Tag Archives: RIF


A word to Teva on firing employees and assuring data security

To be able to do something before it exists,
sense before it becomes active,
and see before it sprouts.

The Book of Balance and Harmony (Chung-ho chi).
A medieval Taoist book

In early December 2017, the Israeli pharmaceutical generics company Teva announced it would lay off about 1,700 of its employees in Israel, who make up about 25% of all the company’s employees in Israel, out of a total workforce of 6,680 employees. Without diving into the emotional implications and political opportunities the big layoff creates – I suggest taking a different look at the problem.

What kind of risk are you creating when you fire a big chunk of your work force?

When a big global, publicly-traded company like Teva decides to fire a big piece of its workforce – it’s to reduce costs in anticipation of reduced revenues and to preserve or improve the share price.

Risk management and IT governance run a distant second and third when it’s a question of survival. The IT department is often in the line of fire, since it’s a service organization. The IT security staff may be the first to get cut, since companies view information security as a luxury, not as a must to run the business.

There is nothing in the information security policy of any organization that I have seen that talks about how to manage risk when 1700 employees are being fired in a short period of time in a business unit.

When firing large numbers of employees, the unauthorized network transfer of sensitive digital assets belonging to the company should be (but is rarely) a key concern for the CEO. Here are a few examples of trusted insider theft of digital assets and intellectual property during a big RIF – all cases are true:

  • Sending suppliers classified RFP documents
  • Exploiting production servers with anonymous file transfer protocol (FTP) turned on in order to send large quantities of confidential product design documents
  • Break-ins, bribes and double agents (workers who spy for other groups or companies) taking advantage of the chaos caused by RIFs and strikes.

The business need to use advanced technology to detect and prevent data loss goes straight to the CEO and his management team, and in firms with outsourced IT infrastructure (like Teva), the need for data loss prevention becomes more acute as more and more people are involved with less and less allegiance to the firm.

High risk appetite and waiting until the last minute?

In my experience (and this is supported by prospect theory), highly paid CEOs wildly underestimate, to the point of ignoring them completely, high-impact, low-frequency events like trusted insiders and outsourced IT staffers stealing IP during a big RIF.

In normal times, a key part of formulating and establishing information security policies for your organization is deciding how much risk is acceptable and how to minimize unacceptable risk.

This process initially involves undertaking a formal risk assessment, which is a critical part of any ISMS. However – it’s a mistake to assume that risk assessment is a static process when the business is a dynamic process.

Risk assessment must be dynamic and continuous, moving at the front line of the business, not done as an afterthought or not at all.

When a company fires on a wide scale – the words dynamic and continuous take on new meaning. We are not in Kansas anymore; this is not a situation where you can ask KPMG to come in and do an organizational risk assessment using their standard questionnaires.

In times of massive layoff – you need to throw away the standard forms and use a threat-analysis based checklist to reevaluate your digital value at risk on a daily basis. The rationale behind the threat analysis is to mitigate the tendency of top management to ignore high-impact, low-frequency events:

  • Think like an attacker. What would you steal if you had the opportunity?
  • Use a systematic approach to estimate the magnitude of risks (risk analysis).
  • Compare estimated risks against risk criteria to measure the significance of the risk (risk evaluation).
  • Define the scope of the risk assessment process to improve effectiveness (risk assessment).
  • Undertake risk assessments periodically to address changes in assets, risk profiles, threats, safeguards, vulnerabilities and risk appetite (risk management).
  • Undertake risk measurement in a methodical manner to produce verifiable results (risk measurement).
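As an added worked example (not code from the post), the following Python models the daily reevaluation of digital value at risk that the checklist above calls for: a constructed risk register with hypothetical asset values and event rates, an insider-rate multiplier applied during a RIF, and a comparison of each scenario against a stated risk appetite. All figures and names are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float    # value of the digital asset at risk (currency units)
    annual_rate: float    # baseline expected events per year
    loss_fraction: float  # share of asset value lost per event
    insider: bool         # trusted insider / outsourced IT staff scenario

# Constructed register with hypothetical figures; the scenarios mirror the
# examples in the post (RFP leak, bulk transfer from a production server,
# contractors replacing cut security staff), the numbers do not.
BASELINE = [
    Scenario("Phishing malware on a workstation", 2_000_000, 4.0, 0.01, False),
    Scenario("Insider sends RFP documents to a supplier", 50_000_000, 0.05, 0.20, True),
    Scenario("Bulk design-document transfer from production server", 120_000_000, 0.02, 0.50, True),
    Scenario("Contractor misuse after security staff are cut", 30_000_000, 0.05, 0.30, True),
]

def annual_loss_expectancy(s: Scenario, insider_multiplier: float = 1.0) -> float:
    """Risk analysis: expected yearly loss = rate x asset value x loss fraction.
    During a RIF the event rate of insider scenarios is scaled by insider_multiplier."""
    rate = s.annual_rate * (insider_multiplier if s.insider else 1.0)
    return rate * s.asset_value * s.loss_fraction

def ranked(register, insider_multiplier: float = 1.0):
    """Rank scenarios by expected loss, highest first."""
    scored = [(s.name, annual_loss_expectancy(s, insider_multiplier)) for s in register]
    return sorted(scored, key=lambda t: t[1], reverse=True)

def exceeds_appetite(register, appetite: float, insider_multiplier: float = 1.0):
    """Risk evaluation: names of scenarios whose expected loss is above the
    organization's stated risk appetite (currency units per year)."""
    return [n for n, ale in ranked(register, insider_multiplier) if ale > appetite]

def daily_value_at_risk(register, insider_multiplier: float = 1.0) -> float:
    """Total expected loss per day, the figure to recompute daily during a RIF."""
    return sum(annual_loss_expectancy(s, insider_multiplier) for s in register) / 365

if __name__ == "__main__":
    for label, mult in (("normal operations", 1.0), ("during RIF (10x insider rate)", 10.0)):
        print(f"{label}: daily value at risk = {daily_value_at_risk(BASELINE, mult):,.0f}")
        for name, ale in ranked(BASELINE, mult):
            print(f"  {ale:>14,.0f}  {name}")
        print("  above appetite:", exceeds_appetite(BASELINE, 1_000_000, mult))
```

With the baseline rates only one scenario breaches a 1,000,000 appetite; once the insider rate is scaled up for the RIF, three do, and the low-frequency insider scenarios dominate the daily figure, which is the point the post makes about management ignoring them.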


The danger of losing your digital assets in a down market

Any information security professional will tell you that security countermeasures are comprised of people, processes and technology. The only problem is that good security depends on stable people, processes and technology.

A stable organization undergoing rapid and violent change is an oxymoron.

People countermeasures are a mix of security awareness training, background checks (at a depth proportional to the job’s exposure to sensitive assets), and deterrence. Andy Grove once said “Despite modern management theory regarding openness – a little fear in the workplace is not a bad thing”. When a lot of employees are RIF’d – there is a lot of anger and a lot of people who don’t identify with their employer; the security awareness training vaporizes and fear and revenge take over. Some of the security people will be the first to go, replaced by contractors who may not care one way or the other, or worse – be tempted by opportunities offered by the chaos.

Processes need to be implemented in a way that ensures confidentiality, integrity and availability of customer data. A simplistic example is a process that allows a customer service representative to read off a full credit card number to a customer. That’s a vulnerability that can be exploited by an attacker. In a merger or acquisition – business processes change, and if one believes in Murphy’s law – never for the best. A rule of thumb I like to use is that many security vulnerabilities lie in the cracks of systems and organizational integration – in an M&A, those cracks can look like the Grand Canyon.

Technology countermeasures are never a panacea and must always be measured for cost-effectiveness. Today’s defense in depth strategy is to deploy multiple tools at the network perimeter and endpoint: firewalls, IPS and malicious content filtering at the perimeter, and removable device control and personal firewalls at the endpoints.

Although defense in depth is a sound strategy – it can develop three vulnerabilities in times of rapid organizational change. First – most defense in depth information security is focused on external threats, while in an organization undergoing rapid change the problem is internal vulnerabilities. Second – defense in depth means increased complexity, which can result in more bugs, more configuration faults and … less security instead of more security. Third – when the security and executive staff is cut, security monitoring and surveillance suffer – since there are fewer (or no) eyeballs to look at the logs and security incident monitoring systems.

Claudiu Popa, president and chief security officer of data security vendor Informatica Corp., recently told Robert Westervelt in an interview on searchsecurity.com that “mergers and acquisitions force IT security pros to be more aware of internal threats”.

No argument – until the closing paragraph, which had some dangerous best-practice boilerplate:

Adequate security is difficult to implement, but once an organization reaches the right level of maturity, security measures will not only save time and money, but also contribute to improved credibility and efficiency.

Correct – but for an organization firing 30% of its workforce overnight – words like maturity, credibility and efficiency go out the door with the employees.
