The story that made headlines this past summer, of the San Francisco IT administrator who locked top administrators out of the city's network for several days, should spark some serious discussion among HR professionals. The incident was a classic example of what a disgruntled employee with elevated privileges can do to take down the enterprise, for instance by encrypting data or changing passwords to restrict access to business functions.
IT professionals perform invaluable functions – without their services, organizations could not function. On the flip side, disgruntled IT employees are generally recognized as the highest risk an organization faces, as they can do irreparable damage by stealing, corrupting or restricting access to data. A recent study indicated that an incredible 88 percent of IT workers would take company secrets and remote access credentials with them if they were fired. To reduce this risk and avoid situations similar to the San Francisco lockout, HR needs to develop a close relationship with its information security staff.
Once a disgruntled IT employee gets into a position where there are red flags that he or she might be a risk to the organization, steps need to be taken to restrict that person's access to the network. Having regular contact between the HR and information security departments will help management stay informed of potential "problem" employees, which is key to approaching the entire issue of insider threats.
Keeping your organization's data secure requires the cooperation of every employee – but HR in particular should play a critical role, especially with IT professionals, starting with the hiring process. When putting together a job description for a position that will have access to the organization's information assets, such as a network or system administrator, HR needs to clearly understand the duties and responsibilities of that position. For example, how much authority is vested in a particular job? What sort of access control will be in place for this position? Effectively communicating job responsibilities requires a close relationship between HR and the information security department, yet security professionals are often left out of the process.
The organization must also assign a relative value to the information in the database that is being protected. Until an organization classifies its data, it will never know what that data is worth. What would be the impact on the organization if certain data were lost? For instance, what if the company's intellectual property fell into a competitor's hands? It could put your company out of business.
Another important factor to consider in the IT hiring process is to know more about the type of person you're putting in charge of your information assets. Thorough background checks should be performed before any hiring decision is made. That means more than a simple credit check and 15-second phone call, which is all that transpires in many cases. You need to look into the past of those employees requiring elevated clearance levels to determine if there's a history of disruption or any sign of previous instability. In many instances, this type of information is not discovered until after the person has already been hired; you may then have to alter their job or even terminate them.
Once employees have been hired and put in place, the next point of consideration for HR should involve separation of duties. Giving any one position too much power is rarely a good idea. For the IT professional, there should be a clear separation of duties, whereby one person doesn't have complete network control or authority. It is advisable to divide network responsibilities between at least two people, so that no single person can make significant changes within the IT infrastructure alone. Even if the two positions are totally independent of one another, the position descriptions should be linked to communicate that no one person will have sole responsibility for a particular function, such as the ability to change passwords across the entire network.
Companies need to be especially aware of employee behaviour during difficult times. Actions such as layoffs, lack of bonuses or pay increases, or turning an employee down for a promotion can prompt some people to want to 'make themselves more important' – escalating their privileges to give themselves additional responsibilities and control. Companies need to be aware of suspicious behaviour within their network. Therefore, an independent, knowledgeable party such as an information security professional should consistently review network logs to check who has accessed various portions of the database and network. Your company's network(s) and databases must also be segmented with access control best practices in place.
If bad company news, or even the rumour of bad news, is on the horizon, HR should alert the security person to be on the lookout for suspicious behaviour. For example, if there is a massive change of passwords by one individual, or someone suddenly has more authority than they had before, that individual needs to be closely monitored or even isolated until a sufficient investigation can occur. Enforced vacations and job rotations are sometimes necessary for those holding highly sensitive positions.
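The two warning signs named above, a mass change of passwords by one individual and a sudden gain in authority, can be checked mechanically against audit logs. The sketch below is an added example, not part of the original article; the event format, account names, privileged group list and thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events (timestamp, actor, action, target, detail); not from a real system.
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "helpdesk1", "password_reset", "alice", ""),
    ("2024-03-01T22:01:00", "netadmin7", "password_reset", "root-sw1", ""),
    ("2024-03-01T22:02:00", "netadmin7", "password_reset", "root-sw2", ""),
    ("2024-03-01T22:03:00", "netadmin7", "password_reset", "root-fw1", ""),
    ("2024-03-01T22:04:00", "netadmin7", "password_reset", "svc-backup", ""),
    ("2024-03-01T22:10:00", "netadmin7", "group_add", "netadmin7", "Domain Admins"),
    ("2024-03-02T10:00:00", "iam-lead", "group_add", "bob", "Printer Operators"),
]
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}  # assumed list for this example

def find_mass_resets(events, threshold=4, window=timedelta(minutes=30)):
    """Map each actor to the distinct accounts they reset, if >= threshold within window."""
    by_actor = defaultdict(list)
    for ts, actor, action, target, _ in events:
        if action == "password_reset":
            by_actor[actor].append((datetime.fromisoformat(ts), target))
    flagged = {}
    for actor, resets in by_actor.items():
        resets.sort()
        start = 0
        for end in range(len(resets)):
            # Slide the window start forward until it spans at most `window`.
            while resets[end][0] - resets[start][0] > window:
                start += 1
            targets = {t for _, t in resets[start:end + 1]}
            if len(targets) >= threshold:
                flagged[actor] = sorted(set(flagged.get(actor, [])) | targets)
    return flagged

def find_privilege_gains(events, privileged=PRIVILEGED_GROUPS):
    """List (actor, target, group, self_granted) for additions to privileged groups."""
    return [(actor, target, group, actor == target)
            for _, actor, action, target, group in events
            if action == "group_add" and group in privileged]

def review(events):
    """Combine both checks into one report for the independent reviewer."""
    return {"mass_resets": find_mass_resets(events),
            "privilege_gains": find_privilege_gains(events)}

if __name__ == "__main__":
    print(review(SAMPLE_EVENTS))
```

The report should go to someone other than the administrators whose actions it covers, in keeping with the separation of duties described earlier.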
Any time an organization tries to cut corners with its security and doesn't have enough people in place to provide a separation of duties, the organization runs the risk of putting all its eggs in one basket. The days when it was satisfactory to perform a 'minimum' level of security are gone. Having a second person in place who can understand the technology and undo any damage – or prevent the damage from happening in the first place – is crucial to any organization's well-being.