“I’ll Just Copy & Paste That into Excel so I can Work on it at Home…”

A year after a laptop holding the personally identifiable information (PII) and personal health information (PHI) of 620,000 people was stolen from Medicentres Family Care Clinics, Danielle Smith of the Wildrose Party in Alberta, Canada asks: “Why did all of this information exist in a single file on a computer in the first place?” I’m sure it was the same old reasons. Most of the time it’s a worker who is high on work ethic but low on security awareness, trying to do what they see as a good thing. So they take data out of what was likely a well-protected, structured application and use the weapon of mass destruction built into every PC and personal device (it’s called copy and paste) to create a spreadsheet or document. They don’t mean to create a huge risk. Of course, if you regularly scanned every machine and file share where people with access to sensitive data could possibly store it, you could find that spreadsheet. However, that requires the ability to scan, knowledge of where sensitive data lives, and knowledge of who has access to what. This level of access control is a puzzle most organizations haven’t even taken out of the box yet. They haven’t even realized they are missing pieces.

Better security awareness could go a long way here. If every person who is supposed to have access to sensitive data were required to sit through a 30-minute one-on-one meeting with a security professional who explained the ways they could get in trouble, many of these headlines would disappear. Not all would, though. So along with awareness you need a program that both prevents these situations from occurring and provides detective controls to see when things slip through the cracks. After all, perfect prevention requires flawless prediction, and flawless is a standard no one can expect to meet. Everyone knows the old expression: “trust but verify”. You do want to train your staff and trust that they will understand and apply the training well. You also want detective controls in place so that when they make mistakes, the first thing that catches them is your system and not a bad guy.
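As an added illustration of the detective control described above (this is example code, not a STEALTHbits product or anything from the original post), the script below walks a file share, counts PII-like patterns in text exports such as CSVs, and reports the files whose hit count crosses a threshold. The patterns, the threshold, and the sample files it builds in a temporary directory are all assumptions for the demo; a real deployment would use vetted rules and a spreadsheet parser for .xlsx files.

```python
import re
import tempfile
from pathlib import Path

# Illustrative patterns only (assumed, not an exhaustive DLP rule set);
# the nine-digit rule stands in for a health-number-style identifier.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "nine_digit_id": re.compile(r"\b\d{9}\b"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
}
# Text-based exports only; real .xlsx files need a spreadsheet parser.
SCAN_SUFFIXES = {".csv", ".txt"}


def scan_file(path: Path) -> dict:
    """Count matches of each pattern in one file (undecodable bytes ignored)."""
    text = path.read_text(errors="ignore")
    return {name: len(rx.findall(text)) for name, rx in PATTERNS.items()}


def scan_share(root: Path, threshold: int = 5) -> dict:
    """Return {relative_path: counts} for files whose total hits reach the
    threshold, so a lone e-mail address in a memo is not reported."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            counts = scan_file(path)
            if sum(counts.values()) >= threshold:
                findings[str(path.relative_to(root))] = counts
    return findings


def build_sample_share() -> Path:
    """Create a constructed, throw-away 'file share' with sample data."""
    root = Path(tempfile.mkdtemp())
    rows = ["id,email,phone"] + [
        f"10000000{i},pat{i}@example.com,403-555-010{i}" for i in range(1, 7)
    ]
    (root / "patients_export.csv").write_text("\n".join(rows) + "\n")
    (root / "contacts.csv").write_text("name,email\nAlice,alice@example.com\nBob,bob@example.com\n")
    (root / "lunch_menu.txt").write_text("Tuesday: soup and sandwich, 12:00 in room 4\n")
    return root


if __name__ == "__main__":
    for rel, counts in scan_share(build_sample_share()).items():
        print(f"{rel}: {counts}")
```

Only the pasted patient export is reported; the two-address contact list stays below the threshold, which is the kind of tuning a real scan needs to avoid burying the one file that matters.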

