Do I need to keep data from employees

    It is commonplace to write that company data and customer base are an asset of any business in the 21st century. But they still don't care about this asset: even a sales manager can easily take away part of the base and sell it profitably, optionally with him. Security in the corporate sphere is limping on both legs, and it would be possible to blame everything on Russian maybe, but it wasn’t there - this is happening all over the world, from Moscow to Sydney. Employees and insiders take revenge, earn on other people's data, simply harm the company for their own reasons. Of course, not all and not always, but the frequency of events makes us dwell on the problem and outline a plan B. Source


    Unfortunately, we can’t talk about the many security problems that our clients have encountered over the past almost 17 years - this information refers to the NDA, and the possibility of breach of obligations is not even discussed. Our RegionSoft Developer Studio team decided to go the other way: we analyzed numerous sources and studies, summarized our experience without the names of specific companies, processed the information and put it into a post. Because trends, incidents, trends and directions of threats are the basis on which we all need to learn. In the end, the smart learns from the mistakes of others.

    Corporate rat face

    How much is your data? “I’m an IP who needs my data!”, “Yes, we have only 2,000 customers in our database, what value!”, “Yes, who needs all this, stop it,” are fairly common answers to this question. And let's count on the example of 2000 customers of a company selling office supplies for offices. Costs are minimal and rude: 4 sales managers - 50,000 each, online advertising - 20,000 per month (even if customers were brought in for a year), booklets - everyone once received 1 booklet with a cost of 120 rubles. So, the company spent 1,440 each on attracting 1 client, that is 2,880,000 rubles. Almost three million was invested only in attraction, and there is both service and retention. And then the company manager quit and carried the customer base to the competitors - after all, they were looking for a salesman with “business contacts”. It’s just that you got a ready-made warm base for your salary, which is enough to make a tiny discount or bonus to get loyalty. Who's guilty? Salesman? Sysadmin? No, the leader is guilty, who did not invest in protecting the most valuable asset of his business - the client base. (Or the second most important asset, because someone will say that the most valuable asset is people. Yes, of course it is, but not those who are willing to sell their boss if they offer an acceptable reward for this.)

    Now imagine what happens to large companies, because they are much more vulnerable due to fiercer competition, more professional employees and more “tidbits” of data. Companies of various sizes spend millions on external security and IT infrastructure protection, but at the same time lose sight of one of the most insidious threats - the danger of employees stealing internal and valuable commercial information.

    Data theft and corruption by corporate insiders is a big problem to be prepared for. Biscom found that 85% of employees are allowed to documents and information that they themselves created, 30% are allowed to data that they did not directly create. In startups, especially security-sensitive ideas and first valuable clients, the data indicate a large degree of connivance: 25% of employees have access to the source code and patent applications, 35% of employees have data on names, phone numbers and e-mail, 85% - have access and retain strategic documents and key business presentations. At the same time, 20% of employees openly stated that they are likely to take the data and pass it on to competitors in the event of negative circumstances of dismissal, while 90% said that the main reason for data theft during dismissal is the lack of information protection policies and technologies. In addition, almost any company has a system administrator (full-time or outsourced), which has full access to absolutely all corporate data. And as a peak of recklessness, you can consider maintaining a corporate base in the cloud, when almost no one has the ability to control the territorial distribution of users and the legality of access to data.

    Who are they?

    So who are these corporate data thieves? In principle, anyone: hackers, cybercriminals, competitors ... But, of course, insiders play a major role in stealing corporate information. In the comments to one of our articles there was a hot battle in which it was proved that system administrators are to blame for everything, which can do much harm. But there is one thing but: yes, the sysadmin can cause the most severe technical damage and work in the most sophisticated way, but here it will sell the data to competitors or even to the open market rather as a merchant. Just because he knows what and to whom to sell, which data is of interest to external agents, and which is an empty set of numbers. So in the end, the financial damage from the offended admin is not so great (especially if you had backups protected from all, made, for example, by another admin, an outsourced company,

