- +(91) 9225246815
- ajay@shashwatpune.com
- Mon - Fri: 9:00 - 18:30
Employee Breach of Confidentiality
Issue
An organization named ABC*, which dealt in architecture landscaping design tasks for their customers, faced employee breach of confidentiality issue. This incident came to light when it suddenly started losing its customer’s service orders.
This organization had many overseas customer landscaping designing orders. Fundamentally, it had just workforce of forty employees. Its information systems assets consisted of fifty devices, of which forty were computers, five normal switches, four servers and one ISP router.
One day this organization suddenly started losing nearly approached final orders from their long years of trusted customers. The organization’s director thus called for investigating the matter immediately after getting this information. Upon investigation, he soon learnt that his competitor has offered at the last minute a similar plan at lower consultation cost than the organization.
The director suspicion rose about organization’s confidential data theft from his organization’s information systems, when he received the proposal drawings from his client which supposedly looked similar to his organization’s drawings. The director’s suspicion was based on knowing the status of all employees in the organization along with one employee resignation from the organization, a few weeks ago. It was difficult for him to ascertain who was responsible for organization’s confidential data theft, as all the organization’s employees had free access to the internet and personal emails. Thus, the director decided to conduct further investigation of this matter and contacted Shashwat Solutions for further consultation.
This ABC* organization had not created proper policies aligned with ISO27001 information security management policies and had no proper documentation for information security risk treatment. The company did not make their employees sign organization’s business non-disclosure agreement (NDA) being a small enterprise, putting the organization’s business at their risk.
Hence, post investigation, Shashwat Solutions consulted the organization in implementing the security measures for the organization such as implementing the ISO27001 compliance. We created security policies for the organization as per ISO27001, organization’s security risk assessment documentation and implemented various security measures which are required as a part of ISO27001 compliance which was absent within the organization’s information systems.
Thus, the issue clearly highlights how easily a disgruntled employee can steal organization’s confidential information when the organization doesn’t have proper information systems security in place. Furthermore, this issue shows the ways in which a disgruntled employee can use this organization’s confidential information, which can mainly lead to loss of business customers to its competitors.
Investigation
Upon the organization’s director investigation request, Shashwat Solutions undertook this investigation case.
Shashwat Solutions primarily interviewed the director, who expressed suspicion on specific five employees. We decided to first investigate the computers of five suspicious employees specified by the organization’s director.
While investigating, we initially found out that the employees had free access to the internet and no websites were blocked. Later, when we checked the network diagram of the organization, we discovered that the organization did not have any firewall security installed between the internet an internal organization’s network. This was the first red flag which made the entire organization’s information system assets vulnerable to attackers very easily.
Also, while investigating, we identified that the organization’s employee system’s USB has not been blocked and shared folder data of respective department was easily accessible to almost everyone in the organization. We identified this second red flag, where it was easy for a disgruntled employee to steal organization’s confidential information and misuse it. Thus, the organization’s data security breach was very easy. This organization’s security weakness advantage was taken by one the organization’s resigned employee, which we later found while performing forensics on suspicious organization’s employee system.
While conducting forensics on suspicious organization’s employee system, we identified that the resigned employee had forwarded the organization’s confidential proposal information to his personal email by logging on to his personal email address. We verified the same using forensic tools logs and report. On examining the drawing files forwarded from the resigned employee’s system with the low-cost proposal drawing received by the organization’s director from his client, it was an exact match.
Additionally, during investigation, third red flag was identified that USB port was open on all organization’s employee system and numerous unwanted logical ports were open in the organization’s network. Besides that, it was found that neither this organization had framed their information security policies nor it mandated its employees to sign non-disclosure agreement with disciplinary action on breach of confidentiality.
Thus, during the investigation phase, three critical severe red flags were identified and reported, which proved the organization lacked basic information systems security and ISMS compliance for managing organization’s sensitive data. Moreover, this case proved the damaging consequences of providing unrestricted access of organization’s confidential information to its employees.
Analysis
Post revival of the organization’s business needs and expectations of the organization’s director, Shashwat Solutions explained him the resources required to secure his organization’s information systems. Also, we guided him to procure information security resources such as firewalls and servers. We recommended him to include return of organization’s assets clause in the employee’s NDA agreement and promote ISMS continual improvement into the organization’s process to maintain strong organization’s information security. Then, we consulted this organization in creating their information security policy, forming action plans to address risk and opportunities, planning and improvement tasks.
As a part of corrective action, initially we reconfigured the organization’s network by adding two servers, a firewall and blocked unwanted ports in it. One of the server was configured as FTP and other as DMZ. Then, we configured organization’s end user policy, blocked specific websites and set log monitoring function to record the ongoing activity in the firewall. Also, we blocked system USB ports of all employees and configured their systems to save files directly on FTP server and maintain clear desktop policy. Additionally, to prevent unauthorised access, we configured username and password with force password change time-limit for each employee under FTP server storage policy. Further, we created an offline backup secure server and set it to backup organization’s data on weekly basis. In addition, we suggested this organization’s director to get system/network security and firewall configuration awareness training from our consultancy.
