Data Theft Aids Tech Support Scam

Organizations need personnel and technology controls to prevent employees from stealing corporate and customer data.


An employee at Trend Micro allegedly stole information on 70,000 customers to help a fake IT support scam, PC Magazine reports. The anti-virus company says the employee accessed a database and sent names, email addresses, phone numbers, and support ticket numbers to the alleged scammers.

The company says those individuals, in turn, contacted customers, posing as technical support staff. Typically, IT support scams try to charge victims for unnecessary services, PC Magazine says.

Trend Micro says it hasn't found evidence that the employee exposed credit card or financial information, nor did the employee access information on government or corporate customers. It has since fired the employee.

Lessons Learned

Preventing employees from stealing data is a necessity. Customer data, employee records, software code, engineering designs, and business strategies are particularly vulnerable to data theft.

While the human resources (HR), IT, and legal functions all are vital for preventing data theft, it is not any one function's job. Instead, the best defense is an integrated approach involving all employees. Here are two areas where organizations need effective controls, along with some strategies that internal auditors can recommend and help implement.

1. Employee Recruitment, Onboarding, and Offboarding

A variety of research indicates that employees commit data breaches unintentionally because they aren't aware of how the organization governs its data. But organizations can blame ineffective recruitment screening, onboarding, and offboarding processes, as well.

Recruitment. Before hiring new employees, the organization should conduct thorough background checks, including reviewing their social media presence. It should look for signs of tolerance of theft, laxness in security protection, and similar traits.

Onboarding. Upon hire, new employees should attend required sessions covering the organization's data sharing, ownership, and privacy policies. During these small group sessions, HR executives should ensure employees understand the data security, ethics, and conflict-of-interest sections of their employment agreements. Employees also should be aware of the organization's privacy and data security policies and procedures.

Additionally, the organization should conduct mandatory training on its data sharing, ownership, security, and privacy policies. This session should test new employees' comprehension and ability to document these processes.

Offboarding. When employees leave the organization, devices issued to them should be scanned and verified for organizational data. These devices include laptops, tablets, smartphones, and removable media.

Because different employees have access to different types of data, the organization should maintain a record of each employee's access privileges. It should reset or delete all of an employee's accounts, access privileges, and passwords upon his or her departure. The organization also should hold former employees accountable for any data breach that is traced back to them.
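The offboarding control described above (a per-employee record of access privileges, and revocation of every account when the person leaves) is easiest to audit when it is reconciled mechanically against the HR roster. The following is an added example, not code from the article or from any organization it mentions; the employees, systems, account names, and dates are constructed sample data, and the `Employee`/`Account` structures are assumptions about how such an inventory might be represented.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    status: str                      # "active" or "terminated"
    last_day: Optional[date] = None  # set when status is "terminated"


@dataclass(frozen=True)
class Account:
    system: str
    username: str
    owner_id: Optional[str]          # None means no recorded owner
    privileges: frozenset
    enabled: bool = True


# Constructed sample data (hypothetical people and systems).
EMPLOYEES = [
    Employee("E100", "active"),
    Employee("E200", "terminated", date(2019, 10, 31)),
    Employee("E300", "terminated", date(2019, 11, 1)),
]
ACCOUNTS = [
    Account("crm", "e100", "E100", frozenset({"customer:read"})),
    Account("crm", "e200", "E200", frozenset({"customer:read", "customer:export"})),
    Account("vpn", "e200", "E200", frozenset({"remote:login"}), enabled=False),
    Account("git", "e300", "E300", frozenset({"code:read", "code:write"})),
    Account("crm", "svc-report", None, frozenset({"customer:export"})),
]


def access_record(employees, accounts):
    """Build the per-employee record of access privileges: emp_id -> [(system, username, privileges)]."""
    record = {e.emp_id: [] for e in employees}
    for a in accounts:
        if a.owner_id in record:
            record[a.owner_id].append((a.system, a.username, sorted(a.privileges)))
    return record


def overdue_revocations(employees, accounts, as_of):
    """Enabled accounts whose owner left on or before `as_of`; each one is a control failure."""
    gone = {e.emp_id for e in employees
            if e.status == "terminated" and e.last_day and e.last_day <= as_of}
    return sorted((a.system, a.username) for a in accounts
                  if a.enabled and a.owner_id in gone)


def orphan_accounts(employees, accounts):
    """Accounts with no owner, or an owner absent from the roster, so nobody is accountable for them."""
    known = {e.emp_id for e in employees}
    return sorted((a.system, a.username) for a in accounts if a.owner_id not in known)


def offboard(accounts, emp_id):
    """Disable every enabled account of the departing employee and strip its privileges.

    Returns the updated inventory and the list of accounts that were changed,
    which doubles as the evidence trail for the offboarding checklist.
    """
    updated, changed = [], []
    for a in accounts:
        if a.owner_id == emp_id and a.enabled:
            a = replace(a, privileges=frozenset(), enabled=False)
            changed.append((a.system, a.username))
        updated.append(a)
    return updated, changed


if __name__ == "__main__":
    today = date(2019, 11, 5)
    print("overdue:", overdue_revocations(EMPLOYEES, ACCOUNTS, today))
    print("orphans:", orphan_accounts(EMPLOYEES, ACCOUNTS))
    remaining, changed = offboard(ACCOUNTS, "E200")
    print("disabled:", changed)
    print("still overdue:", overdue_revocations(EMPLOYEES, remaining, today))
```

Running the reconciliation on a schedule, rather than only at the moment someone leaves, catches the cases the checklist misses: an account created after the offboarding was done, or a service account nobody owns.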

These recruitment, onboarding, and offboarding policies should be implemented in combination with other measures designed to help detect and deter data theft, such as a whistleblower program and communicating the consequences of data theft.

2. Technology Measures Against Data Breaches

IT measures that can help prevent data theft from happening include:

  • Role-based and access-based controls. Limiting data access to only what is required for a particular job and logging user interactions with the data can reduce the chances of theft. For example, a junior-level software developer should have well-defined, limited, or even no access to a primary database. Tracking software can enable organizations to monitor activity within an intranet or network.
     
  • Separate devices for professional versus personal use. Many organizations allow employees to use the same devices for personal and professional use. This blurred boundary between business and personal data can lead to incidental or intentional data breaches. If a single device is allowed for both purposes, the organization should monitor usage of the device and install software to keep each usage separate.
     
  • Establish strict controls over use of removable storage and cloud services. Organizations should restrict employees' ability to access, copy, and move data, and limit access to all forms of removable storage and cloud services. The best solution is to prohibit data copying, whether by email, photocopy, screenshot, camera, or by hand — or even eliminate all the external storage ports of devices. Practically speaking, though, such restrictions can result in lost productivity and employee inconvenience. The next best method is to monitor all forms of data copying, movement, or exchange from the organization's systems. To this monitoring, organizations should add random, in-depth spot checks of employee behavior and audits of control measures.
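The first bullet above pairs two controls: a role-based check that limits each job to the data it needs, and logging of every interaction with that data so that unusual patterns can be spotted. The incident that opens the article (one account reading tens of thousands of customer records) is the kind of pattern the log is there to expose. The following is an added example, not code from the article or from Trend Micro; the role-to-permission map, the user names, the log format and the threshold are all assumptions, and the audit trail it analyzes is constructed inline.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical least-privilege role map (an assumption, not from the article):
# support agents may read individual customer records, only an export role
# may pull them in bulk, and a junior developer has no customer access at all.
ROLE_PERMISSIONS = {
    "support_agent": {"customer:read"},
    "data_export": {"customer:read", "customer:export"},
    "junior_dev": {"code:read"},
}


def authorize(role, permission):
    """Allow an action only if the role explicitly grants it; unknown roles get nothing."""
    return permission in ROLE_PERMISSIONS.get(role, set())


def log_access(entries, ts, user, role, permission, resource):
    """Apply the authorization check and record the outcome, allowed or denied."""
    allowed = authorize(role, permission)
    entries.append(f"{ts} user={user} role={role} action={permission} "
                   f"resource={resource} result={'allow' if allowed else 'deny'}")
    return allowed


def parse_entry(line):
    """Turn one 'timestamp key=value ...' audit line into a dict with a parsed timestamp."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_str)
    return rec


def detect_bulk_reads(lines, threshold, window=timedelta(hours=1)):
    """Flag users whose distinct customer-record reads within any `window` exceed `threshold`.

    Returns {user: peak distinct records in a window}. Distinct records are
    counted so that repeated lookups of one customer do not trip the alarm.
    """
    per_user = defaultdict(list)
    for rec in map(parse_entry, lines):
        if rec["action"] == "customer:read" and rec["result"] == "allow":
            per_user[rec["user"]].append((rec["ts"], rec["resource"]))
    flagged = {}
    for user, events in per_user.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            in_window = {res for ts, res in events[i:] if ts - start <= window}
            peak = max(peak, len(in_window))
        if peak > threshold:
            flagged[user] = peak
    return flagged


def denied_attempts(lines):
    """List (user, action) for every denied request; repeated denials merit a spot check."""
    return [(r["user"], r["action"]) for r in map(parse_entry, lines) if r["result"] == "deny"]


def build_sample_log():
    """Constructed audit trail: routine agent use, one agent pulling many records
    in minutes, and a developer denied access to customer data."""
    entries = []
    base = datetime(2019, 11, 5, 9, 0, tzinfo=timezone.utc)
    for i in range(3):            # alice: three lookups spread across the morning
        log_access(entries, (base + timedelta(minutes=20 * i)).isoformat(),
                   "alice", "support_agent", "customer:read", f"cust-{1000 + i}")
    for i in range(250):          # bob: 250 distinct records in under ten minutes
        log_access(entries, (base + timedelta(seconds=2 * i)).isoformat(),
                   "bob", "support_agent", "customer:read", f"cust-{2000 + i}")
    log_access(entries, base.isoformat(), "carol", "junior_dev",
               "customer:read", "cust-1000")   # denied by the role map
    return entries


if __name__ == "__main__":
    trail = build_sample_log()
    print("bulk readers:", detect_bulk_reads(trail, threshold=50))
    print("denied:", denied_attempts(trail))
```

The threshold is deliberately a parameter: what counts as bulk depends on the job, so it should be set from each role's normal daily volume rather than one number for everyone, and the denied-attempt list is worth reviewing even when the count is small, since the authorization check only stops the request, not the intent.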
Art Stewart

About the Author

Art Stewart is an independent management consultant with more than 35 years of experience in internal audit, financial management, performance measurement, governance, and strategic policy planning.
https://iaonline.theiia.org/authors/Pages/Art-Stewart.aspx
