Data exfiltration is not often the desired outcome of Shadow IT and Stealth IT, but it can inadvertently happen

It’s few and far between that I’ve seen an employee of a company purposefully put the organization at risk while doing their job. Most of what I’ve seen in regard to employees putting an organization at risk stems from the employee not being happy, and in these cases they’re not really doing their job. However, I have seen quite a number of employees using non-approved solutions in their day-to-day work. Why? I think there are several reasons why they do this, but I don’t think any of them are to put the company at risk. How do I know this?

My early days as an instructor

When I started out as a Cisco instructor I worked for a learning partner that no longer exists. That learning partner used Exchange for email. The server was spotty and you could not check email on the go unless you used their Microsoft VPN. I hated it. It didn’t fit any of my workflows. In other words, it caused more friction than I cared to put up with. In response to this I registered a domain that looked similar to the company’s domain and set up Google Apps, now called G-Suite, for the domain. I then started forwarding my work emails to an address that I set up on that domain. For months nobody even noticed. I would reply to them from my G-Suite address and they just went with it. Eventually most people were sending emails directly to my “side” email.

After becoming the CTO I migrated the company off our rusty Exchange server and over to G-Suite, but I couldn’t help but think that I would have reamed someone if they had done what I did. It was not the smartest thing to do and I see that in hindsight, but I wasn’t trying to cause any issues or leak any confidential data. I was trying to get my job done. I think that’s an important realization that management needs to make. If you make a person’s work life difficult they will find another way, and it may not be the way you want.

Plugging the holes

There was a commercial I was watching a few days ago for FlexTAPE. It’s amazing if you haven’t looked at it yet. In one part of the video there is a swimming pool with a huge hole in the side, and the guy slaps a piece of FlexTAPE over the hole from inside the pool and the water stops flowing, of course. I think that IT organizations try to slap some FlexTAPE on the holes when they find them, but oftentimes so much water has escaped at that point that it really impacts the business. Organizations should be looking for the slow leaks so they can be repaired early on. Once people learned how I was handling my email they started asking me to set up email addresses for them so they could do the same. First one colleague, then another. Eventually several of us instructors had an “alternate” email address that we were using regularly. The size of the hole got pretty big.

At some point management realized that they couldn’t pedal backwards on the issue and they had to update how they did things. But I often wonder how much confidential information could have been leaked once I was no longer the only one using the new email domain. Fortunately those who were using the new email domain didn’t really have access to any confidential information but there was quite a bit of course content that could have been exfiltrated. That would have been bad but in my particular organization I don’t know if anyone would have known.

Coming full circle

Today I own my own business and I deal with several external clients. When I have employees I try to be flexible because I understand the problem with friction. I also understand that friction may not be the only reason one turns to a non-approved solution to get their work done. For core business operations an organization would also benefit from defining approved software packages. Should an employee use services like Dropbox, iCloud, Google Drive or If they do, what controls are in place? How does the solution in place impact their job role? Do employees have a means of expressing their frustrations without fear of reprimand? Having an open line of communication with an employee can help them feel like their role is important and can help management to really understand the issues they face. If you neglect that you’re going to find employees choosing their own solutions to get work done, and possibly, inadvertently causing a security issue.

We don’t want that now, do we?

Source: solarwinds GEEK SPEAK

