Here is another example of what a worker, entrusted with access to business files, can do…and it also provides a lesson about business continuity…
I just watched a CNN clip, “Cyber Sabotage,” that provides a very good example of how costly the insider threat can be.
Marie Cooley, an employee at the Jacksonville, FL, small business Steven E. Hutchins Architects, read the paper one Sunday morning, and saw what she thought was a help wanted ad for HER job.
So, she went to her office that night and, using her authorized access, deleted 7 years’ worth of the architecture firm’s files.
Steven E. Hutchins Architects valued the files at $2.5 million.
Guess what? The business did not have backups!!!
The business was able to get the files back, though, using forensics methods.
And then…here’s the kicker…come to find out the owner was NOT planning to fire Cooley; the job she had read about was for Hutchins’ wife’s business.
For committing this 2nd-degree felony, Cooley could get 5 years in prison.
Just a couple of lessons learned:
* The insider threat is very real, in businesses of all sizes. There are unlimited motivations for workers doing bad things with their authorized access. As this case shows, even a perceived, but not real, threat to a worker’s job can trigger her to try to take down the business with her.
* Make backups of business files regularly! Store the backups in a SECURE offsite location (this is not an employee’s basement or car trunk). Businesses of all sizes MUST make regular backups. This example demonstrates how costly not having backups can be. It’s a good thing that Cooley didn’t do more than just a simple delete of the files…if she had known more about how to permanently delete the files, the architect would have lost the files for good.
Small and medium businesses (SMBs) often neglect making regular backups, or providing training to employees to prevent them from doing bad things, in the name of saving time and money. However, not addressing security could ultimately put them out of business.