Last year Goldcorp, a Canadian mining company with approximately 15,000 employees, became suddenly aware that its internal network had been compromised. The perpetrators had successfully obtained 15 gigabytes of corporate data including tax returns, personal information, financial and operational data, and even copies of expired passports belonging to some of the directors.
Part of this data had been publicly leaked online in an apparent attempt at extortion. The RCMP were contacted and are investigating. Goldcorp reacted quickly with its own security team; however, by then much of its corporate laundry had already been hung out for all to see.
Less than a year earlier, Detour Gold Corp. had the displeasure of a similar experience. Accessing and exposing business data is a profitable endeavour and, according to the Global Risk Institute, one that has grown 38% since 2014, impacting $1 trillion. With attention drawn to the heightened risks and sensational consequences of these attacks, due in part to their being committed by international criminals and state-sponsored agents, businesses often overlook the risk potential that exists within their own backyard. Understanding security and risk involves looking at the entire organization.
When good employees go bad
Consider that the many technologies designed to keep external intruders out also permit authorized users to operate daily, based only on trust that they will do the right things. This intersection of individual staff access, working business data, and business technology can become a risk as potent as any shadowy hacker from far away. It’s important to identify these risks as well, and to take the precautions that anticipate what may occur when good employees go bad. Business technology can be used to increase productivity, but it can also be used to wipe tracks clean. Internal process and technical controls can also serve to rapidly identify when data exfiltration is occurring.
Mitigate your business’ security risks
Maintaining an organizational security posture that includes people, processes and technology is key to making sure your organization is at reduced risk of having a really bad day. Every organization should seriously consider preparing an enterprise-wide security plan that establishes structure, policy, training, incident response and regular reviews. Knowing just where to start can seem daunting, but, like any other IT-related process, security can follow a lifecycle model.
The Security Lifecycle is an ongoing process of defining, refining, verifying and prioritizing security policy. The lifecycle defines practices, controls and tasks that aim to secure business data and ensure business continuity. The process begins with the definition of security policies, which should generally include both high-level and detailed information, depending on the size and complexity of the organization. The method of policy development can vary, but the first pass through the lifecycle should involve identifying some important known risks and the key information assets to protect. Each risk or security priority should have a defined set of security controls mapped to it.
Source: Business Vancouver