So much for confidentiality

Everyone has a similar story.

You print out something, then walk over to your printer located 20 meters away, shared by the four departments on your floor. Instead of your printout, you find a whole stack of other people’s printouts, and the paper has run out. You look at the task, groan as you see another 120 pages pending. And the one who printed out that stack is nowhere to be found.

Looking further, you see, well, the stack had some pretty interesting information. Apparently it’s the entire year’s worth of financial information and also a few pages detailing employees’ pay and salary. Now you know how much your annoying colleague who just bought an Audi A8 earns, and you are really, really peeved, because you know he doesn’t do anything but play golf and suck up to upper management.

Where is the problem here?

Whatever confidentiality classification a company has put in place goes out the window when an irresponsible employee prints out 150 pages, goes out for lunch and says, “I’ll grab it on the way back.”

An interesting article here talks about how some secret files from the UK have gone missing or been destroyed. According to the article: “The Foreign and Commonwealth Office is unable to confirm whether 170 boxes of classified documents which were returned to the UK at the end of the colonial era have been destroyed.”

Oops.

The article goes on to detail some of the acts committed during British rule in Kenya, where prison warders apparently clubbed prisoners to death and blamed it on “Drinking too much water.”

As in, seriously. I’m not sure if that’s British humor involved in the drinking too much water part, but it’s pretty humiliating for the FCO any way you look at it.

In an application audit we did, the team found pretty good controls overall, but flagged an issue: invoices and documents containing confidential information on partners and payment details were left in a box in a common area before being moved to a more secure location. The common area was where many people on that floor walked by. Now, our client reasoned, nobody would be looking into the box without any business with it. Also, they were all employees of the same company. And finally, it was only temporary storage, and each day the stack would be moved to the supervisor’s cubicle for filing.

We insisted on flagging it. The assumption behind the argument above was that all employees can be trusted. And along with that assumption comes another: all employees are nice people who do what is best for the company.

Um. That’s very idealistic, like me winning American Idol and going on to become a global superstar. And chilling with Bono at a cafe. Of course we didn’t put that in our audit report.

But here’s the thing: if you’re going to spend millions on technical controls but not look into the process and people controls, you’re defeating the purpose of holistic security. The weakest link is the people, and whether the lapse comes through deliberate malicious acts or just plain unawareness, the company takes the brunt of the oversight. Security should be approached in that holistic fashion, and that’s why IT Audits are still relevant in a world where security companies have invented automated “IT Audits” by installing their software to probe for software weaknesses and “Outdated patches”. That only tells part of the story. The other part is breaking down the critical processes and the human interaction between systems and technology. Any IT Audit that does not take time to understand the business process of a company isn’t complete.

So back to the FCO: we don’t know what happened. Maybe somebody printed out the whole bunch of secret stuff and went for lunch, and somebody else picked up the documents and went, “Jeez, this is going to make the honchos in the UK look like a bunch of clowns”. And also, what do you know, reveal some seriously critical military secrets. Somewhere along the way, somebody dropped the ball. It’s a human issue. Or it’s a process issue. Unfortunately, when we hear of people doing “IT Security Audits”, they take the “IT” word too literally and the “Security” word too frivolously. That in itself is worth another article.

So for now, please grab everything you print out before you head out to lunch!
