April 13, 2009, 10:40 AM — The economic crisis has Michael Hamilton worried about worst-case scenarios. One of those isn't losing his job. But as CISO for the City of Seattle, he has to worry about everybody who does lose their jobs.
Laid-off employees could have access to systems that control local utilities, water purification systems, transport systems and public safety systems. Seattle even runs its own municipal power, meaning that it has systems in place that control dams all the way into Eastern Washington.
"The top impact is always the loss of life - that's the worst thing that can happen," says Hamilton. Most data breaches (take this one, for instance) by comparison look merely like an annoyance.
Not that it would be a cheap annoyance to lose data: the Ponemon Institute estimates that each record lost would cost a company $202, not to mention brand equity. Nor does Hamilton take the potential for data breach lightly. Besides death, Hamilton has Terry Childs on his mind. Childs is the San Francisco network administrator who allegedly held the City of San Francisco's network passwords hostage and has been in jail for months awaiting trial.
In the wake of the Childs incident, he hopes the city avoids laying off network administrators or anyone else with high-level systems provisions. "It's a little terrifying" to think about, he says. There's plenty of fear going around right now. The U.S. economy is suffering one of its broadest downturns since World War II, and widespread layoffs have created the likelihood of significant security breaches. Fifty-nine percent of U.S. employees who left a firm in the last year knowingly stole data from their former employer, according to a Ponemon Institute survey of 1,000 people. (See an analysis in Laid-Off Employees as Data Thieves?)
The report, released in February, was sponsored by Symantec. Meanwhile, more than 58 percent of U.S. workers surveyed by Cyber-Ark, an identity management firm, said they would download company or competitive information if they thought they were going to lose their jobs. Granted, all these studies were funded by security companies, which have a vested interest in their outcome. Ironically, the best way to head off data theft in a time of layoffs is probably to focus on the people involved. Technology and processes often, at best, help companies monitor data theft, rather than stop it.
It's simple, says Ponemon: If you can lay employees off but still leave them with a favorable impression of their company, they are less likely to take data.
They're also less likely to come back with guns a few weeks later. The challenged state of the economy has made executives jittery about the impact of layoffs. "For the first time, I'm hearing people in crisis management meetings say, 'I'm scared. I want security here,'" says Kirian Fitzgibbons, director of special services at the Steele Foundation, a San Francisco firm that handles physical security and risk management. He says that firms are far more nervous about volatile employees than they were during the dotcom bust, with more requests for extra personnel at layoff sites and for extra security on executive floors. (See How to Prepare for Workplace Violence.)
Part of that is the simple scale of the downturn. Fitzgibbons says that typically Steele consults on two to three mass layoffs a year. Right now, it's doing that many a month, and sometimes in a week.
Companies should know that being laid off is not typically something that will prompt violence. "Losing your job and losing something else is what does it," say Fitzgibbons and other security consultants.
"TIP: Randazzo recommends involving red-flag employees in the layoff process, as much as possible."
Almost every company has a "red flag" employee: someone who's had run-ins with management or other employees. During layoffs, companies need to be especially careful about how these people are treated, says Marisa Randazzo, a former chief psychologist for the U.S. Secret Service and president of Threat Assessment Resources International, a security consultancy in Sparks, Nev.
"Companies may think that the bad economy makes it a good time to get rid of bad eggs, or difficult employees. But once they're no longer part of the organization, you don't have the ability to monitor their behavior nearly as well or to do intervention," she says. Indeed, companies need to recognize that problem employees often are symptoms of bad management. Randazzo tells of a laid-off worker who threw his chair through the conference room window and threatened to come back with his guns. It turns out that the company, which put on sporting events, had hired the systems administrators with the promise of attending the event they were working on. It laid off this worker and several others just two weeks before the event, with no mention of free passes to the events.
"These folks were ticked off, understandably, because they'd been promised something and it had been taken away," she says.
Of course, the vast majority of employees are not red-flag employees. But they still need to be treated with dignity.
In this economically driven layoff climate, put people first, and put yourself in their shoes, says Bruce Jones, global IT security and risk manager for Kodak. "You're not laying them off for performance, but for business conditions," he says. "You make sure you treat people accordingly."
Kodak has the layoff drill pretty much down; it's spent much of the last decade being buffeted by the shift to digital imaging.
"TIP: Get people moving forward."
Kodak typically lets employees keep basic network access for a few weeks after a layoff, to help transition their work and in case they are able to get another job within the company.
Organizations can even protect themselves from Terry Childs scenarios. Chad Thunberg, the chief operating officer at Leviathan Security Group in Seattle, says that early in his career he took over for a systems administrator who had been fired for cause. Two days later, the ex-employee hacked into the network and took down a number of important servers. It took 24 hours to get them back online. That company, like the city of San Francisco, had allowed one person to have sole control over too many systems and should have split off some of his duties, as well as designated a backup who would know all the same access and permission codes.
Once layoffs are complete, companies have to do a good job on the nuts and bolts on three fronts:
1. Removing laid-off employee access to company resources in a timely fashion;
2. Keeping data from flowing away from the company;
3. Protecting data where it's stored.
Technology and processes can help with all three. Every company has ways to get employees access to systems, and to remove that access when the employee leaves, no matter what the circumstances. But they don't necessarily use them well. One stunning data point in the Ponemon survey is that 24 percent of employees let go still had full systems access days later. In fact, more than one-third of those employees still had full access more than a week later. "That is a broken process," says Ponemon.
Deprovisioning doesn't have to be such a nightmare. The technologies have improved greatly in the last five years. Whether it's Active Directory, OpenLDAP or some other tool, "most systems accomplish deprovisioning with ease," says Greg Shipley, CTO at Neohapsis, a security consultancy headquartered in Cambridge, Mass. (Also see BT's Termination Checklist for a full list of assets and privileges to consider.)
But process "gotchas" plague many companies, Shipley says. Not all applications get added to the system. Individual accounts may not get added in, particularly for employees that predate the deprovisioning process. There may not be procedures for changing "god" accounts like root and administrator accounts, or the "enable" password on network infrastructure. Remote accounts that are active may be overlooked, leaving someone logged in with full access, even though they've been deprovisioned.
Shipley adds that so much focus has been on hiring in the last few years that some identity management systems are much better at granting access than revoking it.
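The process gaps Shipley lists (applications outside the central system, unchanged "god" account passwords, remote sessions that outlive the account) can be checked with a reconciliation pass after a layoff. The sketch below is an added example, not something described by anyone quoted in the article; all user names, system names and data are constructed, and the export formats are assumptions.

```python
from datetime import datetime

# Constructed sample data; every name below is hypothetical.
TERMINATED = {"jdoe": datetime(2009, 3, 2), "asmith": datetime(2009, 3, 2)}
MANAGED = {"directory", "vpn"}  # systems wired into central provisioning
ACCOUNTS = [  # per-system account exports
    {"system": "directory", "user": "jdoe", "enabled": False},
    {"system": "directory", "user": "asmith", "enabled": False},
    {"system": "legacy_crm", "user": "jdoe", "enabled": True},
    {"system": "vpn", "user": "asmith", "enabled": False},
]
SESSIONS = [  # sessions still open at audit time
    {"system": "vpn", "user": "asmith"},
    {"system": "vpn", "user": "bkhan"},
]
SHARED_SECRETS = [  # shared privileged credentials and who knows them
    {"name": "root@db01", "known_to": {"asmith", "bkhan"},
     "last_rotated": datetime(2009, 1, 15)},
    {"name": "enable@core-sw", "known_to": {"bkhan"},
     "last_rotated": datetime(2008, 11, 1)},
    {"name": "administrator@fs01", "known_to": {"jdoe"},
     "last_rotated": datetime(2009, 3, 3)},
]

def audit(terminated, managed, accounts, sessions, shared_secrets):
    """Return (kind, target, user) findings for access that outlived a layoff."""
    findings = []
    for acct in accounts:
        if acct["user"] in terminated and acct["enabled"]:
            # An enabled account on a system outside central provisioning
            # is the "application never added to the system" gap.
            kind = ("ACTIVE_ACCOUNT" if acct["system"] in managed
                    else "ACTIVE_ACCOUNT_UNMANAGED_APP")
            findings.append((kind, acct["system"], acct["user"]))
    for sess in sessions:
        # Disabling an account does not end a session that is already open.
        if sess["user"] in terminated:
            findings.append(("LIVE_SESSION", sess["system"], sess["user"]))
    for secret in shared_secrets:
        for user in sorted(secret["known_to"] & set(terminated)):
            # The secret must be rotated after the person who knew it left.
            if secret["last_rotated"] < terminated[user]:
                findings.append(("UNROTATED_SHARED_SECRET", secret["name"], user))
    return findings

if __name__ == "__main__":
    for finding in audit(TERMINATED, MANAGED, ACCOUNTS, SESSIONS, SHARED_SECRETS):
        print(*finding)
```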
Kodak's Jones agrees that centralized provisioning has improved in the last few years. Kodak has moved to centralized provisioning via Sun Identity Manager, and "it's been a big benefit to us," he says.
While deprovisioning has improved, the tools could still be better, he says. "The biggest weakness is the interface between whatever provisioning identity management tool you use and all your applications," says Jones.
Oddly, in this Web-based era, companies tend to forget about access to Web-based software. "I honestly don't know why companies miss this," says Thunberg. "A majority, if not all of these environments, have a way to track them."
Perhaps the weakest point in any deprovisioning process comes from external partners or vendors. When those companies lay people off, they may not deprovision them. Hamilton, of the City of Seattle, says that while you can write contracts and service-level agreements requiring contractors to deprovision people who are laid off, you don't have direct control over the process.
One day this March, a door was propped open on a floor with important IT systems at the City of Seattle. In fact, the door could not be locked, meaning that anyone could potentially have gained access to systems. Monitoring might have alerted the city to large data dumps taking place, but a data thief could have easily been out the door before anyone could do something about it, says Hamilton.
Hamilton says that he and his staff have to be on the constant lookout to help prevent data leakage. With layoffs pending, he's heightened his monitoring and is considering things like tagging certain employees with special monitoring agents.
Still, there's only so much companies can do with monitoring.
"It's hard to get a handle on data leakage - there's so much data in file cabinets as well as on systems," says Michelle Drolet, CEO of Towerwall, a security consultancy in Framingham, Mass.
Indeed, the Ponemon study found that 61 percent of those who take data take it in hard-copy form.
"TIP: Good employee relations may be the best bet for preventing data leakage."
But there are plenty of ways to know if employees are trying to transfer large amounts of data digitally. And most companies are probably already using them; there is always an insider threat. Kodak's Jones says that companies should set monitoring tools and alerts based on perceived threat levels, "and apply them regardless of whether people are being laid off or not."
Some firms have to be more aggressive about handling data access than others. A midsize financial services firm recently did a significant layoff. To minimize data loss, two days beforehand it put a group policy command into Active Directory to prevent people from burning CDs or using USB sticks to get data. Even the help desk did not know what was happening.
"We just let them scramble and try to figure it out, knowing they couldn't fix it," says a security administrator at the firm, who asked not to be named. "It was a waste of time, but it's what we had to do."
He says the firm also laid off high-level network administrators first, and did not allow them back to their desks to get their things.
There are tools to allow whole disk encryption, most notably from PGP, which is particularly useful when dealing with laptops. Varonis offers a tool that lets companies control who has access to which data.
But for things like preventing salespeople from taking their contact lists with them when they leave a firm, technology only goes so far. "I don't know of a solution to secure stuff like that on a Windows Mobile device or an iPhone," Thunberg says.
In the end, monitoring and auditing data transfers are reactive technologies. At best, if employees know such tools are in use, it may deter brazen thefts.
Finally, CSOs need to rethink their functions after layoffs.
"As staff get assigned other duties, security is less likely to get good monitoring and our safeguard procedures and processes are less likely to be executed," says Tony Lucich, chief information security officer and enterprise architect for County of Orange, Calif. Lucich says that IT departments need to reprioritize what is considered critical because fewer people will be around to make it work.
"TIP: Figure out which hatches you can actually still batten, and close all the others."
That's echoed by Kodak's Jones. He's streamlining by looking at where he can reduce the number of suppliers he has, saving time and potentially money as well. For instance, Kodak uses Voltage for e-mail security, but has other vendors provide software for things like Secure FTP. Jones says he's considering adopting the secure file transfer feature of Voltage.
In the end, Jones says, securely handling layoffs means more than just the process itself. "All CSOs need to think beyond the layoffs and think about how to operate effectively with a smaller team," he says.