    Insiders are not necessarily existing workers who came to work today at 9am. These are former employees, and relatives of existing ones, and partners, and employees of branches, and clients with access to information, and contractors, and suppliers, and consultants, and trainers. And it can be employees of absolutely any level - from a top manager to a junior specialist of those. support. In general, the one who indirectly or directly has access to the customer base, reports, financial information and personal data is your insider.
    Harold Thomas Martin stole six valuable documents and a computer code from the US National Security Agency (NSA). Martin worked for the consulting firm that accompanied and supported the NSA infrastructure, Booz Allen Hamilton. By the way, Edward Snowden once worked in it.
    The Verizon 2017 Data Breach Investigations Report provides interesting statistics on company offenses. The same report showed that in addition to super-cyber-hacker-intrusions and old unkind DDoS attacks, problems with passwords, suspicious attachments in letters, carelessness and physical theft have not disappeared. By the way, 61% of all recorded violations occurred in companies with up to 1,000 employees. Yes, this is logical - hacking or bribing someone from a small business is ten times easier than someone, for example, from a large retail. At the same time, the client base can be sold quite profitably.

    Verizon 2017 Data Breach Investigations Report

    Signs that should alert you

    There is a set of signs that most often indicate that something went wrong. As a rule, primary markers are completely invisible and understanding comes already after the fact, however, several typical patterns of behavior can be identified.

    • Mass export of customer and lead information in any form. This can be abnormal copying to external media, printouts, sending large volumes of letters and letters of large volumes, copying to cloud storage. Typically, this behavior can be found in the logs of the CRM system, as well as in the monitoring systems of the IT infrastructure.
    • The decline in labor activity. An employee who knows that he will soon leave the organization and will be able to immediately find work or money, relaxes before leaving, because he knows that all deadlines and reports for the current month will pass without him. As a rule, this is very noticeable both at the level of ordinary colleagues and to the head of the unit.
    • “Putting things in order” in a working PC and network folders - if an employee, who had not shown zeal in cyber cleaning before, suddenly starts to clean files, copy the work done by him, remove important documents and disable access to his shared folders, then most likely he getting ready to disappear from the company. Of course, with the documents that he considers to belong to him, and not to the company - because he worked on them so much (the fact that he received a salary for this work, he no longer remembers, because the memory is selective). This behavior is especially fatal in the event of the departure of a programmer, analyst or engineer.
    • Sudden, unusual and unmotivated processing and appearing at work on weekends. If an employee almost never worked during after-hours hours and suddenly began to linger or ask for access to the office for the weekend, it is worth looking at him anyway. Even if he does not have malicious intent regarding the data, he may be overloaded with work or working on several personal projects (which in the end can also lead to a “bad” dismissal, depending on company policy).

    Basic corporate security hygiene - Learn how to recognize danger at an early stage. At the same time, one does not need to think that small or medium-sized businesses are out of danger - such companies, due to many factors, from salary to legal, are especially prone to provocation from the inside.

    How can data “go”?

    Data does not always leak maliciously, but more often you have to think about the worst. Here are three main data paths outside the company's servers.

    1. By chance. Today, every employee in the workflow is faced with a dozen, if not more than one, of resources and sources: network storages, devices, clouds, corporate systems. It is impossible to track where which file has settled and remained. Such leaks are practically safe - data is either lost or ignored by a respectable former employee.
    2. False understanding of ownership - the employee thinks that everything he has done belongs to him. This is a very common proposition that is at the root of most problems. The employee firmly believes that all of his needs to be taken away with him, because this was done by his work. The fact that it was for this work that he was hired, and wages were accrued for this work, is usually forgotten.
    3. Malicious intent - an insider finds a way to harm companies and steal data for reasons of revenge, withdrawal from competitors, the desire to blackmail a leader, etc. As a rule, such actions always end in court. By the way, dear employers, remember - if you took a manager with data from a previous job, expect that he will substitute you in the same way.

    This is our director of information technology. For security reasons, it is encrypted.

    This happened, what to do first?

    So, the case smelled of kerosene, money and Corvalol. It's time to start taking action. So what to do if a leak occurs? The main thing is to be restrained, justified and as prompt as possible.

