A few years ago you may have been reading about the economic collapse with passing interest. At the time it was an issue with the financial institutions that were passing out high-risk loans. Then it was the credit agencies, then the homeowners, and eventually everyone. For many, it didn’t really hit home until your home, job, or salary were lost. It just seemed so far away and we didn’t see the train headed straight for us.
Now another train is coming and I’m telling you right now, it’s headed in your direction. WikiLeaks has brought new meaning to the concept of “insider threat” by providing a convenient vehicle to empower staff to quickly and instantly hand over privileged information.
Whether you support or condemn Julian’s actions and the WikiLeaks phenomenon, the important thing is – you could be next. Given the volume of leaks WikiLeaks has on private companies, if you work for a Global 2000 corporation, there’s a good chance WikiLeaks has some dirt already.
So far the government’s approach has been characteristic of a militaristic response to a national security threat; Hunt down the leader, cut off resources and supplies, go after funding and other supporters. This is also the knee-jerk human nature response to a breach – to go after the individuals thought to be held responsible for the breach.
The problem is, there will always be more soldiers or staff who will leak information; there will always be more website hosts, more bank accounts, more financial supporters and more Julian’s. I suspect, even if Julian was captured and the website shut down, Julian has set a precedence that will inspire another to take his place.
The existence of hackers is a conditional taken for granted, part of the harsh world we live in. Now the existence of online portals that make it easy for insiders to share privileged information is as well. So for those of us, who aren’t involved in trying to put the WikiLeaks founder behind bars, how do we protect our data from being leaked by those who have legitimate access?
Unfortunately, you can’t ever completely eliminate the chance that someone will leak documents to WikiLeaks. In order for any organisation to function, they will need individuals to be able to access information and there will always be a chance that any given individual will decide to make that information available to more people than they should.
All we can do is drastically reduce the odds. Even while the government tries to stop WikiLeaks, they offer WikiLeaks a greenfield of opportunity with excessive internal access. The more people with access to any particular piece of information, the more likely that data is to reach the public eye.
‘Least Privilege’ is the best practice of cutting excessive access rights by giving staff only the privileges they need to do their jobs and not an inch more (or less). The lack of granularity in policy here often provides staff access to several-fold the amount of data they really need. Say you reduce the average employee’s access rights by 80%. Theoretically you’ve reduced the volume of information being leaked to WikiLeaks by an approximately equal portion, because employees can only leak the amount of information they have access to.
Only the companies that perform the worst at protecting their secrets will gain the spotlight of the next MegaLeak, because the site only does major leaks on companies where they’ve compiled enough sources and information. An 80% reduction in information leaked to WikiLeaks is really almost a guarantee, since a major leak won’t occur on the basis of scraps of information.
What the IT security team will need to work out is how to make drastic cuts in access to prevent leaks to WikiLeaks, without blocking employees from the information they need to be productive and that will require implementing more detailed policies.
When I was at VMWorld conducting a short informal survey, participants were overwhelmingly aware of the responsibility they carried and the tremendous value of the data they had access to. IT staff boasted that the data they presided over was worth plenty more than $20 million, but what I didn’t hear is “but I would get busted for sure.” In fact many felt it would be relatively easy to get away with it.
Having accountability after-the-fact isn’t an option. Employees need to know in-advance that they carry a great burden, that violating the burden will result in discharge, and that they WILL be caught. This entails having logins, monitoring, approvals and other processes that makes it really clear who has access to what, when. After-the-fact forensics are fine, but staff need to feel the accountability before-hand and know they won’t get away with it before the attempt is even made.
Obviously WikiLeaks sources are shrouded in mystery and often one major unveiled leak is the combination of hundreds of smaller leaks about the same organisation or event. The only thing we know about how the leaks occur, is that someone goes to WikiLeaks.org and submits materials. Even WikiLeaks doesn’t keep records of where the submissions come from.
On that note, it’s reasonable to suspect that not all the leaks come directly from employees. Malware developers and hackers who are after profit often get confidential data they don’t have any use for and WikiLeaks has made it very easy and convenient for any party to contribute to expose company secrets. In addition to the insider threat, we all need to take a long critical look at how we protect our data from outsiders – even friends and family of staff – to keep our company secrets, secret.