If you can’t trust the Compliance Officer who can you trust?

Or is the temptation these days too great for anyone to resist?

Written by Calum Macleod, European Director for Cyber-Ark

I often wonder if I’ll get to an age where I’m not disillusioned by the world around me. It started so early in life when I experienced corporal punishment (I got the belt!) from my father for bringing home a bottle of soft drink without paying for it! I discovered that you just didn’t walk into the store, pick something up and walk out. It went downhill after that: Santa Claus didn’t exist, you had to learn stuff in school and write the letters between the lines, or else you got the belt! In 2008 this would be called child abuse, but back then it was called preventative medicine. Then, having finally entered the world of the employed, I discovered that half my salary had been allocated to pay for speed cameras and various other “useful” items. And having thought I’d seen it all, I just found out that Compliance Officers cannot be trusted!!

Here I’ve been for years advising supposedly concerned Compliance Officers about the risks posed by their IT staff, or even worse their Forex dealers, who are all petty criminals waiting to steal company secrets and misappropriate funds, and then lo and behold I walk into a company a few weeks ago and discover they’ve just fired their Compliance Officer. It was a minor indiscretion. He had simply accessed every contract that the company had, to ensure that the company was complying with all the relevant policies. Everyone was convinced that their CO was just doing his job in the diligent pursuit of internal evildoers, only to discover that he was being handsomely rewarded by the competition. After all, you can only lose so many deals and blame it on bad luck! He was the biggest evildoer of them all!!

It seems that it doesn’t matter where you look these days; you can’t trust anyone, and herein lies the crux of the problem faced by many organizations. They assume that their employees can be trusted not to do something stupid, or that they can trust their employees because they’re all basically honest.

Unfortunately, it’s the honest ones who are most often the victims, and very often it is an organization’s failure to grasp the magnitude of the damage one dishonest or careless employee can cause that results in the disasters we keep hearing about. Whether it’s careless employees working for the Government or unscrupulous employees working in the financial sector, the end result is the same.

Every organization today, no matter how small or large, needs to ensure that privileged access to systems is controlled and that confidential data is secure. A key factor in this is ensuring that people in positions of responsibility understand what they’re doing. The example of the CISO of a UK Fortune 100 company who stated that the M&A data about planned acquisitions was secure because the server was in the boardroom may not be typical of CISOs, but it only takes one idiot to give you all a bad name – or, for that matter, one Compliance Officer on the take to have every Compliance Officer labeled as a crook.

The lack of sufficient internal controls results in data breaches, denial of service attacks and compliance review failures. The key areas of vulnerability are privileged user access controls both inside and outside the network, confidential data exchange via public networks, and securing highly sensitive data inside the network. The insider threat is the #1 security risk to enterprises today, primarily because it is clear that insider incidents perpetrated by using system administrator or privileged account access are responsible for 9 out of 10 breaches in data security.

Information leaks in all forms are occurring with increasing frequency today within some of the largest and most important organizations and enterprises. These breaches, whether inadvertent or part of a coordinated attack, release highly sensitive information into the larger market, where it is used to damage the originating organization’s business, competitiveness and reputation, and they also significantly impact the privacy and confidence of its customers, partners and vendors.

Common solutions such as mail (CDs in the post, for example), e-mail or FTP suffer from several disadvantages. Distributing vast numbers of documents via mail is cumbersome and hard to track. FTP solutions are not reliable or secure. E-mail solutions, including encrypted e-mails, are also not reliable because they depend on the recipient's e-mail infrastructure; large files or encrypted files often fail the recipient's e-mail security policies and bounce back. Organisations need global accessibility and connectivity while maintaining security.

As an IT security advisor at Cyber-Ark, this is the advice I give my clients on how they should go about protecting their data.

Information needs to be protected from unauthorized modification, deletion and exposure. Encryption and other security mechanisms are not helpful if someone hacks the computer and circumvents the security layers. For instance, encryption is good for confidentiality, but it does not protect data from intentional deletion or accidental modification. In order to build multi-layered security, a sterile environment must exist to accommodate and protect the security infrastructure.

Ensure you have visual auditability – owners of information need to actually see what happens with their information at all times. Combined with auto-logging and auto-alerting, this ensures that an organisation has both a prevention and a detection mechanism.

Separation of duties must be possible between the owners of the information and the administrators of the information. In other words, there is no need for IT staff to be reading employee contracts, unless of course they are doubling as head of HR!

Dual control ensures that highly sensitive data can only be accessed once access has been authorised by another person.

Data should always be backed up in encrypted form, and kept encrypted even while on backup media, to prevent unauthorized disclosure.

And access should be controlled based on user location. In other words, it’s not the employer’s responsibility to help an employee show off to the cute blonde in the Internet Café. Make sure that if the information is for internal use only, then that’s exactly where it stays.
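The controls just listed (separation of duties between owners and administrators, dual control for highly sensitive data, location-based access, and auto-logging with auto-alerting on every denial) can be expressed as one small policy check over a document store. This is an added illustration, not code from the article or from Cyber-Ark; the Document, User and Vault names, the "owner"/"admin" roles and the "internal"/"external" locations are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Document:
    name: str
    owner_group: str        # information owner's group, e.g. "HR" (assumed model)
    highly_sensitive: bool  # dual control: needs a second person's authorisation
    internal_only: bool     # location control: never served outside the network

@dataclass(frozen=True)
class User:
    name: str
    group: str      # business group the user belongs to
    role: str       # "owner" (information owner) or "admin" (IT administrator)
    location: str   # "internal" or "external" network location

@dataclass
class Vault:
    audit_log: list = field(default_factory=list)  # auto-logging: every decision kept
    alerts: list = field(default_factory=list)     # auto-alerting: every denial raised

    def _decide(self, user, doc, allowed, reason):
        entry = {"user": user.name, "location": user.location,
                 "document": doc.name, "allowed": allowed, "reason": reason}
        self.audit_log.append(entry)   # the owner can see what happened, always
        if not allowed:
            self.alerts.append(entry)  # denials are the detection signal
        return allowed

    def read(self, user: User, doc: Document, approver: Optional[User] = None) -> bool:
        # Separation of duties: administrators run the store but never read its content.
        if user.role == "admin":
            return self._decide(user, doc, False, "separation of duties: admin may not read")
        # Location-based control: internal-only material stays inside the network.
        if doc.internal_only and user.location != "internal":
            return self._decide(user, doc, False, "internal-only document requested externally")
        # Only the owning group may read the information.
        if user.group != doc.owner_group:
            return self._decide(user, doc, False, "requester is not in the owner group")
        # Dual control: a second, distinct, authorised person must approve.
        if doc.highly_sensitive:
            if approver is None or approver.name == user.name:
                return self._decide(user, doc, False, "dual control: no second-person approval")
            if approver.role == "admin" or approver.group != doc.owner_group:
                return self._decide(user, doc, False, "dual control: approver not authorised")
        return self._decide(user, doc, True, "policy satisfied")
```

Every call to `read` leaves an audit entry, and every refusal also lands in `alerts`, so the information owner gets the visual auditability described above without a separate reporting step.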

No organization is immune to the risk of exposure, embezzlement or embarrassment. There is no such thing as a 100% trustworthy workforce, especially when you’re outsourcing or using contract staff. How many organizations can echo the sentiment that they have been cheated by someone and have no idea when, and then make up their minds that it has to come to an end?

So let’s just say that since people have a habit of letting you down, it’s time you ensured your data is secure and locked away. As someone once famously said, “I generally avoid temptation unless I can't resist it”.