What to do?
Recently I was asked by someone we will call Judy “what to do” about a particular situation. I am usually pretty quick at assessing a situation and giving an answer, but this one was different. If a few details were missing, my answer would be easy. With that said, I am going to post the details here, and I’m interested in hearing what you would do.
Judy works in the IT department doing help desk and junior-level sysadmin work. While working on Bobby’s machine, Judy came across an email that Bobby NEVER should have sent. It contained very confidential employee data (salaries, bonuses, addresses, benefits, tax ID numbers, etc.) as well as company performance numbers for the past couple of years. Bobby sent this massive spreadsheet to a friend outside the organization without any type of encryption. So not only is Bobby intentionally sharing confidential information with someone who should not have access to it, he is also sending it across the internet in clear text.
If the details ended here, my response would be that she needs to report this to Bobby’s superior and make sure they understand the risk his actions created (not to mention that it should be against policy). Ah, if life were so easy.
It turns out that Judy should never have been looking through Bobby’s email. The problem Judy was working on did not require her to browse through Bobby’s sent items, let alone read messages. To compound things, Bobby is the person Judy would report this to if it were any other employee. Judy just found something bad that her boss has done, but she shouldn’t know that he did it.
My first question was whether or not Bobby was being malicious: was he sending this information to someone who stands to gain from receiving it? Judy didn’t seem to think so, as it was sent to a close friend of Bobby’s who holds a similar position at another company. The next question was whether this was a one-time thing or whether Bobby is constantly sending confidential data offsite. Judy didn’t know and didn’t want to find out.
Looking at this, I’m not 100% sure what she should do. Judy likes her job, so the idea of calling her boss out on this isn’t too appealing. She could go directly to her boss and let him know that this shouldn’t happen, but then the question of how she knew comes into play. She could go above her boss, but the same question remains. Reading other users’ email without authority will probably get her fired, or at the very least she’ll lose all trust within the organization.
So what advice did I give her? I told her to put together a plan to implement a network audit for “sensitive numbers” and other confidential information to see where it lives. My thought is that if she can pitch this plan and get approval to perform an audit, it will give her better insight into where those sensitive files are, and it also gives her a legitimate reason to find the email that started this whole thing. I also advised that she avoid reading other users’ mail!
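One concrete shape such a “sensitive numbers” audit could take, as an added example that is not the author’s plan or any tool from the post: a small discovery scan that walks a file tree, flags dashed US SSN and EIN patterns, rejects SSNs the SSA never issues to cut false positives, masks what it reports so the audit output is not itself a leak, and ranks files by hit count. The file layout, regexes, and sample data are constructed for illustration; an approved audit would point it at real shares and mail stores instead.

```python
"""Added example: a minimal sensitive-number discovery scan of the kind the post
proposes pitching as an audit. Not the author's tooling; patterns, file layout
and sample data are constructed for illustration."""
import re
import tempfile
from collections import Counter
from pathlib import Path

# Dashed written forms only: undashed 9-digit runs (order numbers, phone
# digits) would flood the report with false positives.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
EIN_RE = re.compile(r"\b(\d{2})-(\d{7})\b")
SCAN_SUFFIXES = {".txt", ".csv", ".eml", ".log"}


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules: the SSA never issues area 000, 666 or 9xx,
    group 00, or serial 0000. Anything else is reported."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def mask(value: str) -> str:
    """Keep only the last four digits so the audit report can be shared."""
    return re.sub(r"\d", "*", value[:-4]) + value[-4:]


def scan_text(text: str, source: str = "<text>") -> list[dict]:
    """Return one finding per matched number with source, line, kind and masked value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            if plausible_ssn(*m.groups()):
                findings.append({"source": source, "line": lineno,
                                 "kind": "ssn", "value": mask(m.group(0))})
        for m in EIN_RE.finditer(line):
            findings.append({"source": source, "line": lineno,
                             "kind": "ein", "value": mask(m.group(0))})
    return findings


def scan_tree(root: Path) -> list[dict]:
    """Walk a directory and scan every text-like file; binary junk is tolerated."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_text(text, path.relative_to(root).as_posix()))
    return findings


def summarize(findings: list[dict]) -> list[tuple[str, int]]:
    """Files ranked by hit count: the 'where does it live' view the audit is for."""
    return Counter(f["source"] for f in findings).most_common()


# Constructed sample corpus (not real data): a payroll export, a sent-mail
# item, and an innocuous file with a ticket number that must not match.
SAMPLE_FILES = {
    "hr/payroll.csv": (
        "employee,ssn,salary\n"
        "Alice Example,123-45-6789,85000\n"
        "Bob Example,000-12-3456,90000\n"      # area 000: never issued
        "Carol Example,987-65-4321,91000\n"    # area 9xx: never issued
    ),
    "mail/sent/0001.eml": (
        "From: bobby@example.com\nTo: friend@example.net\nSubject: numbers\n\n"
        "Attached payroll. Our EIN is 12-3456789; Dave is 321-54-9876.\n"
    ),
    "docs/readme.txt": "Nothing sensitive here. Ticket 123-45 closed.\n",
}


def build_sample_corpus() -> Path:
    """Write the constructed files into a fresh temp directory and return its root."""
    root = Path(tempfile.mkdtemp(prefix="audit-"))
    for rel, body in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    corpus = build_sample_corpus()
    hits = scan_tree(corpus)
    for h in hits:
        print(f"{h['source']}:{h['line']} {h['kind']} {h['value']}")
    print(summarize(hits))
```

Run against the constructed corpus it reports one SSN in the payroll export and an EIN plus an SSN in the sent-mail item, and nothing from the readme. The structural SSN filter and the masking are the two parts worth keeping in any real version: the first keeps the report credible, the second keeps the auditor from creating a second copy of the data they were asked to find.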
What advice would you give?
Filed under: Security
Tags: breach, company secrets, confidential information, ethics, situation