Now Available:

line

Featured Resources:

line

Realtime Communities

line

Newsletter

Email Address:


line

Monthly Archives

line

RSS

line

Ask the Expert

Have a question for our resident expert? Email your questions to Rebecca.

« January 28 is International Data Privacy Day | Main | Some more information and ideas for Data Privacy Day, January 28 »

Insider Threat: Worker Deletes 7 Years of Files; Lesson? Make Backups!!

Here is another example of what a worker, entrusted with access to business files, can do...and also provides a lesson about business continuity...

I just watched a CNN clip, "Cyber Sabotage" that provides a very good example of how costly the insider threat can be.

Marie Cooley, an employee at the Jacksonville, FL, small business Steven E. Hutchins Architects, read the paper one Sunday morning, and saw what she thought was a help wanted ad for HER job.

So, she went to her office that night and deleted, using her authorized access, 7 years worth of the architect firm's files.

Steven E. Hutchins Architects valued the files at $2.5 million.

Guess what? The business did not have backups!!!

The business was able to get the files back, though, using forensics methods.

And then...here's the kicker...come to find out the owner was NOT planning to fire Cooley; the job she had read about was for Hutchin's wife's business.

For doing this 2nd degree felony Cooley could get 5 years in prison.

Just a couple of lessons learned:

* The insider threat is very real, in businesses of all sizes. There are unlimited motivations for workers doing bad things with their authorization. As this case shows, even a perceived, but not real, threat to a worker's job can trigger her to try and take down the business with her.

* Make backups of business files regularly! Store the backups in a SECURE offsite location (this is not an employee's basement or car trunk). Businesses of all sizes MUST make regular backups. This example demonstrates how costly not having backups can be. It's a good thing that Cooley didn't do more than just a simple delete of the files...if she had known more about how to permanently delete the files the architect would have lost the files for good.

Small and medium businesses (SMBs) often neglect making regular backups, or providing training to employees to prevent them from doing bad things in the name of saving time and money. However, not addressing security could ultimatey put them out of business.

Tags:                                  
 Email This!  Digg it!  Sphere it!  Del.icio.us  Reddit!  Newsvine

Posted by Rebecca Herold on January 25, 2008 10:19 AM |

TrackBack

TrackBack URL for this entry:
http://www.realtime-itcompliance.com/type/mt-tb.cgi/636

Comments

This article should be required reading for anyone applying for a business license. You would be amazed at all the intelligent and successful people who come to me desperate to get their data back, because they have no backup at all.

Posted by: Craig Herberg | January 27, 2008 4:52 PM

Thanks for your note, Craig.

Unfortunately I, too, have seen WAY too many organizations...of all sizes...with completely inadequate BCPs, DRPS, and little to no backups. It's too bad too many companies have to experience an incident or two before realizing the importance of security and business continuity planning.

Rebecca

Posted by: Rebecca | January 28, 2008 10:10 AM

Post a comment

(All comments are approved by site leader before appearing here. Thanks for commenting!)

Search

line

Most Active Posts

line

Library Resources

line
line

Recent Posts

line

Categories

line

Rebecca Herold's Bio:

Rebecca Herold,CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.