I recently spoke at an information security conference for lawyers in Manchester. It was a good event, with lots of interesting discussions. However, it was in some of the follow-up meetings, with more in-depth conversations, that the penny dropped over one particular issue – access to information.
Both legal firms and accountancy firms hold enormous amounts of sensitive data and confidential files, aka ‘critical information’, which belongs to individuals or organizations. And lawyers and accountants are inherently trustworthy. These are companies we deal with on a personal or corporate level to carry out specialist work which we cannot do ourselves. Hence we share our sensitive information with them, and they work on it.
There is a generalization that (almost) all employees inside the organization have access to (almost) all information held by the organization. The world of Open Systems is all about providing open access to information to anyone, no matter what the role or where they might be located. A great deal of trust is bestowed from the top down based on the need that, if required, anyone can ‘help out’ on any case or project. This access is granted on Day 1 as part of the induction process – and revoked on the day the individual leaves the organization. It doesn’t seem to matter if the person joining is a senior partner or an intern – access is granted.
And so the system has worked for many years, even decades. However, the world has changed. In fact, the world changed a long time ago but there is still an “it won’t happen to us” or a “we trust our people implicitly” attitude. When information was hard to sell or use for personal gain, this might have been seen as a reasonable defense, but today statistics and media stories show otherwise.
‘Those in whom we trust’… can sometimes cross the line
Let’s go back to 2013 and the case involving Edward Snowden. Snowden was a trusted insider who leaked hundreds of thousands of documents; who can imagine a tougher vetting process than the one used by the USA? Or how about Bradley (now Chelsea) Manning in 2010, who leaked 750,000 sensitive military and diplomatic documents? But let’s move a little more up to date: the 11.5 million leaked documents from Mossack Fonseca. While the individual (or group) remains anonymous, it is clear that the security was not adequate and there was no segmentation of the information stores. This meant that once the individual had access to the system, all the information was available – there was no limit on what could or couldn’t be seen. Emails, databases, files and images all became known to the world.
It was not just about current documentation or data; it went back through the decades as well. It can be argued in all of these cases that the information leaks were not for personal gain, but rather to expose the organization for one reason or another. For Mossack Fonseca, the reason given was income inequality – a grudge.
When talking through these cases and asking about information handling and access policies, it seems that many legal and accounting firms would be susceptible to a breach of all information through a malicious insider. Hence the ‘lightbulb’ moment and the penny dropping.
Evolving your stance on security and who can 'access' information
Importantly, threats today are not just from the malicious insider. Everyday employees can accidentally send the wrong information to the wrong person, which can result in a significant data breach. There are also sensitive data loss risks in the form of ‘invisible’ or hidden metadata (think author names, track changes, system/printer data, dates etc.) attached to the documents and files employees work on, which gets shared or published inadvertently on a daily basis. External threats include ‘data harvesting’ (e.g. from your website) by cyber criminals, who use it to create more targeted attacks on your organization. Then there are malware and ransomware attacks – both can run rife in a flat environment with no controls, and could shut down the business completely if they enter your organization and strike.
There is, however, a fine line that needs to be drawn between putting appropriate security into a company that has previously been very open and making it seem that you no longer trust the employees. Your initial approach should be to execute an awareness campaign, educating your staff on the information security risks your organization is susceptible to, and therefore ‘why’ tightened security processes need to be put in place.
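The hidden-metadata risk above is easy to check for and to remove before a file leaves the firm. The following is an added example, not code from the original post or from any product: it treats a Word .docx as what it is (a zip archive whose identifying properties live in docProps/core.xml and whose tracked changes live as w:ins/w:del elements in word/document.xml), builds a small constructed .docx in memory so it runs offline, reports the fields that would leak, and writes a scrubbed copy with the author, last editor, revision count and dates removed and the tracked changes accepted. The user names and document text are constructed sample values.

```python
"""Inspect and scrub hidden metadata from a Word .docx before it is shared."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML namespaces used in docProps/core.xml and word/document.xml
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Properties that identify people or editing history; dc:title is deliberately kept
SENSITIVE_FIELDS = ["dc:creator", "cp:lastModifiedBy", "cp:revision",
                    "cp:lastPrinted", "dcterms:created", "dcterms:modified"]

# Constructed sample parts (names, dates and text are made up for this example)
SAMPLE_CORE_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}" xmlns:dcterms="{NS['dcterms']}" xmlns:xsi="{NS['xsi']}">
  <dc:title>Advice to client</dc:title>
  <dc:creator>trainee.jones</dc:creator>
  <cp:lastModifiedBy>partner.smith</cp:lastModifiedBy>
  <cp:revision>14</cp:revision>
  <dcterms:created xsi:type="dcterms:W3CDTF">2016-04-01T09:00:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2016-04-03T17:45:00Z</dcterms:modified>
</cp:coreProperties>"""

SAMPLE_DOCUMENT_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="{NS['w']}"><w:body><w:p>
  <w:r><w:t>We recommend </w:t></w:r>
  <w:del w:author="partner.smith"><w:r><w:delText>settling now</w:delText></w:r></w:del>
  <w:ins w:author="partner.smith"><w:r><w:t>contesting the claim</w:t></w:r></w:ins>
</w:p></w:body></w:document>"""

W_INS = f"{{{NS['w']}}}ins"
W_DEL = f"{{{NS['w']}}}del"
W_AUTHOR = f"{{{NS['w']}}}author"


def build_sample_docx() -> bytes:
    """Assemble a minimal .docx (a zip archive) from the constructed parts above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", SAMPLE_CORE_XML)
        z.writestr("word/document.xml", SAMPLE_DOCUMENT_XML)
    return buf.getvalue()


def inspect_metadata(docx_bytes: bytes) -> dict:
    """Report the hidden properties and tracked changes that would leave with the file."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        for field in SENSITIVE_FIELDS:
            el = core.find(field, NS)
            if el is not None and el.text:
                found[field] = el.text
        doc = ET.fromstring(z.read("word/document.xml"))
        tracked = doc.findall(".//w:ins", NS) + doc.findall(".//w:del", NS)
        found["tracked_changes"] = len(tracked)
        found["tracked_change_authors"] = sorted({t.get(W_AUTHOR, "unknown") for t in tracked})
    return found


def scrub_metadata(docx_bytes: bytes) -> bytes:
    """Return a copy with identifying properties removed and tracked changes accepted
    (inserted text kept, deleted text dropped, the w:ins/w:del wrappers removed)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                core = ET.fromstring(data)
                for field in SENSITIVE_FIELDS:
                    for el in core.findall(field, NS):
                        core.remove(el)
                data = ET.tostring(core, xml_declaration=True, encoding="UTF-8")
            elif item.filename == "word/document.xml":
                doc = ET.fromstring(data)
                for parent in list(doc.iter()):          # snapshot: we modify the tree
                    for child in list(parent):
                        if child.tag == W_DEL:
                            parent.remove(child)
                        elif child.tag == W_INS:
                            idx = list(parent).index(child)
                            parent.remove(child)
                            for i, run in enumerate(list(child)):
                                parent.insert(idx + i, run)
                data = ET.tostring(doc, xml_declaration=True, encoding="UTF-8")
            dst.writestr(item.filename, data)
    return out.getvalue()


def document_text(docx_bytes: bytes) -> str:
    """Visible text only (w:t runs), used to confirm the scrub kept the content."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        doc = ET.fromstring(z.read("word/document.xml"))
    return "".join(t.text or "" for t in doc.iter(f"{{{NS['w']}}}t"))


if __name__ == "__main__":
    raw = build_sample_docx()
    print("before:", inspect_metadata(raw))
    print("after: ", inspect_metadata(scrub_metadata(raw)))
```

Run on a real file by replacing build_sample_docx() with the bytes of the document; a complete .docx also carries docProps/app.xml (application and company name) and comments.xml, which the same approach covers by adding those parts to the scrub. Running a check like this at the point where documents are emailed or published is a cheap control for the inadvertent-disclosure risk described above.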
Reduce the number of people who have access to critical information, reduce the risks.
This move from the laissez-faire “need to know – but everyone needs to know” found today, to an enhanced security posture of “really, really need to know”, is something many organizations are now embracing, including the military. And it’s for a good reason – keeping critical information safe, which in turn keeps the business safe.
Information security risks are proportional to the number of people who have access to your critical information. Reduce the number, reduce the risk. New processes might be needed to enable rapid access to those who now need to know – but it shouldn’t be access for all, especially the intern.
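The “reduce the number, reduce the risk” argument, and the missing segmentation in the Mossack Fonseca case above, can be made concrete by measuring exposure under the two access models. The following is an added example, not code from the original post: it models a small constructed firm (four people, three client matters, five documents, all made-up names), compares the Day-1 “access for all” policy against a matter-based need-to-know policy, counts how many people can read each critical document and how many critical documents any single account could walk out with, and includes an audited “rapid access” grant for someone who now needs to know. The role names and the rule that interns stay off critical files are assumptions for illustration.

```python
"""Exposure of critical information under flat versus need-to-know access."""
from dataclasses import dataclass, replace
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Document:
    doc_id: str
    matter: str       # the client case or engagement the file belongs to
    critical: bool    # 'critical information' in the sense used in the post


@dataclass(frozen=True)
class Person:
    user: str
    role: str                 # e.g. partner, associate, intern (assumed roles)
    matters: FrozenSet[str]   # matters this person is assigned to work on


# Constructed sample firm: every name and matter id here is made up
STAFF = [
    Person("partner.smith", "partner", frozenset({"M-101", "M-102"})),
    Person("assoc.patel", "associate", frozenset({"M-101"})),
    Person("assoc.lee", "associate", frozenset({"M-103"})),
    Person("intern.jones", "intern", frozenset({"M-101"})),
]
DOCS = [
    Document("D1", "M-101", critical=True),
    Document("D2", "M-101", critical=False),
    Document("D3", "M-102", critical=True),
    Document("D4", "M-103", critical=True),
    Document("D5", "M-103", critical=False),
]

Policy = Callable[[Person, Document], bool]


def flat_policy(person: Person, doc: Document) -> bool:
    """The 'access for all on Day 1' model: every employee can open every file."""
    return True


def need_to_know_policy(person: Person, doc: Document) -> bool:
    """Matter-based segmentation: a person sees only the matters they are assigned to,
    and (assumed rule) interns are kept off critical files even within their own matter."""
    if doc.matter not in person.matters:
        return False
    if doc.critical and person.role == "intern":
        return False
    return True


def readers_per_document(policy: Policy, staff: List[Person], docs: List[Document]) -> Dict[str, int]:
    """How many people can read each document under the given policy."""
    return {d.doc_id: sum(1 for p in staff if policy(p, d)) for d in docs}


def insider_blast_radius(policy: Policy, staff: List[Person], docs: List[Document]) -> Dict[str, int]:
    """How many critical documents a single account could walk out with."""
    return {p.user: sum(1 for d in docs if d.critical and policy(p, d)) for p in staff}


def worst_case(policy: Policy, staff: List[Person], docs: List[Document]) -> int:
    """The largest single-insider blast radius: the number the post says to reduce."""
    return max(insider_blast_radius(policy, staff, docs).values())


def grant_matter_access(staff: List[Person], user: str, matter: str, approver: str,
                        audit_log: List[Tuple[str, str, str]]) -> List[Person]:
    """The 'rapid access' process for someone who now needs to know: add one matter to
    one person, recorded with who approved it. Returns a new staff list; nothing is
    granted silently and nobody approves their own access."""
    if approver == user:
        raise ValueError("self-approval is not allowed")
    updated = []
    for p in staff:
        if p.user == user:
            p = replace(p, matters=p.matters | {matter})
            audit_log.append((user, matter, approver))
        updated.append(p)
    return updated


if __name__ == "__main__":
    for name, policy in (("flat", flat_policy), ("need-to-know", need_to_know_policy)):
        print(name, readers_per_document(policy, STAFF, DOCS),
              "worst single insider:", worst_case(policy, STAFF, DOCS))
    log: List[Tuple[str, str, str]] = []
    staff = grant_matter_access(STAFF, "assoc.patel", "M-103", "partner.smith", log)
    print("after grant:", insider_blast_radius(need_to_know_policy, staff, DOCS), log)
```

Under the flat policy every one of the four accounts can reach all three critical documents; under need-to-know the worst single account reaches two, the intern reaches none, and the one extra grant is visible in the audit log rather than buried in a blanket entitlement. The same two functions can be run over a real entitlement export to find which accounts, or which shared folders, carry the widest blast radius today.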