    1. Do not show and prepare a plan for how you will investigate the incident. Consult with lawyers or security officers (if you have any), find out what documents and how you need to receive and execute in order to initiate a lawsuit. Try to do everything so that information about the detection of an offense does not leak into the people - gossip instantly flies around the company, and the offender will have time to cover up tracks, disappear or even “return as it was and have nothing to do with it”.
    2. Determine the location of the leak, find out what information, in what volume and through which channels could be transmitted. Change the protection system, passwords, change the rights of accounts, make backups.
    3. Determine the purpose of the theft to minimize negative consequences. Find out who was the customer and accepted the information, build a chain of participants in the offense. If the data has not been transferred, start approaching the employee so that he does not have time to transfer it to the destination.
    4. Quickly collect all possible evidence: emails, browser history, conversation records, CRM system logs, ITSM system logs, records of employee actions on a PC. Do all this as discreetly as possible so that the employee does not suspect your intentions.
    5. If the information concerned external partners, suppliers and other interested parties, immediately notify them of an offense so that they, for their part, could also minimize risks, and maybe even help in the investigation (here’s how the chip goes - if the guys were in collusion, then and interfere).
    6. As soon as you understand that you have a bag of evidence and the necessary information has been collected, immediately cut off all access to the employee and call him on the carpet. Even if this is your biggest favorite, don’t come from far away - the more you attack and bring charges, the more the insider realizes his level of responsibility and will quickly reveal the cards.
    7. Next, discuss ways of returning data and correcting the situation - perhaps the employee will tell you what to do within the framework of the motives that motivated him. Encourage the employee to cooperate in a pre-trial procedure, conclude a pre-trial agreement with him, in which clearly discuss the substantial penalties for possible insider activity after his dismissal from the company, assure this agreement with a notary.
    8. Simultaneously with the start of negotiations initiate the dismissal process.
    9. After the story is over, make the process public (but not derogatory!), Study the reasons, find the gaps, draw conclusions and finally deal with closing security holes.

    Prevention Decides

    In corporate security, it’s better to prevent than to prevent it later. Honestly, 100% protection will not give anything, there will always be an unreliable technology or a corrupt person, there would be a desire to receive your information. But this does not mean that you need to give up your hand, decide "be what will be" and let the security control go on its own. The smallest preventive measure reduces risks, which means that you need to work on ensuring safety.

    Here is a short checklist of measures that will allow you to protect corporate information.

    • Define policies with clear delineation of access rights according to the list of employees. Workers must clearly and unequivocally understand what information and with what rights can be used by them. Exactly the same as the fact that the work they have done and performed is the property of the company (roughly speaking, bought for wages).
    • At the stage of hiring, register with separate documents agreements on trade secrets, access to information, NDA. The employee must familiarize themselves with the documents and sign them simultaneously with the employment contract. Of course, the wolf steals a few sheep, but the possible legal consequences will significantly reduce negative aspirations.

