Whether you regard NSA leaker Edward Snowden as a selfless patriot or a traitor guilty of treason, his actions should have IT leaders
considering their own internal security policies and procedures. Snowden was a
relatively low-level contractor with the NSA, yet his position in a remote
office as an IT support contractor allowed him to gather large amounts of data
using fairly unsophisticated techniques, all without raising suspicion. Here
are guidelines on how to avoid similar disclosures at your organization.

Reading can be more dangerous than writing

IT security considerations often focus on protecting data
from being overwritten or manipulated, while less attention is paid to who can read
that data. I’ve seen companies with rigorous procedures in
place to allow write or update access to internal systems that have little
protection against data disclosures outside obvious systems like HR.

As in the Snowden case, this is particularly problematic with
IT support workers and contractors. Granting “read everything” access streamlines
security administration and might make these high-cost individuals more
productive in the near term, but extending that access to something as banal as
your internal ERP system would allow a contractor with questionable motives to
disclose your upcoming financial results to an investor or a competitor, learn that
the new product your marketing department is hyping is plagued with production
problems and cost overruns, or work out from fixed asset moves that you’re about
to shutter a dozen plants on the west coast.

Take some of the rigorous tests and considerations you apply
to granting write and update access to data, and apply the same standards to
read access. Does the employee really need access to these data to perform their
job? If so, should their access be limited to their geography or business
unit? What harm would be caused if the data were disclosed publicly or to a
competitor?
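The questions above translate directly into an authorization policy: a deny-by-default read check that caps each role at a classification ceiling and, for most roles, restricts reads to the reader’s own business unit and region, with every read attempt logged so that one account quietly pulling a large number of records does not go unnoticed. The following is an added example written for this article, not code from the article or any product; the role names, policy table, records and user accounts are all constructed for illustration.

```python
"""Read-access check scoped by business unit and region, plus a simple
bulk-read detector over the resulting audit trail. Illustrative example;
every role, record and account below is constructed, not real."""
from dataclasses import dataclass
from typing import Dict, List

# Ordering of classification labels, lowest sensitivity first.
CLASS_RANK = {"public": 0, "internal": 1, "confidential": 2}

# Hypothetical policy table. Each role gets a classification ceiling and a
# scope: "own_unit" limits reads to the reader's own business unit and region,
# "global" does not. Roles absent from the table get nothing (deny by default).
READ_POLICY: Dict[str, Dict[str, str]] = {
    "it_support":      {"max_class": "internal",     "scope": "own_unit"},
    "finance_analyst": {"max_class": "confidential", "scope": "own_unit"},
    "cfo":             {"max_class": "confidential", "scope": "global"},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset
    business_unit: str
    region: str


@dataclass(frozen=True)
class Record:
    record_id: str
    business_unit: str
    region: str
    classification: str  # one of CLASS_RANK's keys


def can_read(p: Principal, r: Record) -> bool:
    """Deny by default; grant only if some role's ceiling AND scope permit the read."""
    for role in p.roles:
        rule = READ_POLICY.get(role)
        if rule is None:
            continue
        if CLASS_RANK[r.classification] > CLASS_RANK[rule["max_class"]]:
            continue  # record is more sensitive than this role may see
        if rule["scope"] == "own_unit" and (
            r.business_unit != p.business_unit or r.region != p.region
        ):
            continue  # record belongs to another unit or geography
        return True
    return False


def read_record(p: Principal, r: Record, audit: List[dict]) -> Record:
    """Enforce can_read and log every attempt, granted or denied, so reads leave a trail."""
    allowed = can_read(p, r)
    audit.append({"user": p.user_id, "record": r.record_id, "granted": allowed})
    if not allowed:
        raise PermissionError(f"{p.user_id} may not read {r.record_id}")
    return r


def bulk_readers(audit: List[dict], threshold: int) -> Dict[str, int]:
    """Users whose number of distinct successfully-read records exceeds threshold."""
    seen: Dict[str, set] = {}
    for entry in audit:
        if entry["granted"]:
            seen.setdefault(entry["user"], set()).add(entry["record"])
    return {user: len(ids) for user, ids in seen.items() if len(ids) > threshold}


# Constructed sample data: five confidential fixed-asset records and one
# internal record in the west-coast plants unit, plus one confidential
# corporate record in another unit and region.
RECORDS = [Record(f"fa-{i}", "plants-west", "us-west", "confidential") for i in range(5)]
RECORDS += [Record("erp-1", "plants-west", "us-west", "internal"),
            Record("fin-1", "corporate", "us-east", "confidential")]
CONTRACTOR = Principal("contractor-01", frozenset({"it_support"}), "plants-west", "us-west")
ANALYST = Principal("analyst-02", frozenset({"finance_analyst"}), "plants-west", "us-west")


def run_demo(threshold: int = 4):
    """Have both sample users attempt every record; return decisions and flagged bulk readers."""
    audit: List[dict] = []
    decisions: Dict[str, Dict[str, bool]] = {}
    for p in (CONTRACTOR, ANALYST):
        decisions[p.user_id] = {}
        for r in RECORDS:
            try:
                read_record(p, r, audit)
                decisions[p.user_id][r.record_id] = True
            except PermissionError:
                decisions[p.user_id][r.record_id] = False
    return decisions, bulk_readers(audit, threshold)


if __name__ == "__main__":
    decisions, flagged = run_demo()
    for user, reads in decisions.items():
        print(user, reads)
    print("bulk readers over threshold:", flagged)
```

Running it shows the support contractor reading only the internal ERP record in their own unit, while the analyst, who legitimately reads the confidential fixed-asset records of their own unit, is still denied the other unit’s financials and is surfaced by the bulk-read threshold for review. The threshold is deliberately crude; in practice it would be tuned per role and compared against a baseline of normal activity.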

The overuse of “Company Confidential”

Perhaps desiring an element of NSA-style cloak and dagger
mystique, most companies have some notion of company confidential data. This is
good practice in theory; however, at most companies, everything from the
employee handbook to the directions for operating the coffee maker goes out
with “Company Confidential” dutifully printed at the bottom. The problem with
making everything confidential is that it effectively renders nothing
confidential.

Teach your employees to think for a moment before stamping
something confidential, and resist the urge to embed the term in every
presentation and document template you have. Confidential information is that
which will negatively and irreparably impact your company financially if it is
disclosed. With the bar set at a high level, you can invest your security
resources in managing and tracking that which is truly confidential.

Plan for the worst

The most secure IT system is probably one that has no
network connections whatsoever, is buried in a secured bunker, and has only
company-created code that’s been independently reviewed and vetted a dozen
times. Obviously, such a system would not be especially practical. These are
the challenges of security in the real world and, despite the best practices
and policies, even a highly secure organization can have its secrets revealed.

You can mitigate the damage by assuming any
electronic communication system is likely not secure; therefore, you should avoid
multiplying the damage that any unintended disclosure might engender. The NSA
did little to help its cause by embedding smiley faces and snarky program names
in presentations that discussed gross transgressions of individual privacy, nor
will you help your cause with vulgarity, double-entendre, or violent imagery.

Most executives have finally realized that email “never forgets,” as evidenced
by every recent court case of corporate malfeasance. This idea must now unfortunately
extend into other forms of electronic communication. It may be tempting to
codename the new marketing strategy “Steal the Customer’s Wallet” (or worse)
and grab a few laughs at the board meeting, but consider how that might look in
the newspaper when your own internal Snowden leaks it to the press.