The Truth/Trust Lifecycle — Data Breaches by Danny Boice

Danny Boice
Apr 4, 2019 · 11 min read


Danny Boice on Data Breaches

Danny Boice here again. Today we are going to talk about Data Breaches in the workplace.

Data breaches happen to everyone, and they happen to companies too. The type of data that is stolen all depends on the motive. If the motivation is to make money, then identifying information about lots of people is worth a lot of money on the black market or the dark web market.

Here’s how the dark web market works. A simple credit card transaction online, with information stored in an insecure way, can lead to a breach of your personal information. The website that stored the information may not even know anything happened, but the hacker has downloaded all of their customers’ credit card numbers. Now, somewhere on the dark web, they’ve posted all this information for sale. A lot of people all over the world buy the information and use the credit card until they can’t use it anymore. Once they can’t use one, they’ll go buy a new one. It’s all about quantity over quality. Some people will buy a list of them and churn through them all.

Knowing You’ve Been Breached

Some small businesses have a hard time knowing when they’ve been breached. That said, even a sophisticated enterprise like Target.com can fall prey to data breaches. They, too, have been hacked. The only difference is that in their case, they knew about the issue quickly because it is the job of hundreds of people to monitor their website for issues.

If you are a smaller e-commerce website, still hosting everything yourself, you have to be aware of these issues since you probably don’t have a team of people dedicated to data breaches. First of all, hosting should become a primary concern. It is not a good idea to use a $10 per month hosting account. You also need to understand how to safely secure information and monitor for abnormal activity.

There are a few x-factors when it comes to personally identifying information (PII). This refers to anything that could be useful in identity theft, like credit card information. PII is a treasure chest for hackers who are doing what they do for profit.


Disgruntled Employees

When a disgruntled employee steals data, it can be difficult to recover. They may have taken customer data, financial data, or other important data you didn’t want getting out. Rarely are data breaches at the hands of some ominous Russian or Chinese hacker. More often, employees steal the information in a very low-tech sort of way, saving it to their Dropbox or thumb drive. They may then dump it somewhere on the web, and all of a sudden it starts showing up in Google searches. If your company is visible enough, the leaked information may get to the news, as was the case with Ashley Madison. If you’re a celebrity or someone who is well known in any way, it’s a guarantee that the information will be shared.

The reason you will have difficulty recovering is that a data breach goes beyond your customer information being stolen; it hurts your brand. There’s no insurance for that. There’s nothing you can do to simply bounce back. It’s not as if your customers can just go get new credit cards and all is forgiven — no harm, no foul. If you break your customers’ trust, especially if the information getting out there is very personal, you might go out of business. In the best-case scenario, you can slowly build back trust, but it will take a lot of time.

In some cases, employees do not simply want to take revenge; they actually know the information is valuable and want to sell it. Either way, it’s the same result for the company and the customers. It’s widely believed that the information dumped on the web from Ashley Madison was due to a disgruntled employee. We had thousands of cases come out of that single event. People’s messages were hacked. Their credit card information was hacked. Their transaction information was hacked. Their IP addresses were hacked. Every detail you can imagine was dumped on the web.

In that case, the information was mostly of married people having an affair. However, this data breach was also damaging to people who never even used the website. Because Ashley Madison never validated email addresses for accounts, people would sign up with other people’s email addresses. We saw emails for President Obama over a dozen times. We saw emails for Tony Blair. In some cases, the person using the site was pranking people they knew.

It’s easy to see how data breaches quickly become a very messy business. It becomes hard to determine whose information is whose. You can usually go through all the transactions and IP addresses and messages and piece things together for a case, but sometimes this is difficult to do. In the case of Ashley Madison, this had major ramifications for people. Yes, it revealed plenty of people who were actually cheating and claiming they weren’t. Celebrities or quasi-celebrities were found out. The most notable example was Josh Duggar, an ultra-conservative Christian. He was married and super old school in his ideas of roles in the home. Meanwhile, he was having an affair via AshleyMadison.com. But some marriages almost fell apart when a spouse wasn’t actually using the site.

We were able to come in and help verify this in several cases. In one case, a man’s email address was used. When his wife checked to see if there was a match on him, there was. She didn’t know that it was very easy to get a false positive, so she kicked him out of the house and told him he couldn’t see their kids. He came to us when he was literally homeless, living out of his car in a bad part of town. We did a bunch of work pro bono for him because it was a really sad story. We could tell there was something going on. Sure enough, we found out he hadn’t used the site. The IP addresses that used his information were in Ukraine. His identity had clearly been stolen. We were able to go one step further for him and find other places on the dark web where his information had been posted for sale. We were able to create a whole case for him that saved his marriage. The last we heard, he was back in the house reconciling with his wife.

Protecting Your Data

You might be feeling that no matter what you do or how much money you spend on protecting your network, a ticked off employee could simply circumvent the system by being on the inside. However, you actually have more power than you might realize in protecting your data.

Most people have a false sense of security when they’re using the internet. Personally, I actually assume that anything I write — whether by text message, email, chat, or otherwise — is being backed up and replicated in multiple places throughout the internet. Of course, it’s great to know your information is being backed up if you’re fearful of losing it, but it’s not great if that means a hacker can access it. I just assume the worst, that everything could potentially be seen, and I act accordingly.

As an employer, you can use this false sense of security if you need to check on an employee. It’s funny how employees don’t really consider the information that can be shared online. I remember when one employee was saying too much on Slack. She was messaging coworkers about how she was abusing Ritalin or Adderall at work. She was writing, “I’m not doing any work today. I hope Danny and Jen don’t notice.” She didn’t ever stop to think that we might be backing that stuff up. Once we saw there were issues, we looked into it.

Another disgruntled employee had been taking screenshots of our internal messaging platforms. This employee was about to get her review, and we suspect she thought she might get fired. We caught her red-handed, downloading screenshots of customer information and investigatory cases to her personal Dropbox account. She was doing this on our work computer, and we seized it when her download was literally mid-transfer. It doesn’t get more red-handed than that.

Valuing face-to-face communication can also help protect your data. We’re relying too much on chat and email for every single thing. Of course, there are many reasons to interact in person from a psychological and relational perspective, but it’s also important for security. Face-to-face communication is likely the safest way to communicate. Yes, you’ll need to do a little extra work of taking notes or bringing someone along to have a third party present if you’re worried about needing documentation, but the extra work is worth it.

Whenever a new technology emerges, everybody wants to use it for everything. It becomes a tool that is used even when it’s the wrong tool. So today, everybody is using long-form emails or text to communicate something that would be much better communicated over the phone or face-to-face. As we reflect on what we’re doing and the pendulum starts to swing back, we’ll admit that some things should not be done purely electronically. Sensitive communications, for example, should always be handled in person. In the worst-case scenario, they should be done over the phone.

The face-to-face conversation also allows you to spot particular identifiers that might reveal an employee is disgruntled. You can learn to be more aware or teach supervisors to be more aware of what employees are talking about. You can have “ears on the ground,” so to speak, so that you can quickly know when someone is unhappy. A good supervisor should be able to recognize when an employee is not performing as well as they have in the past or when the employee is having unnatural swings. Of course, you don’t want your supervisors to be paranoid, but it never hurts to be more aware of the status of each employee.

Some changes in employees are less obvious. Sometimes, you have to be more observant to be able to see when an employee is becoming unhappy about something outside of work or disgruntled about something inside of work. Interestingly, one of the most telling qualifiers for people who may be prone to dishonest activity is when their blind carbon copy (BCC) usage goes up in their emails. When somebody starts BCCing themselves or others, that’s an indicator that they are becoming unhappy and are going to leave or do something against the business.

If someone’s use of paid time off and vacation suddenly changes, that can also be a huge red flag. Oftentimes, that means they may be pursuing another job. Employee engagement studies have shown that when employees don’t feel they are getting what they deserve, they are less likely to do good work.

You might be surprised to know how few companies take time to monitor conversations and statuses of employees. For example, many companies today use Slack for internal messages, but they don’t know they need to turn on compliance reports to be able to have a record of what everybody has said. Things get more complicated with Google apps. You have to really know what you’re doing to be able to go in and pull people’s emails. It’s not as straightforward as you might think. In theory, you are legally allowed to do this, at least in most states. However, most companies aren’t pulling information in a way that is actually relevant. For example, if you don’t know that BCCing is an indicator, you would never know to pull that information.
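The BCC indicator described above, turned into a check you could run over exported mail metadata. This is an added example, not code from the article or from the author's firm; the message records are constructed, the internal domain is assumed to be example.com, and the thresholds are arbitrary starting points.

```python
from collections import defaultdict
from datetime import date

INTERNAL_DOMAIN = "example.com"  # assumed company domain

# Constructed outbound-mail metadata: (sender, date sent, BCC recipients).
# alice is quiet for three weeks, then starts BCCing herself and an outside address;
# bob occasionally BCCs a colleague, which is ordinary behaviour.
SAMPLE_MESSAGES = [
    ("alice@example.com", date(2019, 3, 4), []),
    ("alice@example.com", date(2019, 3, 6), []),
    ("alice@example.com", date(2019, 3, 11), []),
    ("alice@example.com", date(2019, 3, 13), []),
    ("alice@example.com", date(2019, 3, 18), []),
    ("alice@example.com", date(2019, 3, 20), ["alice@example.com"]),
    ("alice@example.com", date(2019, 3, 25), ["alice@example.com"]),
    ("alice@example.com", date(2019, 3, 26), ["alice@example.com", "alice.home@mailbox.invalid"]),
    ("alice@example.com", date(2019, 3, 27), ["alice.home@mailbox.invalid"]),
    ("alice@example.com", date(2019, 3, 28), ["alice@example.com"]),
    ("bob@example.com", date(2019, 3, 5), ["carol@example.com"]),
    ("bob@example.com", date(2019, 3, 12), []),
    ("bob@example.com", date(2019, 3, 19), ["carol@example.com"]),
    ("bob@example.com", date(2019, 3, 26), []),
]

def suspicious_bcc(addr, sender):
    """A BCC to oneself or to an address outside the company domain is what we count."""
    return addr == sender or not addr.endswith("@" + INTERNAL_DOMAIN)

def weekly_counts(messages):
    """{sender: {iso_week: [messages_with_suspicious_bcc, total_messages]}}"""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for sender, sent, bcc in messages:
        cell = counts[sender][sent.isocalendar()[1]]
        cell[1] += 1
        if any(suspicious_bcc(a, sender) for a in bcc):
            cell[0] += 1
    return counts

def rate(weeks, keys):
    """Share of messages carrying a suspicious BCC, pooled over the given weeks."""
    susp = sum(weeks[k][0] for k in keys)
    total = sum(weeks[k][1] for k in keys)
    return susp / total if total else 0.0

def flag_bcc_spikes(messages, baseline_weeks=3, min_rate=0.5):
    """Flag senders whose latest-week BCC rate is at least min_rate and more than
    double their own baseline over the first baseline_weeks weeks of activity."""
    flagged = {}
    for sender, weeks in weekly_counts(messages).items():
        ordered = sorted(weeks)
        if len(ordered) <= baseline_weeks:
            continue  # not enough history to compare against
        base, latest = rate(weeks, ordered[:baseline_weeks]), rate(weeks, ordered[-1:])
        if latest >= min_rate and latest > 2 * base:
            flagged[sender] = (round(base, 2), round(latest, 2))
    return flagged
```

A flag here is a prompt for a conversation with the employee and a closer look at the mailbox, not proof of anything on its own.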

It’s impossible to keep all of your employees happy all the time, but you can at least be prepared to protect yourself from losing data if one does become upset. A final simple way to do this is to put in place best practices for IT security. Understanding who has what access and to what level is a good starting point. Who has admin rights on what account? It’s too easy for small companies, who outsource a lot of this stuff to the Cloud, to never check this. Every company, no matter the size, needs to go back through and audit who has admin rights and access to internal information of any kind. By doing this, you might suddenly realize that there are thirty admins for every account. They all have access to everything.

Changes Over Time

At some point, you end up just hearing rumors. Especially in a small company, people hear things. The business is like an echo chamber. In a larger company, the HR team and supervisors will need to be a bit more proactive in being aware of what is said and how employees are feeling. In either case, you have to sometimes simply trust your gut. If someone is taking really long lunches, why not ask what is going on? We have a joke that if someone shows up in a suit, something is off. Even though it is a joke, this simple change can be an indicator that something is going on. Sure, the employee may just happen to want to dress up or have come from their daughter’s dress rehearsal, but more likely they just had an interview somewhere else.

Sometimes, indicators are much more hidden. Has there been a divorce? Has the employee been struggling with alcohol? Do they suddenly have a large amount of debt? As mentioned before, when the government hires for jobs, these are the kinds of questions they ask. They might even look for things you are hiding about your sexuality — not because of your sexuality itself but because the hiding is an indicator of someone who is able to lie. They’re also looking at this information because they’re thinking about anything a foreign government could use against you as blackmail. It’s not about a moral opinion; it’s very pragmatic. If there’s something you’re hiding, even if it’s your love of green jellybeans, they’ll take notice.

In that stream of thought, you have to consider as a business how your employees are changing over time, after hire and into their time with you. Employees don’t just become disgruntled for no reason. Sometimes, it stems from a life change, like picking up a gambling habit. Sometimes, it stems from their feeling that they are being treated unfairly or not being paid enough. In either case, this employee is much more likely to steal data.

When a current employee does something dishonest, almost always something has changed in his or her life. In a lot of cases, you can work with employees. You can talk through what is bothering them. The key is to be in ongoing conversation with employees so you’re not caught off guard when they just lose it. In many cases we have, the issue started long before the employee actually stole information. The problem is systemic and related to a lack of communication within the culture that has been set.

Large Scale Investigations

We sometimes investigate on behalf of companies to help them know where data leaks came from or why. Our work is obviously different from that of a cyber firm. Cyber firms will go in as engineers. They’ll go through all the server logs and do a lot of work that is highly technical on your network. In terms of technical work, we go a couple of levels deep, but we are not hardcore hackers. In some cases, you will need the cyber firm to come in and assist. However, in most cases, we can get to the root of the problem and identify specific issues with employees without that deep dive.

We have effectively helped many large companies when they have spotted stolen data showing up on the web. We have former police detectives who are great at conducting interviews, following the trail, and putting a case together. That’s what they’ve done for their whole careers. Our work gives companies peace of mind to know the investigation is being performed fairly. This accomplishes many things, including reducing their liability.

In some cases, former employees are not just out to enact revenge. Instead, they want to use what they have gained at a company for their own benefit. We’ll consider that situation in the next chapter.
