Over the last 6 months CEO’s, Executive Boards, and Small Business Owners alike have been making Strategic Plans for a Romney Victory and for the Re-Election of President Obama. It has been said that elections have consequences, and if recent reports are accurate, there will be significant consequences if President Obama is re-elected. A CNBC article points to 1.5 million jobs being lost due to new EPA rules poised to go into effect. Additionally, several CEO’s have notified their employees of potential job loss. In a recent CNBC article, David Siegel, the owner of Westgate Resorts detailed the impact to his business and possible staff reductions. Also with the mandatory cuts to social and military programs, millions more may lose their jobs. In a conversation with a friend last night he informed me that he needs to evaluate his companies 500 US employees and plan for a staff reduction to 200 if the President is re-elected.
With these significant changes to our economy in mind, it is essential to discuss data security impacts and risk mitigation strategies for managing staff reductions.
Risks associated with layoffs and staff reductions
For many businesses layoffs, reductions in force (RIF’s), and other staff reduction decisions are made in the interest of the overall business. These decisions are usually made with great regret by management, but are understood to be a necessity to “keeping the doors open.” Unfortunately, for those on the receiving end of those layoffs the view is not often aligned with management and accepting the news as “for the greater good” is not generally done. Instead, feelings of animosity, ungratefulness, anxiety, anger, and guilt are felt by those being asked to depart and as such there is a propensity for those employees to make decisions that are no longer in the best interest of the organization but in the interest of their own well being.
The risks to business information, intellectual property, and other assets increases significantly during these trying times as employee anxiety increases and the need to protect their future options increases. While the risks may differ across industries, management must be mindful of the notion that trusted employees will begin to take a “whatever it takes” stance to ensure they can bounce back if they are laid-off or otherwise released. This being the case, management must begin making preparations for increasing the protective controls surrounding their most critical information before the water-cooler conversations turn to rumors of staff reduction.
Pre-action steps to protecting the most critical information and business assets should include understanding the current state of the organizations information technologies and the ability to prove the who, what, when, where of user access events to critical information. The ability for an organization to monitor information assets for inappropriate access will provide management with an ability to take action before critical information leaves the organization.
Understanding the level to which user account entitlements unnecessarily expose access to information is a critical first step in protecting business information assets. Generally speaking there are two categories of user accounts within the information technology infrastructure; the first is that of a privileged account and is necessary for the day-to-day administration of systems and user account entitlements. These accounts are required to support the IT infrastructure and many operational activities and as such usually have full access to all information within the organization. The second category is that of the business user. These accounts are used for access to business applications such as email and applications and should be governed by the principle of least privilege. That is to say that these accounts should be controlled in a manner that provides only enough access to support the user’s role within the business. While this is an over simplification of the actual user account environment for most organizations, it should illustrate the idea that there are differences in user account access and management should understand that there are users within the organization that will have the means to access and remove sensitive information. Focusing on greater separation of these accounts in conjunction with controls that monitor access to sensitive business assets will help management identify the highest risk roles within the organization and adjust the staff notifications accordingly.
After the key questions of user access have been addressed the next component that must be understood by management is the differing ways in which information may be removed by employees. Questions such as – Who has access to the corporate network from remote locations? Do they have the ability to move files between computers via that remote connection? If a user attempted to move files or folders across the connection would the business know about it? How many computer assets within the organization have the ability to copy data to CD or DVD media? If a user inserted an external USB device, would that activity be monitored and result in alerts? Can email be used to send information in the form of attachments and are there any controls in place that monitor for sensitive information in those attachments? The essence of these questions can be summed up as: What has the organization done to address data leakage and to what extent can those controls identify this activity? While it may be infeasible to deploy such controls, especially in an organization that is preparing to undergo staff changes, organizations that have previously deployed them should understand the current capabilities and any gaps that exist. These gaps may then be addressed through the utilization of features and controls or simply monitored in an alternate way.
Image Courtesy of LadyDragonflyCC <3