick Gray works for a global Fortune 500 consulting and IT services company and is the author of Breakthrough IT: Supercharging Organizational Value through Technology as well as the companion e-book The Breakthrough CIO's Companion. He has spent over a decade providing strategy consulting services to Fortune 500 and 1000 companies. Patrick can be reached at email@example.com, and you can follow his blog at www.itbswatch.com. All opinions are his and may not represent those of his employer.