This implementation will thus help safeguarding and preventing theft of confidential organization’s information and become ISO27001 compliant. Also, it will help the organization to produce supportive evidences during ISO27001 Audit, Management Review on ISMS, identify improvements and act while taking corrective action guide in case of security incidence.
Client Testimonials
Know what our customers have to say about us.
With great appreciation I thank to Shashwat Solution for their enormous efforts in co-operative sector. They have very good skill in maintain good relations through their work with each and every client. May God flourish them more and wish for their ‘Shashwat Existence’ in banking and Industry.
For a long time we have been working with Shashwat Solutions. We had a great experience while working with Mr. Ajay Nikumb. He is very knowledgeable, and his readiness to help us during discussions about the system audit and Networking security has always benefited us while doing business and providing uninterrupted service to our customers in a secured service network.
We appreciate his commendable knowledge in System audit, IS Network and security.
On behalf of Management & all the employees of Pune People's Co-Op Bank Ltd., Pune, I request you to accept the appreciation for the excellent job performed consistently by you and your staff during past several months. In conducting System Audit, VAPT, and Data Migration Audit etc., though it was an enormous task you managed to perform it smoothly and efficiently! During the all assignments, I personally appreciate the professional approach, practical training on cyber security, time management, personal involvement, guidance about Do & Don'ts. I feel that Mr.Ajay Nikumbh & team had proved to be best friend, philosopher & guide for the bank. Thanks to your leadership and dedication. Due to your staff's teamwork and energy, we are enjoying smoothness in systems & procedures. You and your employees really deserves a big appreciation. I personally would like to thank you and your staff which is little difficult in present situation but I will request you to convey my gratitude and regards to all the employees of Shashwat Solutions.
We have had the pleasure of working with Shashwat Solutions Pune and even more amazing person Mr Ajay Nikumb. He is everything, His thoughtful and understanding nature that sets him above the rest. His ability to listen and understand our needs coupled with his incredible intuition has made all of our transaction seamless. I am working with Walchandnagar Industries Limited. since 2008, Designed / implement the following solutions with M/S Shashwat Solutions 1) Networking 2) MS Exchange 3) Firewalls 4) WAN Security 5) End Point Security 6) Backup solutions
जान है तो जहान है ' या उक्तीप्रमाणे बँकिंग क्षेत्रातील सायबर सुरक्षेचे पालन करून बँकिंग उद्योगासमोर येणाऱ्या नित्य धोक्यांना यशस्वीपणे सामोरे जायचे असेल तर नावाप्रमाणे शाश्वत असे सोलुशन देणाऱ्या श्री अजय निकुंभ सर यांचे आभार शाष्वत सोल्युशन पुणे म्हणजे,सहकारी बॅंका व पतसंस्था यासाठी माहिती सुरक्षेचे चालते बोलते विद्यापीठ आहे.
We have been working with Shaswat Solutions since long time and its pleasure to work with them. Mr. Ajay Nikumb from Shaswat Solutions is amazing and knowledgeable person. He is everything, His attentive and understanding nature that sets him above the rest. His ability to listen and understand our needs coupled with his incredible intuition has given us solution in each and every area of I S Network, Audit and Security.
It is my pleasure to share my thoughts on M/S Shashawat Solution & their partner Mr.Ajay Nikumb ever smiling personality We have had the pleasure of discussing our requirement with Shashwat Solutions Pune Mr.Nikumb carrying and understanding nature that sets him above the rest. His ability to listen and understand our needs coupled with his incredible intuition has made all of our transaction seamless. I wish all the best to Shashwat & Mr.Ajay in particular.& getting many more laurels.
Since 2012 we are working with Shashwat solutions pune. Whenever it comes to excellent services we can completely trust and depend on Mr. Ajay Nikumb and his team.If there is any problem regarding firewall, they will clear it off without disturbing our banks daily work routine Mr. Ajay Nikumb is truly a reliable gentleman . He has a very good listening skill, He first listens an then is ready with a solution over it. I am the Assistant general Manager (Data Centre In Charge) of Jalgaon Janata Sahkari Bank Ltd Jalgaon I am truly satisfied with the services provided by shashwat solutions at present they are providing us with firewall services
We have been working with Shashwat Solutions for almost past 15 years. We have been always impressed with their friendly but professional approach. Mr. Ajay Nikumb has always helped us in satisfying our requirements, with a Smile. We wish them a great success ahead.
Previous
Next
Our Clients
Previous
Next
