Technology can cure a lot of security problems caused by insiders, but not someone determined to get around the rules. That seems to be the lesson from a CBC news report today about Canada Revenue Agency (CRA) staff members continuing to flout policies that forbid them from accessing the tax files of Canadians.
According to Access to Information documents uncovered by the public broadcaster, there have been nine significant cases of tax workers wrongly looking at files with details on income, deductions, benefits, payments and employment — this despite spending $10.3 million on technology to impose access control.
The good news: CRA says it has fired eight of the nine workers caught so far this year.
It’s not like these are people who just want a peek at a file or two: In one case an employee made unauthorized access to the accounts of 90 acquaintances and family members, a business and his/her own account, according to files found by the CBC. Another staffer improperly accessed the accounts of 227 businesses and individuals.
Insiders are a knotty problem: The information some have access to in any organization is tempting, particularly in tax departments where it’s personal. How big the problem is across industries isn’t clear. Some security vendors publish high estimates of the inside threat, but when pressed admit that they assume all intruders are insiders, because to get around a network an intruder either is an insider or has stolen an insider’s credentials. When you separate true insiders from external actors — as Verizon does in its annual breach report — the number is around 20 per cent.
That means the vast majority of an enterprise’s employees are trustworthy. Still, 20 per cent is not to be dismissed.
One expert has suggested there are tell-tale signs that people might be willing to take risks, which managers need to watch for; one of them is an employee who has a grievance against the organization. I’m not sure in Canada Revenue’s case that’s the problem. The problem there is temptation.
So the first defence is regularly reminding employees about the perils of accessing data they have no business being near. The second is the technology piece, implementing access control.
Also note the federal privacy commissioner’s office has issued a list of 10 tips to prevent employee snooping and data theft. CSOs should remember tip 7: Proactively monitor and/or audit access logs and other oversight tools. Hopefully, that’s how CRA’s nine offenders were caught.
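Tip 7 is the one that actually catches cases like the two described above (90 acquaintances and relatives in one, 227 accounts in the other). Below is an added example, not code from the article or from CRA, of what a proactive audit of account-access logs can look like: it parses a small set of constructed log lines (the format, employee IDs, account IDs and thresholds are all assumptions for illustration) and flags three patterns an auditor would want to see first: an employee viewing their own account, an unusually high number of distinct accounts viewed, and lookups with no work-item reference attached.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not real CRA data). Each line records
# one employee viewing one taxpayer account, with the work-item reference the
# employee entered to justify the lookup, or "none" if they entered nothing.
SAMPLE_LOG = """\
2014-03-10T09:01:12 emp=E1001 account=A5001 ref=case:7781
2014-03-10T09:02:40 emp=E1001 account=A5002 ref=case:7781
2014-03-10T09:05:03 emp=E1002 account=A5003 ref=case:7790
2014-03-10T09:06:15 emp=E1002 account=A9002 ref=none
2014-03-10T09:07:50 emp=E1003 account=A5010 ref=none
2014-03-10T09:08:01 emp=E1003 account=A5011 ref=none
2014-03-10T09:08:12 emp=E1003 account=A5012 ref=none
2014-03-10T09:08:25 emp=E1003 account=A5013 ref=none
2014-03-10T09:08:40 emp=E1003 account=A5014 ref=case:7800
"""

# Hypothetical mapping from employee ID to that employee's own taxpayer
# account; in a real deployment an HR feed would supply this.
STAFF_OWN_ACCOUNTS = {"E1001": "A9001", "E1002": "A9002", "E1003": "A9003"}

# Assumed log format: "<timestamp> emp=<id> account=<id> ref=<work item|none>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) emp=(?P<emp>\S+) account=(?P<account>\S+) ref=(?P<ref>\S+)$"
)


def parse_log(text):
    """Parse log text into a list of event dicts; reject malformed lines loudly
    rather than silently skipping them, since a dropped line is a blind spot."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        events.append(m.groupdict())
    return events


def audit(events, own_accounts, max_distinct=3, max_unreferenced=2):
    """Return {employee_id: [finding, ...]} for employees whose access pattern
    needs a human review. Thresholds are illustrative; real ones should be
    derived from each team's normal case load."""
    accounts_seen = defaultdict(set)   # employee -> distinct accounts viewed
    unreferenced = defaultdict(int)    # employee -> lookups with ref=none
    findings = defaultdict(list)

    for ev in events:
        emp, acct = ev["emp"], ev["account"]
        accounts_seen[emp].add(acct)
        if ev["ref"] == "none":
            unreferenced[emp] += 1
        # Viewing one's own file is a policy breach regardless of volume.
        if own_accounts.get(emp) == acct:
            findings[emp].append(f"viewed own account {acct} at {ev['ts']}")

    for emp, accts in accounts_seen.items():
        if len(accts) > max_distinct:
            findings[emp].append(
                f"viewed {len(accts)} distinct accounts (limit {max_distinct})"
            )
    for emp, n in unreferenced.items():
        if n > max_unreferenced:
            findings[emp].append(
                f"{n} lookups with no work-item reference (limit {max_unreferenced})"
            )
    return dict(findings)


if __name__ == "__main__":
    for emp, items in sorted(audit(parse_log(SAMPLE_LOG), STAFF_OWN_ACCOUNTS).items()):
        for item in items:
            print(f"{emp}: {item}")
```

Run as-is, the script reports E1002 for opening their own account and E1003 for both the volume of distinct accounts and the run of unreferenced lookups, while E1001, whose two lookups are tied to a case file, is not flagged. The point of the self-access and work-item checks is that they catch low-volume snooping that a pure volume threshold would miss; the volume check catches the 90- and 227-account cases that a per-lookup justification field alone would not.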