    Uber acquired the Otto startup with founder Anthony Lewandowski for the development of the unmanned vehicle business. By the end of 2017, Uber began to break into the leadership of unmanned developments, but at the same time, Uber's rival, Waymo, sued the company for stealing corporate secrets. It turned out that the developer of Lewandowski, a former Waymo employee, stole over 14,000 confidential technical documents, drawings and other files from the company before leaving the company to use them in the very startup that Uber acquired. The company faced legal prosecution for using someone else’s technology in the development of unmanned vehicles and for actively covering the theft of trade secrets. The court was postponed several times while the public hearings are going on, but it says a lot that the struggle is far from over 14,000 files,
    • When hiring, specify the regulations for the use of equipment, especially portable. Differentiate the rights for business and personal gadgets (for example, prohibit rolling the CRM mobile application onto a personal smartphone).
    • Use specialized workflow software. So, the client base is best accumulated and stored in a CRM system (preferably located on your server and with the functionality of logging user actions, events and with the possibility of establishing access rights).
    • Monitor employee actions. No, it should not be paranoia in the form of a camera behind your back or a total keylogger, but it is mandatory to monitor changes in the IT infrastructure and unusual, abnormal events. For example, the suspicion of a system administrator (or security service) should cause copying or downloading large amounts of data, actively copying or sending files at lunchtime or during or before the interval of a working day.
    • Make backups. This advice can be safely written in each article on Habré, and all the same they will be made either "already" or "not yet." Backups are not some kind of whim of a vendor or company leader, it’s saving on the consequences of negligence: the extortionist will not receive a single ruble, because there is a copy of all the data; the vengeful admin quits with nothing - backups were protected; the salesman is in vain glad that he has erased the entire customer base - it is securely reserved. Especially pay attention to creating backups, if you are working with a cloud-based CRM system or other service - backups can be done on special conditions or exclusively for a fee, this may come as a surprise.
    • Pay attention to the cloud technologies that you use in business. When working with them, the easiest way is to forget who has which accesses are open and who owns which accounts. Be sure to continuously monitor current accesses. The cloud generally relaxes - for example, many save passwords in the browser and do not log in each time they log in, but keep the application on a fixed tab. In addition, if your employee transfers their login from cloud-based CRM to competitors, you can only find out about this when you realize that all your customers have already closed deals with your competitors.
    • Pay attention to what applications and services an employee uses on a working PC. Particular attention should be paid to cloud services with shared access (for example, Google Docs). It has been repeatedly noted that employees continue to access files even after dismissal. Moreover, if there are a lot of files (commercial offers, contracts, agreements, price lists), then cutting off all accesses at once is almost impossible. Choose corporate analogues with permissions and roles (for example, in RegionSoft CRM we provided the ability to attach agreements, KP and other files to the client’s card so that all documentation was stored in a central database on the company’s server, rather than in vain).
    • Strongly forbid employees to use personal email for login in work services, whether it be CRM or Google AdWords. An employee may not observe basic hygiene in the field of security and compromise his e-mail, and there are not far from corporate systems.
    • Develop a BYOD policy (Bring Your Own Device) - the use of personal devices and gadgets for business purposes and on the premises of the company. There was a case that one very large food company forced employees to put mobile phones in a drawer for the whole working day. This, of course, is an excess that reduces the loyalty of employees. But certain restrictive measures for developers, testers, sales managers, technical support specialists should be.

    Another story is related to an elite plastic surgery clinic in Beverly Hills. The famous surgeon Zain Kadri hired an employee who first worked as a driver and translator, and then went on to work with data and phone calls. The girl was engaged in taking medical records of patients and information about their credit cards on a corporate smartphone (do you still remember that we are talking about Beverly Hills?). In addition, she took unethical photographs of patients before and during surgery. The case is at the investigation stage, the former employee already claims that revenge drove her, but there is a version that the matter is in the paid unfair competition.
    • Force employees to think up normal passwords, prescribe masks for entering complex combinations, check if the password hangs on the monitor and does not lie under the keyboard. This may seem very funny from the outside, but it is a significant step in safety.

    A Minute of the Beautiful - Top of the Worst Passwords of 2017 from the SplashData Worst Passwords of 2017 Report
    1 - 123456 (rank unchanged since 2016 list)
    2 - password (unchanged)
    3 - 12345678 (up 1)
    4 - qwerty (Up 2)
    5 - 12345 (Down 2)
    6 - 123456789 (New)
    7 - letmein (New)
    8 - 1234567 (Unchanged)
    9 - football (Down 4)
    10 - iloveyou (New)
    11 - admin (Up 4)
    12 - welcome (Unchanged)
    13 - monkey (New)
    14 - login (Down 3)
    15 - abc123 (Down 1 )
    16 - starwars (New)
    17 - 123123 (New)
    18 - dragon (Up 1)
    19 - passw0rd (Down 1)
    20 - master (Up 1)
    21 - hello (New)
    22 - freedom (New)
    23 - whatever ( New)
    24 - qazwsx (New)
    25 - trustno1 (New)

    Our personal favorites are trustno1, starwars and dragon. As you can see from the data in brackets, passwords wander by rating from year to year. And it is not without reason that we think that some of the employees of Russian companies are not far from this list.

