Even employees who have been thoroughly screened and have proven their trustworthiness can expose an organization’s sensitive data to loss or theft. Organizations and the employees themselves can take the basic precautions described below to mitigate these risks.
A. Safeguarding electronic data
1. Access control lists: Restricting access to information, particularly sensitive customer, employee, and business information, on a need-to-know basis is a fundamental principle of information security. Employees in the accounts payable department, for example, should be barred from accessing human resources information. In addition, access to information by employees with a need to know should be limited to the minimum necessary to perform their job responsibilities. Organizations should implement a process for establishing the access rights of new hires based on their job responsibilities, for modifying access rights when job responsibilities change, and for promptly terminating access rights when the employment relationship ends.
■ Pre-employment screening and post-hire risk alerts

Effective background screening can eliminate the insider threat before it ever occurs by identifying job applicants who pose a threat to the employer’s information assets. Employees responsible for evaluating background reports should look not only for prior convictions for identity theft but also for other crimes involving dishonesty, such as fraud and forgery, which indicate an applicant’s propensity to misuse information. Employers that rely on staffing companies should consider not hiring temporary workers for positions involving access to sensitive employee, customer, or business data, such as positions in the human resources or R&D departments or those responsible for processing credit card payments. If such hiring is imperative, the employer should impose on the staffing company, by contract, background check criteria for temporary placements that are at least as stringent as the employer’s own background check criteria.

Employers should beware that pre-employment screening can itself expose an employer to significant risks. In the past few years, the plaintiffs’ class action bar has aggressively pursued employers for alleged violations of the federal Fair Credit Reporting Act (FCRA), which regulates the procurement of background checks from third-party consumer reporting agencies. As of mid-2015, nearly 20 jurisdictions—states, counties, and municipalities—have enacted “ban-the-box” legislation to restrict private employers’ inquiries into criminal history. At the same time, the U.S. Equal Employment Opportunity Commission (EEOC) has filed several lawsuits against large employers, alleging that their pre-employment screening practices have a disparate impact on African American and Hispanic job applicants. Consequently, organizations should carefully review their pre-employment screening practices for compliance with the many federal, state, and local laws aimed at helping ex-offenders secure employment.

Employers also should consider whether a one-time, pre-employment background

COMBATING THE INSIDER THREAT: REDUCING SECURITY RISKS FROM MALICIOUS AND NEGLIGENT EMPLOYEES

2. Protecting log-in credentials: Employees should be regularly reminded of the importance of protecting their log-in credentials. They should be instructed not to share their log-in credentials with anyone. Hackers may pose as IT professionals on the phone or send phishing emails purporting to originate with the employer’s IT Department, to trick (“social engineer”) employees into revealing log-in credentials. Employees also should be instructed not to write down their log-in credentials and to immediately change their log-in credentials when they suspect the credentials have been compromised. Finally, each employee should be required to acknowledge that only he or she is the authorized person to access and view the organization’s information through his or her log-in credentials and is personally responsible for all activity using those log-in credentials.

3. Screen security: Employees can reveal sensitive data to “shoulder surfers” in airplanes, at coffee shops, and even at work by failing to adequately protect their computer monitor or screen. Employees should be reminded to position their monitor or screen to reduce the risk of viewing by unauthorized individuals. In locations, such as airplanes, where that may not be possible, employees should use a privacy screen to prevent unauthorized viewing. Regardless of location, employees should activate a password-protected screen saver when they leave their screen unattended.

4. Mobile device security: One of the most common causes of security breaches is the exposure of sensitive data through the loss or theft of employees’ mobile devices. To reduce this risk, organizations should push security controls to all mobile devices—whether employer-issued or personally owned—that are used for work. These controls should include encryption, password protection, automatic log-out after a short period of inactivity, automatic log-out after a small number of unsuccessful log-in attempts, and remote wipe capability. In addition, employees should be routinely reminded of the need to physically safeguard their mobile device, for example, by not sharing the device with others and by securing the device (for example, in a hotel safe) when the device is left unattended. Employees should also be instructed to immediately report the loss or theft of the device to a person or group designated to respond to such reports.

5. Remote work security: Corporate spies can tap into unsecured WiFi connections to steal sensitive data. To reduce this risk, employees should be required to use a secure/encrypted connection, such as a virtual private network (VPN), to access the corporate network when working remotely. In addition, employees should generally be required to use that secure remote connection to conduct business involving sensitive data rather than storing the sensitive data on a portable storage medium, such as a thumb drive or a laptop’s hard drive. Where local storage is a business imperative (e.g., when work must get done during a long flight), employees should be required to use an encrypted portable storage medium to store sensitive data.

6. No storage in personal online accounts: Once an organization’s sensitive data move to an employee’s personal email or cloud storage account, the organization effectively loses control of the information. Absent the employee’s prior written authorization, the email or cloud service provider generally cannot lawfully disclose the organization’s data to the organization. At the same time, employees often will hesitate to sign such an authorization out of concern that the employer will gain
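The mobile device controls listed in item 4 above (passcode, lock-out after a small number of failed attempts, automatic lock after inactivity, and remote wipe once a loss is reported) fit together as a small state machine. The following is an added example, not from the article or any MDM product: a model of one managed device that enforces those four controls, so a practitioner can see how the thresholds interact. The thresholds, the passcode and the timestamps are constructed for the example.

```python
"""Added example (not from the article): a managed-device lock model that
enforces passcode, failed-attempt lock-out, inactivity lock and a
remote-wipe flag.  Thresholds and values are constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class DevicePolicy:
    max_failed_attempts: int = 5        # constructed threshold
    inactivity_timeout_s: float = 300.0  # constructed: five minutes


class ManagedDevice:
    def __init__(self, policy: DevicePolicy, passcode: str) -> None:
        self.policy = policy
        self._salt = os.urandom(16)
        self._digest = self._kdf(passcode)   # never store the passcode itself
        self.failed_attempts = 0
        self.locked_out = False      # too many bad attempts; needs an IT reset
        self.wipe_pending = False    # remote wipe queued after a loss report
        self._unlocked = False
        self._last_activity = 0.0

    def _kdf(self, passcode: str) -> bytes:
        # Slow, salted hash so a stolen digest is not trivially brute-forced.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 100_000)

    def attempt_unlock(self, passcode: str, now: float) -> bool:
        """Returns True on success; a locked-out or wiped device never unlocks."""
        if self.locked_out or self.wipe_pending:
            return False
        if hmac.compare_digest(self._kdf(passcode), self._digest):
            self.failed_attempts = 0
            self._unlocked = True
            self._last_activity = now
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.policy.max_failed_attempts:
            self.locked_out = True
            self._unlocked = False
        return False

    def is_unlocked(self, now: float) -> bool:
        """Applies the inactivity timeout on every check."""
        idle = now - self._last_activity
        if self._unlocked and idle >= self.policy.inactivity_timeout_s:
            self._unlocked = False
        return self._unlocked

    def record_activity(self, now: float) -> None:
        if self.is_unlocked(now):
            self._last_activity = now

    def report_lost(self) -> None:
        """Loss reported to the designated responder: lock and queue a wipe."""
        self._unlocked = False
        self.wipe_pending = True


def demo() -> dict[str, bool]:
    """Exercise each control with constructed timestamps (seconds)."""
    policy = DevicePolicy(max_failed_attempts=3, inactivity_timeout_s=300.0)
    dev = ManagedDevice(policy, passcode="example-passcode")  # constructed
    out = {"unlock_ok": dev.attempt_unlock("example-passcode", now=0.0)}
    out["active_at_100s"] = dev.is_unlocked(100.0)
    dev.record_activity(100.0)                       # timer restarts at 100 s
    out["active_at_350s"] = dev.is_unlocked(350.0)   # 250 s idle: still open
    out["idle_at_500s"] = dev.is_unlocked(500.0)     # 400 s idle: auto-locked
    for _ in range(3):                               # three bad passcodes
        dev.attempt_unlock("wrong", now=600.0)
    out["locked_out"] = dev.locked_out
    out["correct_after_lockout"] = dev.attempt_unlock("example-passcode", now=601.0)

    lost = ManagedDevice(policy, passcode="example-passcode")
    lost.report_lost()
    out["wipe_pending"] = lost.wipe_pending
    out["unlock_after_loss"] = lost.attempt_unlock("example-passcode", now=0.0)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points worth noting: the inactivity check runs on every status query rather than on a background timer, so a device that is never touched cannot stay open; and once a loss is reported the device refuses even the correct passcode, because the person holding it may well have observed that passcode.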
secure remote connection. When there is a business need, employees should be required to keep the paper documents with them at all times or to secure the documents when unattended, just as employees should do with a mobile device.
4. Require secure disposal of paper documents: Pharmacies and other health care providers around the country have been the subject of scathing publicity and government investigations after journalists-cum-dumpster-divers discovered unshredded patient records discarded in bulk behind the facility. Whether working from the office or from home, employees should be required to shred paper documents containing sensitive data or to discard them in secure disposal bins.
5. Private conversations are meant for private places: In today’s world of mobile telephony, employees often can end up discussing sensitive information while walking down the street, riding in public transportation, or sitting in a crowded restaurant. Even when working at the corporate office or the home office, employees must take care not to discuss sensitive data over the phone where unauthorized individuals can overhear them.