Catch me if you can

With redundancies, the Middle East faces the possibility of a rise in employee theft of data - but not many companies in the region give it enough credence - or even believe that it occurs

Tags: Al Taqnyah Business Solutions, CA Incorporation, Data leakage, Intellectual Property, London Global Associates, United Arab Emirates, eHosting DataFort
[Photo] LAKSHMANAN: With most of the organisations, the auditors are embedded in IT itself – I don't say it's a good idea. (Thanos Lazopoulos/ITP Images)
By Imthishan Giado. Published August 15, 2009, Arabian Computer News.

When it comes to IT security, the vast majority of enterprises seem to treat their organisations as if they were independent countries. The workforce is the electorate (and has about as much say in running it), the various division heads act as governors and the CEO is El Presidente.

This makes the CIO a mixture of vice president and head of intelligence: he or she is charged both with ensuring that the daily affairs of the organisation proceed as planned and with keeping an eye out for unwanted threats. Unfortunately, far too many CIOs visualise IT security the way a border agency does - it ends up being about watching the horizon for invaders.

In reality, a significant part of today's threat landscape comes from within the organisation itself - and, to no one's surprise, it is not technology that CIOs have to worry about. Systems can be patched, hardened and put behind authentication; the biggest threat to data comes from the users themselves, whose motivations range from revenge to plain financial gain. For IT managers, protecting data against the very people who are supposed to use it is a monstrous headache.

Of course, many in the region do not believe this threat exists. And therein lies the rub: unlike the US, where most states require companies to disclose data breaches by law, and Western Europe, where such requirements are being introduced, the Middle East has no equivalent. With nothing reported, companies are lulled into a false sense of security.

Richard Gayle, managing director at IT security specialists London Global Associates (LGA), confirms that such incidents are commonplace: "There are various reasons why we don't hear much of them. One is that the organisations suffering these breaches per se don't really want to talk about them because it obviously ruins reputational risk, brand risk and so forth."

"The second reason why the information is not in the public domain is because governance, probity and visibility of this type of information is not in the public domain per se. Now that governance and transparency are hot issues, these issues will become available to the commercial and public environments," he continues.

In fact, many firms only look into data security once an incident has happened. Ganesan Lakshmanan, principal consultant at software vendor CA, says the problem is that too much security in the Middle East is predicated on trust.

"We can see that it's happening. It may not be reported to the outside world. A few days ago, I was approached by one of the banks, which knows that information is being lost. They wanted to have a solution in place. So these incidents may not be revealed to the outside world but it is happening," he agrees.

What motivates these employees to leak data? According to Usman Zafar, managing director of Taqnyah Business Solutions, it's most likely another byproduct of the global financial crisis.

"Especially during the recession, many employees have been laid off. It's very difficult for them to get a place in the market. It's like hit-and-try for some of the employees, especially in the IT security sections. One of the most dangerous traps is when they go out of the company - they take the intellectual property rights. We hear with a couple of the organisations that when the guy leaves the company, they take the data," he warns.

Another problem, says Ahmed Baig, head of business management and advisory services at eHosting DataFort (EHDF), is that IT policies rarely make it clear to employees that the data they handle in their day-to-day work does not actually belong to them.

"Even though the data is gathered during their job, the ownership is 100% with the companies. That's not very clear to employees around the world, not just here. It becomes imperative to ensure that organisations create awareness and inform employees about the ownership of this information, information handling policies, and so on," he explains.

Unfortunately for IT security managers, virtually every device an employee touches during the workday is a potential vector for data leakage, intentional or otherwise. From flash memory to unrestricted webmail access, there are countless routes out. The problem is complicated by the recent proliferation of PDAs and laptops that comes with an increasingly mobile workforce. While it is easy to imagine these being used to carry data out, or simply being mislaid, there is another angle, says EHDF's Baig, which companies neglect.

"Today most of the laptops or servers being used by the organisations are being managed by vendors. In most cases when the replacement of these infrastructure components happens, security is not given importance when a device or server is taken out of production but the data is left there in it.

"I've seen this more frequently with clients - they send the laptops out for maintenance to vendors and the data is not encrypted. The person who's repairing the device can access the data very easily. People think that if they put a password, that's sufficient but that's not good enough - I can always connect the hard disk to an external device and get access to the complete data," he reveals.
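Baig's point, that a login password does nothing once the disk is pulled, is checkable before a machine leaves the building. The script below is an added example, not code from the article or from EHDF: it walks the block-device tree reported by util-linux `lsblk -J` (the JSON layout is assumed from that tool; a constructed sample is embedded so the check runs offline) and reports every mounted filesystem or active swap area that does not sit on top of an unlocked dm-crypt/LUKS volume. Bootloader partitions are allowed to be plaintext because they hold no user data and must be readable before any key is available.

```python
"""Report in-use volumes on a Linux laptop that are not protected by dm-crypt/LUKS.

Added example. Assumes the JSON device tree produced by
`lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` (util-linux); the sample below is
constructed to stand in for that output so the check runs offline.
"""
from __future__ import annotations

import json
import subprocess
from typing import Iterator

# Constructed sample: encrypted root, but /home and swap live on a second,
# plaintext disk. Anyone who pulls sdb can read /home directly.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
      {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
      {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
        {"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}
      ]}
    ]},
    {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "children": [
      {"name": "sdb1", "type": "part", "fstype": "ext4", "mountpoint": "/home"},
      {"name": "sdb2", "type": "part", "fstype": "swap", "mountpoint": "[SWAP]"}
    ]}
  ]
}
"""

# Mountpoints expected to be plaintext: bootloader/firmware partitions hold no
# user data and have to be readable before any decryption key is available.
EXPECTED_PLAINTEXT = frozenset({"/boot", "/boot/efi"})


def _walk(node: dict, under_crypt: bool) -> Iterator[tuple[dict, bool]]:
    """Depth-first walk yielding (node, node-or-ancestor is a dm-crypt device)."""
    under_crypt = under_crypt or node.get("type") == "crypt"
    yield node, under_crypt
    for child in node.get("children") or []:
        yield from _walk(child, under_crypt)


def unencrypted_volumes(lsblk_json: str) -> list[tuple[str, str, str]]:
    """Return (device, mountpoint, fstype) for mounted filesystems and active swap
    that have no dm-crypt layer between them and the physical disk."""
    tree = json.loads(lsblk_json)
    findings = []
    for disk in tree["blockdevices"]:
        for node, under_crypt in _walk(disk, False):
            mountpoint = node.get("mountpoint")
            if not mountpoint or under_crypt or mountpoint in EXPECTED_PLAINTEXT:
                continue
            findings.append((node["name"], mountpoint, node.get("fstype") or "?"))
    return findings


def scan_host() -> list[tuple[str, str, str]]:
    """Run the same check against the real machine (needs util-linux lsblk)."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True,
    ).stdout
    return unencrypted_volumes(out)


if __name__ == "__main__":
    for dev, mp, fs in unencrypted_volumes(SAMPLE_LSBLK_JSON):
        print(f"UNENCRYPTED  {dev:10} {mp:12} {fs}")
```

Swap is reported deliberately: an unencrypted swap partition can hold pages of whatever was in memory, so a repair technician with the disk gets more than the files. Run `scan_host()` as part of the asset hand-over checklist and refuse to ship any device that returns a non-empty list.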

In theory, employees are governed by policies set by the human resources department which forbid treating data without due care. Pantelis Verginadis, technical sales consultant at the InterFRONTIERS group, says that it is difficult to protect actual data with policies which exist mainly on paper.

"The only thing you have is your policy - a written one at that. It is left to the discretion of the individual employees as to whether they follow it or not. For example, if the policies state that USB keys are used to transfer data around - and people follow this policy, then you might mitigate it. But if your USB ports are open on your computer, then any employee can plug something in and copy data on it. Then if you leave this company and wanted to leak this data, you can do it whether there's a written policy or not. It's more important for companies that have sensitive data, that they actually put critical restrictions in place that do not allow people to externalise the data," explains Verginadis.

The problem, as LGA's Gayle sees it, is that most companies plan policies but do not maintain them:

"Companies start out with good intentions with the policies in place and the procedures in place checked on a regular basis. What happens down the road is that senior management and executive stakeholders don't continually endorse and support and prod the organisation to continue the rewriting of policies, educational awareness programmes or internal audit and security assessments."

Baig believes company policy and enforcement should remain in HR's domain: "Let's say the enforcement takes place through the HR and security team within an organisation. Any kind of violation of policies has to be done through HR. At the end of the day, if the employee violates a policy and it causes a serious consequence, the violation has to be enforced through HR policies. If you look at our employee handbook, it has security policies - but the handbook itself is owned by the HR department," he explains.

But, he adds, employee awareness of the HR issues should not be taken for granted.

"A lot of the time, employees do things unintentionally. It's very important for companies and senior management to give a very clear message to the audience saying information we use on a day-to-day basis is sensitive. It's important to classify information within an organisation, create awareness for the employees of what the consequences are of losing the information and how they should handle it. In most cases, only the first half of the message is conveyed. The employees are told that the information is sensitive - they are not told how they should handle it. Should they stop using it then?" he questions.

One should remember, at this point, that IT department employees are not immune from the regulations of HR. The nightmare scenario for many organisations is a disgruntled IT department worker with the power to do some serious damage. Gayle says the only way to protect against such an eventuality is doing constant, proper auditing.

"I actually audit not only the IT department but we audit in the way where we audit the systems administrator or the person in charge and we audit the person above him or her. One of the biggest breaches that take place is when the people who are the experts, ie the IT department, are disgruntled and they run off with data. You need a full audit trail from the data sponsor, the data processor and the business owner. If data disappears, the business know what IT are doing, IT know what the IT guys are doing and the main person responsible for the data, even if that person is a systems administrator, is also audited," he says.

"If you look at most of the organisations, the auditors are embedded in IT itself. I don't say it's a good idea. What's happening in the current scenario is that business continuity planning and secure risk management is moving away from the IT department and reporting directly to the CIO," adds CA's Lakshmanan.

"So the role [of dedicated security administrator] is more important now than ever before. It's very clear - now they are like invisible heroes. The moment employees resign from the organisation, they are asked what kind of access they have - so immediately the information has to be confiscated from him and the access removed very quickly."
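Lakshmanan's point that access must go the moment someone resigns is where most organisations slip, because HR and IT keep separate records and nobody reconciles them. The script below is an added example, not code from the article or from CA: it compares a constructed HR roster export with a constructed directory-account export and sorts the enabled accounts into those that should already be disabled (privileged ones first), those whose owner has a termination date coming up, and those with no owner in HR at all. The CSV column names are assumptions; map them onto whatever your HR system and directory actually export.

```python
"""Leaver reconciliation: find enabled accounts whose owner has left.

Added example. Both inputs are constructed CSV exports with assumed column
names: an HR roster (employee_id, status, termination_date) and a directory
dump of accounts (account, employee_id, enabled, privileged).
"""
from __future__ import annotations

import csv
import io
from datetime import date

# Constructed HR export. B. Khan left two weeks ago; C. Silva leaves next week.
HR_ROSTER_CSV = """employee_id,name,status,termination_date
1001,A. Rahman,active,
1002,B. Khan,terminated,2009-07-31
1003,C. Silva,terminated,2009-08-20
"""

# Constructed directory export. bkhan is still enabled and privileged;
# svc_backup has no owner; jdoe is already disabled and so needs no action.
DIRECTORY_CSV = """account,employee_id,enabled,privileged
arahman,1001,true,false
bkhan,1002,true,true
csilva,1003,true,false
svc_backup,,true,true
jdoe,1004,false,false
"""


def _truthy(value: str) -> bool:
    return value.strip().lower() in {"true", "1", "yes", "y"}


def reconcile(hr_csv: str, directory_csv: str, as_of: date) -> dict[str, list[str]]:
    """Classify enabled accounts against the HR roster as of a given date.

    overdue   : owner terminated on or before as_of but the account is still
                enabled; privileged accounts are listed first
    scheduled : owner has a termination date after as_of; pre-stage the disable
    orphaned  : no owner in HR at all (service accounts, or someone HR lost)
    """
    hr = {row["employee_id"].strip(): row for row in csv.DictReader(io.StringIO(hr_csv))}
    overdue: list[tuple[bool, str]] = []
    scheduled: list[str] = []
    orphaned: list[str] = []
    for acct in csv.DictReader(io.StringIO(directory_csv)):
        if not _truthy(acct["enabled"]):
            continue  # already disabled; nothing to do
        owner = hr.get(acct["employee_id"].strip())
        if owner is None:
            orphaned.append(acct["account"])
            continue
        if owner["status"].strip().lower() != "terminated":
            continue
        # A terminated employee with no date recorded is treated as already gone.
        term_raw = owner["termination_date"].strip()
        term = date.fromisoformat(term_raw) if term_raw else as_of
        if term <= as_of:
            # sort key: privileged (False) before unprivileged (True), then name
            overdue.append((not _truthy(acct["privileged"]), acct["account"]))
        else:
            scheduled.append(acct["account"])
    return {
        "overdue": [name for _, name in sorted(overdue)],
        "scheduled": sorted(scheduled),
        "orphaned": sorted(orphaned),
    }


if __name__ == "__main__":
    report = reconcile(HR_ROSTER_CSV, DIRECTORY_CSV, date(2009, 8, 15))
    for bucket, accounts in report.items():
        print(f"{bucket:10} {', '.join(accounts) or '-'}")
```

Run it daily from the HR feed rather than waiting for a manager to raise a ticket; the "orphaned" bucket is the one that tends to hide shared and service accounts whose custodian has already left, which this join cannot attribute and which need a separate owner register.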

InterFRONTIERS's Verginadis says background checks are crucial: "The important thing with administrators is that they need to be filtered when they are being hired. Unfortunately when you give them access, then you should know that an administrator has access to more or less everything. You need to be very careful when you choose these people, that you opt for people who are trusted."

Prosecution is another tricky subject, especially in a region where data protection laws are weak. EHDF's Baig says the best practice is a two-pronged approach involving both NDAs for employees and proper laws.

"As a preventive measure, most companies take a non disclosure agreement that protects against the employee sharing the information. When it comes to prosecuting employees who have violated the NDAs, it's still not very easy, especially in this region where the majority of the employees are expatriates who come from different countries. It also depends on the kind of bilateral treaties that countries have with each other," he says.

"Countries are realising the importance of information security and coming out with various laws. If you go to DIFC, they have their own data protection law which ensures that the information being used within that zone is protected as per international standards," adds Baig.

In the end, it is virtually impossible to predict when an employee might go rogue - but rest assured that when it happens, the higher the employee sits in the food chain, the worse the impact. The task CIOs have is to find a balance between making sure employees cannot seriously damage the organisation and not being so restrictive that the controls breed resentment and cause more problems than they were meant to prevent. And of course, make sure senior management understands the dangers of allowing employees too much freedom.

Legally blind

Many experts place the blame for data leakage squarely on the employee, but there are always two sides to any story. Richard Gayle, managing director at London Global Associates, says the company which makes use of the ill-gotten data can be very hard to prosecute.

"If an organisation was unscrupulous, in this market it would be very hard to prove that company A or individual A came into company B and is using the data from A for his own malicious intent. It's very hard to prove. Our company gets involved in forensics cases where someone left the company and you need to have in the forensics domain, circumstantial evidence as proof of the data leaving from the company to it being used in another company and it's very difficult to prove," he says.

"That can only change when we have a data protection act here throughout the region, not just in the financial centre. That is, as we speak, in draft mode in Abu Dhabi. There will be a data protection act fairly soon here," ends Gayle.
