What to do?

27Aug08

Recently I was asked by someone we will call Judy “What to do” about a particular situation.  I am usually pretty quick with assessing the situation and giving an answer, but this was different.  If a few details were missing my answer would be easy.  With that said, I am going to post the details here and I’m interested in hearing what you would do.

Judy works in the IT department doing help desk and junior level sys admin stuff.  While working on Bobby’s machine Judy came across an email that Bobby NEVER should have sent.  It contained very confidential employee data (salaries, bonuses, addresses, benefits, tax id numbers, etc.) as well as company performance numbers for the past couple years.  Bobby sent this massive spreadsheet to a friend outside the organization and without any type of encryption.  So not only is Bobby intentionally sharing confidential information with someone who should not have access to it, but he also is sending it across the internet in clear text.

If the details ended here my response would be that she needs to report this to Bobby’s superior and make sure they understand the risk brought forth by his actions (not to mention that it should be against policy).  Ah, if life were so easy.

Turns out that Judy never should have been looking through Bobby’s email.  The problem Judy was working on did not require her to browse through Bobby’s sent items let alone read messages.  To compound things, Bobby is the guy Judy would report this to if it were any other employee.  Judy just found something bad that her boss has done, but she shouldn’t know that he did it.

My first question was whether or not Bobby was being malicious: was he sending this information to someone who stands to gain from receiving it?  Judy didn’t seem to think so, as it was sent to a close friend of Bobby’s who holds a similar position at another company.  The next question was whether this was a one-time thing or whether Bobby is constantly sending confidential data offsite.  Judy didn’t know and didn’t want to find out.

Looking at this, I’m not 100% sure what she should do.  Judy likes her job, so the idea of calling her boss on this isn’t too appealing.  She could go directly to her boss and let him know that this shouldn’t happen, but then the question of how she knew comes into play.  She could go above her boss, but the same question will remain.  Reading other users email without authority will probably get her fired or at the very least she’ll lose all trust within the organization.

So what advice did I give her?  I told her to put together a plan to implement a network audit for “sensitive numbers” and other confidential information to see where it lives.  My thought is that if she can pitch this plan and get approval to perform an audit it will give her better insight into where those sensitive files are, but it also gives her a legitimate reason to find the email that started this whole thing.  I also advised that she avoid reading other users’ mail!

What advice would you give?



3 Responses to “What to do?”

  1. She should forward the boss’s email to a bittorrent site (with sensitive information redacted) and then just happen to “run across it” =)

  2. Amrit’s idea is one way to do it. But I think the best answer is the one you have. The reality is if it happened once, it’s likely to have happened a bunch of times. So you push for an analysis to find sensitive data (can even be done under the auspices of PCI) and make sure it looks in the email folders in question.

    Then it’s not your friend, it’s the “process” that uncovered the bad behavior.

    And clearly the boss isn’t too bright. Isn’t that what Gmail is for?

    Mike Rothman
    http://www.pragmaticcso.com

  3. Dave Gilmore

    And who knew you owned an HR hat in the collection of yours. This is clearly an area that very few are prepared to deal with, but I think you handled it very well, and would agree with you. Your solution is both creative and, hopefully, effective. However you might only be seeing the tip of the iceberg with this incident.

    Curiosity is part of human nature and a temptation that is hard to resist. I think we can all say that we have looked at a piece of information that may have been left on a desk, an open document on someone’s computer screen, or as you have previously noted in a posting here, overheard a private conversation.

    As a consultant I often see/hear a lot of confidential information or questionable material. As a duty to my clients it is an obligation to keep it to myself. There is only one instance where I would breach this, and that would be if some individual or company had clearly violated the law.

    Your scenario only reinforces the need for all companies to have a clearly defined policy on acceptable computer use. You also have to have management’s full commitment to enforce the policy. When it is spelled out in black and white the policy can be an effective deterrent to “bad behavior”. The end user also needs to know how infractions of the policy are detected and what the consequences are.

    It still amazes me that end users think their actions on the network are anonymous. I often joke with clients that “Big Brother” is watching them, but the truth is that with very little in the way of forensic applications a good Systems Administrator can track an individual’s Internet usage, email history, and access to network resources.

    I hope that for Judy, Bobby, and yourself, this is an isolated incident, and an honest mistake.

