Beyond Ashley Madison: What’s a CSO to Do?
Authors: Joe Labrozzi and Michael Gaul
Imagine waking up to news reporting the credit card data of 37 million people has been hacked. And then learning that among the hacked are employees of your company who used their corporate email accounts to sign up for a service that connected people for the purpose of having an illicit affair.
What goes through your mind?
Do you ask, how can people be so stupid? Or do you ask other more salient questions such as:
- Is this a violation of company policy?
- Does this put our company’s brand at risk?
- Does this jeopardize our client relationships?
- Are these employees blackmail targets?
- Is there now an increased risk of workplace violence?
- Does this trigger our crisis management plan?
Clearly, the answers to just this small set of questions could have great impact on an organization in the wake of the Ashley Madison flap, but many of the answers make sense from a broader enterprise risk and anti-fraud perspective. People are messy things. They can and do suffer major lapses in judgment and involve themselves in questionable actions.
Employee compromise continues to be a real threat to business. The potential for desperate people to commit desperate acts exists regardless of the latest headline.
Forward-thinking security, risk, and HR practitioners should work together to lay the foundation by which an organization can protect itself from the likelihood of these damaging acts.
Protecting Against the Lapse of Good Judgment
So, what’s a CSO to do? Here are some key recommendations:
1. Do have a written policy detailing the use of all company equipment, accounts, and internet usage. This policy should define with specificity what is unacceptable to include expressly forbidding the use of corporate email for personal matters. Additionally, this policy should cover other employee acts that could cause damage to brand or corporate reputation.
2. Do have a corporate ethics code that is easy to understand, meaningful, comprehensive, and most importantly, enforceable.
3. Do have a documented crisis management plan as part of your larger business continuity plan that specifically addresses information and IT security in the event of compromise or breach, investigation and mitigation processes, and how to communicate to your employee and customer constituencies in the event of a breach.
4. Do consider the use of content filtering on your network, VPN, and individual workstations to monitor and discourage the use of the internet for untoward purpose. Install monitoring systems to detect large data transmissions and lock down the ability to write data to USB or CD media to only those whose roles require this function.
5. Do look for warning signs of fraud. Changes in behavior are often a prelude to the act of desperation you are trying to avoid.
6. Do consider a security and fraud whistleblower program. Employee misbehavior or fraud is often noticed by a colleague of the perpetrator. In fact, over 40% of the initial detection of a fraud is through a tip, most often from a fellow employee. Having an established reporting mechanism can ease the whistleblower’s fear of retaliation and ensure their anonymity.
7. Do conduct periodic security audits of computers, company cell phones, and internet use, specifically social media sites.
People will misbehave. And while these misbehaviors won’t always end up in the headlines, they can be damaging nonetheless. Use the lessons learned by those impacted in the wake of the Ashley Madison breach to protect your people, brand, reputation, and resulting profits from the nightmare of these types of situations.
Have questions about the strength of your cybersecurity or fraud prevention programs? Talk to a risk management expert.