Cybersecurity: the Enemy is also (perhaps even more so), Within – the case of “Bob”.

January 17, 2013

Much ado has been made about the hacking threat from overseas, with regard to cybersecurity.[1]  Indeed, several commentators repeatedly reinforce that belief.[2]  The truth, however, is that Information Technology and Information Systems (IT/IS) employees and contractors, right here in North America, might be the greatest danger and the weakest link in the chain.  The story recently surfaced of a man who had outsourced his many software development contracts at several different employers, to offshore developers in China.[3]  He provided them with all his access codes and scripts, and was basically absent at work.  For how long he did this, or how much additional data those sub-contractors were able to access and potentially download from those employers, and who they were … we may never fully know!

 

As I have stated at length,[4] you need to take a comprehensive approach to Cybersecurity that also watches the employees and contractors at your back, while you are watching the outsiders in front of you.  In scanning only those 180 degrees left to right, and those 180 degrees north to south at your front, you are missing exactly that same size of iceberg at your back.  You must engage in strict Segregation of Duties, initial background checks, datalogs and audit trails, constant network monitoring, and other actions.

 

Apparently, only one of his employers noticed a problem, and sought (outsourced) a deeper look.  Even then, why did it take so long for them to discover that: (i) the credentials assigned to a domestic worker; (ii) were accessing the system out of work hours, almost non-stop; (iii) from a place where the worker was not last noted to have traveled?  There needs to be more of a focus on internal security, employee access logging (where and when, for how long, and how frequently), and real-time system access audits.
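The three conditions listed above can be written as a log review over session records. This is an added example, not from the original article or the cited case study; the record layout, the baseline table, and the 12-hour threshold are assumptions, and all data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline (hypothetical HR/travel data): expected country and work hours.
EXPECTED = {
    "bob":   {"country": "US", "work_start": 8, "work_end": 18},
    "alice": {"country": "US", "work_start": 8, "work_end": 18},
}

# Constructed remote-access sessions: user, login (employer local time), minutes, source country.
SESSIONS = [
    ("bob",   "2012-05-07 09:05", 480, "US"),
    ("bob",   "2012-05-07 21:10", 540, "CN"),
    ("bob",   "2012-05-08 06:30", 600, "CN"),
    ("alice", "2012-05-07 08:55", 500, "US"),
]

def review(sessions, expected, max_daily_hours=12):
    """Return {user: [flags]} for accounts matching any of the three conditions."""
    findings = defaultdict(set)
    daily = defaultdict(float)  # (user, login date) -> connected hours
    for user, start, minutes, country in sessions:
        base = expected.get(user)
        if base is None:
            findings[user].add("no_baseline")  # account with no known owner profile
            continue
        t0 = datetime.strptime(start, "%Y-%m-%d %H:%M")
        t1 = t0 + timedelta(minutes=minutes)
        # (iii) source location differs from where the worker is expected to be
        if country != base["country"]:
            findings[user].add("unexpected_location")
        # (ii) session starts early, runs past closing time, or crosses midnight
        if (t0.hour < base["work_start"] or t1.date() != t0.date()
                or (t1.hour, t1.minute) > (base["work_end"], 0)):
            findings[user].add("out_of_hours")
        # Simplification: the whole session is attributed to its login date.
        daily[(user, t0.date())] += minutes / 60
    # "almost non-stop": total connected time in a day exceeds the threshold
    for (user, _day), hours in daily.items():
        if hours > max_daily_hours:
            findings[user].add("near_continuous")
    return {user: sorted(flags) for user, flags in findings.items()}

if __name__ == "__main__":
    for user, flags in review(SESSIONS, EXPECTED).items():
        print(user, flags)
```
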

 

Clearly, it seems that some U.S. employers are still far from having a serious approach to Cybersecurity.[5]

******************************************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, social media, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling) in both Canada and the United States.  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.). Please See: http://www.ogalaws.com

He is also an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams.  Please See: http://www.simprime-ca.com

Backed by courses in management, organizational behaviour, and micro-organizational behaviour, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law and Policy (National Security aspects).

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.

 


[1] Mark Clayton, Staff writer.  Cyber security in 2013: How vulnerable to attack is US now?  Published on csmonitor.com, January 9, 2013.  Online: <http://www.csmonitor.com/layout/set/print/USA/2013/0109/Cyber-security-in-2013-How-vulnerable-to-attack-is-US-now-video>

[2] Ed Beeson/The Star-Ledger.  N.J. businesses should brace for higher cyber security costs, complexity, experts warn.  Published on nj.com, January 15, 2013.  Online: <http://www.nj.com/business/index.ssf/2013/01/nj_businesses_should_brace_for.html>

[3] Claire Gordon.  Man Reportedly Outsources His Own Job To China — Then Spends His Time Watching Cat Videos.  Published on jobs.aol.com, January 16, 2013.  Online: <http://jobs.aol.com/articles/2013/01/16/man-outsources-his-own-job-china/>

[4] Ekundayo George.  Cybersecurity (the Nitty-Gritty; and what is Cyberspace?): A Different, Flexible Approach.  Published on ogalaws.wordpress.com, December 9, 2011.  Online: <https://ogalaws.wordpress.com/2011/12/09/cybersecurity-the-nitty-gritty-a-different-flexible-approach/>

[5] More details about the May, 2012 discovery of that employee are available here.  See Andrew Valentine.  Case Study: Pro-active Log Review Might Be A Good Idea.  Published on verizonbusiness.com, January 14th, 2013.  Online: <http://securityblog.verizonbusiness.com/2013/01/14/case-study-pro-active-log-review-might-be-a-good-idea/#more-2659>
