“Locks keep out only the honest” – Jewish Proverb
As a follow-up to my post on external information disclosure, I’ve put together my top 6 ideas for what you can do to reduce the risk of internal data theft and/or disclosure. This is a tricky topic because how you approach your team about information security may affect their perception of how much you trust them. It will also make their jobs more difficult and less efficient, which is always the tradeoff when securing a system.
The key is striving for a balanced, optimized approach, and iterating until you find a model that works for you. There is no silver bullet or perfect set of locks, so you have to be vigilant and flexible in your approach.
Here are my top 6:
1. Minimum Access / Need to Know
Make sure that you have a granular system for granting access to customer data, private data, or trade secrets. I’m not saying you should become the NSA or CIA, but you should think about how data could be misused and categorize it appropriately. You could also divide responsibilities so that, where appropriate, no one person has access to the complete picture.
One key piece of advice I can give is to have a robust & secure tool for scrubbing your production data into your test environments. This is really important for ensuring quality without compromising customer data, and is relatively easy to implement. Your devs will love you.
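What a scrubbing step like that can look like, as an added example that is not code from the original post: rows are pseudonymized with a keyed hash so that identifiers stay consistent across tables (joins still work) while the real values cannot be recovered without the key, card numbers keep only their last four digits, and e-mail addresses embedded in free text are replaced too. The sample rows and the SCRUB_KEY value are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed sample of "production" rows; every value here is fictitious.
PRODUCTION_ROWS = [
    {"id": 101, "email": "alice@example.com", "name": "Alice Example",
     "card": "4111111111111111", "notes": "Prefers email at alice@example.com"},
    {"id": 102, "email": "bob@example.org", "name": "Bob Sample",
     "card": "5500000000000004", "notes": "Also has account id 101"},
]

# Hypothetical per-environment secret. Load it from a secret store kept apart
# from the production data; whoever holds it could re-link the pseudonyms.
SCRUB_KEY = b"test-env-scrub-key-placeholder"

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def pseudonym(value: str, key: bytes = SCRUB_KEY, length: int = 12) -> str:
    """Keyed, deterministic token: equal inputs give equal outputs, so foreign
    keys still line up, but the input cannot be recovered without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def scrub_email(email: str) -> str:
    # .invalid is reserved, so scrubbed addresses can never reach a real inbox.
    return f"user-{pseudonym(email.lower())}@test.invalid"


def scrub_card(card: str) -> str:
    # A test environment only needs the last four digits for display checks.
    return "X" * (len(card) - 4) + card[-4:]


def scrub_row(row: dict) -> dict:
    out = dict(row)  # leave the production row untouched
    out["email"] = scrub_email(row["email"])
    out["name"] = f"Customer {pseudonym(row['name'])}"
    out["card"] = scrub_card(row["card"])
    # Free-text fields are where real addresses usually slip through.
    out["notes"] = EMAIL_RE.sub(lambda m: scrub_email(m.group(0)), row["notes"])
    return out


def scrub_rows(rows: list) -> list:
    return [scrub_row(r) for r in rows]
```

Because the pseudonym is keyed, the same customer appears under the same fake identity in every table you scrub with the same key, which is what keeps test data usable.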
Another thing to consider is revoking privileges from time to time, or only granting access for a defined period. Sometimes access is granted for a specific project, and when the project ends you still have root on a server.
2. Understand The Rules
Make sure your team understands your policies for handling customer data. Make sure the consequences are clear – both to the employee, and to the company. Understand the specific laws for the countries you operate in, and any industry standards or certifications you should have. In some cases you might be able to partner or outsource certain processes to more cost effectively remain in compliance.
3. Optimize Your Password Policy
It’s important to find the right balance so this doesn’t blow up in your face. If you make your password policy too loose, you will have easy to crack passwords. On the other hand, if the policy is too strict (too many special characters, too long, have to change too frequently), people will get frustrated and will write their passwords down.
A good rule of thumb is that people can easily remember 7 characters and they won’t want to change more than 4-6 times per year. If you include 1 special character and ask people not to use dictionary words, you will be most of the way there.
4. Don’t Store it All in One Place
This is the “don’t put all your eggs in one basket” rule. Think about how you can segment data to manage the risk of a large-scale disclosure. For example, if you store credit card numbers, perhaps they go in a different database (with different permissions) than the CVV codes & expiration dates. Disclosing one part is still bad, but not as bad as disclosing all of it together.
Another thing you can do is segment your customer data into multiple databases so if one is compromised you won’t lose it all. This is also good for scalability.
5. Watch for Disclosure
Make sure you monitor your systems not just for external threats but also for internal folks accessing things they shouldn’t. Consider creating internal honeypots to see if there’s anyone you need to watch more closely. I’m not advocating for Big Brother type of monitoring, and the more you separate your data, follow the need-to-know rules, etc., the less internal monitoring you’ll need.
6. The Buddy System
This is a simple yet effective way to maintain the integrity of your systems. When you’re accessing sensitive data, you have another person (not your supervisor, not your employee) buddy up with you and watch what you’re doing. This is a common cash-handling procedure, and it works for customer data handling as well.
A Word of Caution
In conclusion, there are a few simple things you can do to make your information more secure. You’re probably doing some of them, but it’s a good idea to check in on them from time to time. Getting a third party to take a look can also be a smart move.
I will say that it’s important to communicate any policies or audits in the context of making the team better and helping customers, not trying to incriminate employees, show a lack of trust, or get in the way of their doing their job. If you can show that you trust your team, it’ll boost morale and hopefully avoid creating an incentive for a disgruntled employee to hurt the company.
How do you enforce internal security while maintaining trust with your team?