It is not only important, but absolutely necessary, to let personnel know what your information security and privacy policies are, along with your organization’s sanctions, and then to consistently enforce those policies. If personnel know that policies are not enforced, and that there is no negative consequence for failing to properly safeguard information and systems, it becomes easy for them to ignore policies whenever following them is inconvenient or time-consuming. It also becomes easier for personnel to do bad things as vendettas when they get upset.
Enforcing your organization’s sanctions motivates most personnel to follow policies. Another strong motivation that will work for most personnel, and likely some that do not fall under the previous motivation, is knowing that they could face jail time and monetary penalties for doing bad things to/with the information and systems to which they’ve been entrusted. This motivation also transcends job termination for a large portion of the population. Most people don’t want to go to jail and/or pay huge fines even if they are really ticked off at a former employer and want to do bad things to them.
I’ve posted several times about personnel getting fines and jail time for doing bad things with the information and/or systems to which they were entrusted and authorized to access. Here is another example to put into your files and use within your training and awareness communications.
On January 9, 2008, the U.S. District Court for the Northern District of Georgia sentenced William Bryant to 5 months of prison; a $15,470 fine; 5 months home confinement; 2 years of supervised release; and 200 hours of community service for hacking into the computer and telecommunications system of his former employer, Cox Communications.
“According to United States Attorney Nahmias and the information presented in court: BRYANT is a former employee of Cox Communications, which operates a computer and telecommunications network throughout the United States. After being asked to resign his position with Cox, BRYANT remotely shut down portions of the company’s system, resulting in the loss of computer and telecommunications services, including access to 9-1-1 emergency services, for Cox customers in Texas, Las Vegas, New Orleans, and Baton Rouge. Cox technicians restored service within hours.”
Bryant committed the crime on May 6, 2005.
Not only did Bryant disrupt business for Cox and services for Cox customers, he literally put millions of people at physical health and safety risk by shutting down the 911 system.
It would be interesting to know if Cox had effectively removed all of Bryant’s access to the systems following his termination, or if he exploited vulnerabilities in the system that he knew about.