Keys to Securing Data
Technology & Business Resource Guide 2008
by Robert P. Green, CPA and Rick Mark
Mother Nature Isn’t the Only One to Worry About When it Comes to Protecting Data
You may think you have heard enough about disaster preparedness. But we’re not here to talk about avoiding or limiting losses from a natural or unplanned disaster since you’ve likely read much about that important topic—and have taken appropriate loss prevention steps, right?
Rather, consider other kinds of systems-oriented “disasters” that hit businesses directly in the wallet.
The losses from these kinds of disasters are increasing because of a heightened reliance on digital information, and they are often the result of placing too much trust in the people and security practices of a business. The resultant losses include lost customer relationships, misappropriated confidential information and extensive forensic and litigation costs, to name a few.
Let’s see what happens when these unnatural disasters hit—and what could have been done to prevent anything from happening.
The Setting
ACME is a thriving e-commerce business known for its distinctive selection of gourmet foods that appeal to affluent and corporate buyers. Sales have been off the charts since its inception. Much of that success is attributed to the head buyer, who has a flair for introducing in-demand, hard-to-find food products. For that talent, and for fear of losing her to competitors, the head buyer has been paid very well, making even more than the president, over the past two years.
This pay issue greatly disturbs the accounting manager, who has been unsuccessfully clamoring to the CFO for a promotion (and pay raise) to controller for more than two years. The CFO is also well-paid, yet has little work to do most days and spends most of his time on the internet.
This mildly tense situation is about to get a whole lot tenser with some difficult-to-foresee IT disasters. A little preparedness, however, can prevent such things from happening to your company.
Day One: Lost Competitive Advantage–and More
Upon arriving in the morning, ACME’s president learns that the head buyer has resigned and is not returning calls. She has accepted a vice president position with a competitor, and the competitor’s website now shows a selection of products for sale that used to be available only on ACME’s website.
After a costly computer forensics and legal nightmare, ACME learned that the former head buyer, while still an ACME employee, had been copying network-stored files onto her USB thumb drive and corresponding with suppliers and her prospective employer through her personal e-mail. Among other information, she copied or sent sensitive and confidential files, including supplier contracts, merchandising plans and customer records.
Further, when the president called his attorneys, they reminded him that he never returned any comments to them on the draft version of ACME’s initial employee manual, which spelled out requisite protection policies. These protection policies should enforce, among other things:
• The appropriate use of ACME’s business information systems, both at work and at home. More specifically, but not comprehensively, the prohibition of personal e-mail accounts, instant messaging and other personal activities while connected to or using ACME’s systems, and the acknowledgement that any activity performed on ACME’s systems may be viewed and captured electronically by ACME at any time.
• The definition of confidential and trade secret information, as well as the rules intended to protect such information from employee theft.
• The ownership by ACME of processes, trade secrets and methodologies that are developed by ACME employees.
Through a proactive strategic approach to information management, however, company officials would have been more prepared. Such an approach would have established IT-based internal controls to prevent people from moving or “leaking” sensitive and critical business digital information and trade secrets. These controls include software- and hardware-based tools administered by a competent IT staff under authorization by the company executives.
These tools fall into several categories and would have helped mitigate the theft and other digital misbehavior by the head buyer.
Data Leakage Protection (DLP): This category includes software and hardware that limit the movement of electronic information through strategically managed business rules and software-aided intelligence. For instance, these tools can be configured to prevent certain kinds of files, or files containing specific terms, from being sent anywhere outside the corporate network via the internet (e.g., e-mail, webmail, uploads), whether by any user or only by selected users. These tools can also control data movement on a user-by-user basis, if desired.
Network Access Controls (NAC): This includes software and hardware that protect the network and its data from the harm that occurs when non-approved devices are attached to it. For example, NAC tools can disallow the use of USB devices or other portable hard drives on any given selection of PCs on the network, as well as limit the copying of information to and from such devices. This precludes users from stealing information via a PDA or an iPod, for example. NAC is also associated with “endpoint security,” which refers to security over the data coming in and out of the extremes of a network’s reach, typically the workstations and remote PCs.
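To make the DLP and NAC rules above concrete, here is an added illustration (not from the article, and not any vendor's product) of a small policy engine that evaluates outbound transfer events against ACME-style rules: personal channels are prohibited, USB storage is disabled on locked-down PCs, and confidential material may leave the network only via authorized senders. All user names, PC names, terms and sample events are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed configuration for the illustration; ACME's real rules would differ.
CONFIDENTIAL_TERMS = ("supplier contract", "merchandising plan", "customer record")
CONFIDENTIAL_EXTENSIONS = (".pst",)           # assumed: mailbox exports are always sensitive
PERSONAL_CHANNELS = {"webmail", "personal_email", "instant_message"}
EXTERNAL_CHANNELS = PERSONAL_CHANNELS | {"corporate_email_external", "upload", "usb"}
USB_LOCKED_PCS = {"PC-BUYER-01", "PC-ACCT-02"}   # assumed workstation names
AUTHORIZED_SENDERS = {"president"}               # users allowed to send confidential data out

@dataclass
class TransferEvent:
    user: str
    pc: str
    channel: str
    filename: str
    content: str = ""

@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)

def is_confidential(ev: TransferEvent) -> bool:
    # Normalise separators so "supplier_contracts.xls" still matches "supplier contract".
    text = f"{ev.filename} {ev.content}".lower().replace("_", " ").replace("-", " ")
    return (any(term in text for term in CONFIDENTIAL_TERMS)
            or ev.filename.lower().endswith(CONFIDENTIAL_EXTENSIONS))

def evaluate(ev: TransferEvent) -> Decision:
    reasons = []
    # Acceptable-use rule: personal e-mail / IM from company systems is never allowed.
    if ev.channel in PERSONAL_CHANNELS:
        reasons.append(f"policy: personal channel '{ev.channel}' prohibited")
    # NAC rule: removable media is disabled on the locked-down workstations.
    if ev.channel == "usb" and ev.pc in USB_LOCKED_PCS:
        reasons.append(f"NAC: USB storage disabled on {ev.pc}")
    # DLP rule: confidential material may leave only through an authorized sender.
    if ev.channel in EXTERNAL_CHANNELS and is_confidential(ev) and ev.user not in AUTHORIZED_SENDERS:
        reasons.append(f"DLP: confidential content blocked on '{ev.channel}' for {ev.user}")
    return Decision(allowed=not reasons, reasons=reasons)

def audit(events) -> list:
    """One alert line per blocked event, as a management alerting hook would receive it."""
    lines = []
    for ev in events:
        decision = evaluate(ev)
        if not decision.allowed:
            lines.append(f"BLOCKED user={ev.user} pc={ev.pc} channel={ev.channel} "
                         f"file={ev.filename} ({'; '.join(decision.reasons)})")
    return lines

SAMPLE_EVENTS = [  # constructed events mirroring the article's scenario
    TransferEvent("headbuyer", "PC-BUYER-01", "usb", "supplier_contracts_2008.xls"),
    TransferEvent("headbuyer", "PC-BUYER-01", "webmail", "notes.txt", "merchandising plan Q3"),
    TransferEvent("president", "PC-EXEC-01", "corporate_email_external", "customer_records.csv"),
    TransferEvent("clerk", "PC-PURCH-03", "corporate_email_external", "lunch_menu.doc"),
]
```

Running `audit(SAMPLE_EVENTS)` flags the two head-buyer transfers (the USB copy trips both the NAC and DLP rules) while the president's authorized send and the clerk's harmless file pass.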
Keep in mind, however, that like almost everything in the IT world, there is no single standard of protection. Security tools and processes can vary dramatically in value, price, capability and complexity. While many of these tools—at least at an entry level—are more affordable than before, they still require reasonable expertise to implement. For basic foundational endpoint security, certain publishers of anti-virus software offer affordable (in the low thousands for a small office network) solutions with reasonable scopes of protection.
For complex DLP and encryption-oriented NAC tools, be prepared to spend into the tens of thousands at a minimum. In any event, it should be upper management that dictates the nature of the risks to be managed.
From the legal angle, ACME should have engaged its lawyers to create and implement an employee manual containing policies that would provide stronger legal means of protecting its information. Had such policies existed, they would have established that rules governing employees’ behavior on ACME’s systems were in force during the head buyer’s tenure. This would have aided in the process of prosecuting the head buyer and her new company.
Day Two: Lost Controls Over Systems and Loss of Key Internal Info
The accounting manager gave her notice. She didn’t return any calls from the president or CFO. She left a note saying she was pleased that ACME was getting its just deserts for having placed too much faith in the former head buyer. Not surprisingly, all users were locked out of the accounting and payroll software: the former accounting manager had been the only administrator-level, full-rights user. And it was payday.
Personnel records and the benefit, payroll and wage adjustment details, which were kept in Microsoft Word files stored on the server, were nowhere to be found. The CFO had to manually write checks to the 50 employees, using best estimates of payroll figures, health care deductions, employee loan repayments and other adjustments. Morale hit an all-time low, and the CFO didn’t care for the interruption to his web activities, either.
Preventative measures here could have included network file-deletion controls, so that any data deleted from the server would be retained for authorized users to review, restore or permanently delete. Also, ACME could have implemented internal network monitoring (“spying”) software, so that any of the accounting manager’s activities would have been captured in screen shots.
This kind of information proves helpful in termination-oriented litigation, and in reaching a settlement before litigation begins. Visual proof of systems-based wrongdoing, when shown to the former employee, can be very convincing—and can deter this kind of activity by others. This kind of software can be among the most affordable tools in the monitoring arsenal, offering limited functionality for as little as a few hundred dollars to manage a few isolated computers.
Day Three: Sexual Harassment Hits ACME
The president was notified of a sexual harassment claim involving the CFO. Apparently, unbeknownst to the president or other executives, the CFO’s web activities were far from business-oriented.
That morning, a purchasing clerk left the CFO’s office disturbed, immediately gave her resignation notice to the HR manager and later filed the harassment claim. Apparently, when she entered the CFO’s office, he was viewing an explicit online video. The costs from this experience proved quite painful and significant to ACME.
Financial losses stemmed from legal and investigative services, as well as related settlement costs. The CFO was fired, leaving no accounting staff to handle the company’s financial activities. Finally, ACME’s once glowing public image became tarnished by the public humiliation stemming from this matter.
Preventative measures here include paying more attention to legal practices surrounding sexual harassment in the workplace. Moreover, the president should have been counseled by his attorneys and IT administrator that his laissez-faire management approach was inappropriate inasmuch as it allowed for a casual policy about web activities. Clearly, the president was too comfortable in his assessment of the intentions of his staff.
He should have long ago established internal IT controls that would have mitigated or prevented the CFO’s behavior. These controls include those that govern the activities allowed when using the web, as well as those that monitor the sites visited by system users.
Using these controls, for example, the president could have chosen to be alerted to inappropriate web behavior, or simply to have specific kinds of web behavior (or specific websites) blocked for some or all users.
The tools to control web behavior start as low as a few thousand dollars, yet most smaller businesses don’t believe it is necessary—until they’ve been hurt, like ACME. Like any of these controls, web behavior tools should be deployed under directives of upper management and be referenced in employee manuals.
Lessons Learned
These financial and nonfinancial losses are the result of inappropriate behavior, principally aided by the use of information systems resources. They could have been mitigated with the use of IT controls, management oversight and the aid of counsel—in a proactive manner. These kinds of “disasters” deserve as much preparedness as their natural disaster cousins—if not more—if the business relies greatly on its critical digital assets. Otherwise, any business can face its own version of ACME’s troubles.
Robert “Bob” Green, CPA, CITP and Rick Mark are president and chief technology advisor, respectively, of insync Information Management, LLC in Los Angeles. You can reach them at BGreen@insyncIM.com and RMark@insyncIM.com.