SAN FRANCISCO – WikiLeaks’ release of secret government communications is a warning to the world’s biggest companies: You may be next.

Computer experts have warned for years about the threat posed by disgruntled insiders and by poorly crafted security policies, which give too much access to confidential data. There is nothing about WikiLeaks’ release of U.S. diplomatic documents to suggest that the group can’t — or won’t — use the same methods to reveal the secrets of powerful corporations.

And as WikiLeaks claims it has incriminating documents from a major U.S. bank, possibly Bank of America, there’s new urgency to addressing information security inside corporations and a reminder of its limits when confronted with a determined insider.

At risk are e-mails, documents, databases and internal websites that companies think are locked to the outside world. Companies create records of every decision they make, whether it’s rolling out new products, pursuing acquisitions, foiling rivals or allowing executives to sell stock.

Although it’s easy technologically to limit who in a company sees specific types of information, many companies leave access settings far too open. And despite intentions, mistakes happen and settings can become inadvertently broad, especially as networks grow more complex with reorganizations and acquisitions.

And even when security technology is doing its job, it’s a poor match if someone with legitimate access decides to go rogue.

All an insider needs to obtain and leak secrets are access and a cheap thumb drive. By contrast, outside attackers often have to hack into personal computers at the bottom of the food chain, then use their skills and guile in hopes of working their way up.

Employees go rogue all the time — for ego, to expose hypocrisy, to exact revenge or simply for greed:

• A former analyst with mortgage lender Countrywide Financial Corp., now owned by Bank of America, is awaiting trial on charges he downloaded data on potentially 2 million customers over two years, charging $500 for each batch of 20,000 profiles. Prosecutors say the analyst worked secretly on Sundays, using an unsecured Countrywide computer that allowed downloads to personal thumb drives. Other home loan companies bought the customer profiles, including Social Security numbers, for new sales leads, according to authorities.

• An employee with Certegy Check Services Inc., a check authorization service, was accused of stealing information on more than 8 million people and selling it to telemarketers for a haul of $580,000. He was sentenced in 2008 to nearly five years in prison.

Despite the repeated warnings, many large companies lack clear policies on who should have access to certain data, said Christopher Glyer, a manager with the Mandiant Corp., a Virginia security firm that investigates computer intrusions.

WikiLeaks argues that revealing details of companies and governments behaving badly, no matter how the information is obtained, is good for democracy.

To protect themselves, companies have many options.

Alfred Huger, vice president of engineering for security firm Immunet Corp. in Palo Alto, said companies could simply configure their e-mail servers to restrict who certain people can send documents to.

Other measures include prohibiting certain people from copying and pasting from documents, blocking downloads to thumb drives and CD-ROMs, and deploying technologies that detect whether executives’ e-mails are being checked too often — a sign that an automated program is copying the contents.

But the more companies control information, the more difficult it is for employees to access documents they are authorized to view. That lowers productivity and increases costs.

“You run the risk of creating an environment that’s so rigid that people can’t do their jobs,” Huger said. “You have to find that balance. Unfortunately, there’s no panacea.”

Companies with poor safeguards may be the next to see sensitive documents shared with the world.
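The mailbox-monitoring measure mentioned above (flagging executives' e-mail that is being checked too often) can be sketched as a sliding-window count per mailbox and reader. This is an added example, not from the article or any vendor it names; the log layout, account names, window and threshold are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2010, 12, 1, 9, 0, 0)  # constructed start time for the sample


def build_sample():
    """Constructed access records: (timestamp, mailbox, reading account)."""
    mailbox = "ceo@example.com"
    events = []
    # Owner opens the mailbox once an hour across a working day.
    events += [(BASE + timedelta(hours=h), mailbox, "ceo") for h in range(8)]
    # Delegate (assistant) checks every five minutes for an hour.
    events += [(BASE + timedelta(minutes=5 * i), mailbox, "assistant")
               for i in range(12)]
    # One account reads every 10 seconds for 10 minutes: script-like pace.
    events += [(BASE + timedelta(hours=2, seconds=10 * i), mailbox, "jdoe")
               for i in range(60)]
    return events


def flag_rapid_readers(events, window=timedelta(minutes=10), threshold=30):
    """Return {(mailbox, reader): peak reads seen inside any one window}
    for every pair whose read count reaches the threshold."""
    recent = defaultdict(deque)   # per-pair timestamps still inside the window
    peaks = {}
    for ts, mailbox, reader in sorted(events):
        key = (mailbox, reader)
        q = recent[key]
        q.append(ts)
        # Drop reads that have aged out of the window ending at ts.
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks


if __name__ == "__main__":
    for (mailbox, reader), peak in flag_rapid_readers(build_sample()).items():
        print(f"{reader} read {mailbox} {peak} times within 10 minutes")
```

A fixed threshold is the simplest form of the check; in practice the limit would be tuned per role, since a delegate's normal pace differs from the mailbox owner's.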