    After the dismissal of employees, delete their accounts, archive mail (do not delete - it can be useful both for work purposes and in possible proceedings), disconnect from instant messengers and group chats. Examples are known when, even 3 years after leaving the company, employees retain access to the corporate portal, CRM, and numerous work services.

    Banal and simple advice - inform employees about the possibilities of leaks and hacks. Alas, out of ignorance of leaks, there is no less than due to malicious intent.

    As you can see, the advice is very simple, but the pathological greed and carelessness of the company's leaders continue to bring tangible troubles to the business.

    I'm sure there are better ways to mask data, but we don’t have a big budget

    How to secure in CRM

    In this article, we pay special attention to the CRM system, not only because we are the developer of RegionSoft CRM and know about the importance of CRM in security, but also because today every company sooner or later comes to implementing CRM. And this means that it is important to use the program correctly so that it does not become a weapon against you.

    Modern CRM systems include valuable data: the customer base itself, the sales funnel, product and service names, contract terms, documents, and much more, including financial information. Can you imagine how priceless a competitor is to get all your customers who are at the decision-making stage? Got a base, made an adjustment, added a discount and collected revenue. That is, each customer record in CRM has overvaluation, since it contains all significant confidential information. So, CRM should be protected as much as possible from greedy to profit insiders.

    • Choose a CRM system with built-in security mechanisms - at a minimum, there should be the possibility of delimiting user access rights.
    • Try to choose a desktop solution - stealing data from CRM with central storage on your server is much more difficult than in the cloud. In addition, it is easier to protect your server with additional tools and control access to it.
    • Monitor the actions of employees in the CRM system: the program should be able to log actions, log processes and events, etc. You can always determine who downloaded the reports, uploaded the customer lists, performed certain actions.
    • Give access to the CRM-system only to those employees who really need it to work. Do not allow employees to freely and unofficially browse the customer lists of other employees.
    • Grant access to new employees gradually, do not immediately discover all the functionality - give full rights in accordance with official duties only after the end of the trial period.
    • Whenever possible, use encryption when transferring data. Even the elementary transfer of important files in archived form with a simple password will ensure minimal security.

    CRM system - a safe for your corporate information related to customers and transactions. It is in your power not to leave this safe wide open. Remember: any problem with data leakage from the CRM system is a direct threat not only to you, but also to your partners and customers.

    Thus, I am not forced to spend all this money on the whims of cybersecurity

    You can talk about security in a company endlessly - each of us has a history of failure and a history of success. We learn to trust employees, but are forced to limit them. Security is fraught with many material, financial, moral factors and is not always comfortable for all participants in the process. But if you follow the high-speed driving mode, what's the difference, how many cameras and radars will your car take? Probably, everyone should think about this: both managers and employees.

    If you need reliable powerful CRM, our site is waiting for you.

    And we are already actively rocking our channel in Telegram , in which we write not quite formal things about CRM and business without advertising. Come in, sometimes there is a little light.

    Only registered users can participate in the survey. Please come in.

    How is your company with information security?

    • 34.4% Everything is thought out, configured and working 30
    • 13.7% There are systems and tools, but they do not work 12
    • 31% Do nothing for security - who needs our data! 27
    • 10.3% We have critical information, but nobody protects it 9
    • 10.3% We just have a security hole and something can clearly leak into it 9

    What do your company do for data security?

    • 7.6% Everything possible in the industry 6
    • 29.4% Do Nothing 23
    • 26.9% Control traffic 21
    • 37.1% Do not use cloud systems 29
    • 29.4% Prohibit public discs and vaults 23
    • 19.2% Put protection on USB 15
    • 23% Limit the use of personal devices 18
    • 37.1% Set up complex password policies 29
    • 20.5% Limit the volume of incoming and outgoing letters 16
    • 10.2% Use two-factor authentication for mail and services 8
    • 30.7% Limit the pool of IP addresses for services 24
    • 8.9% We have something more interesting! I will tell you in the comments 7

    Also popular now: