Employee Breach of Confidentiality
An organization named ABC*, which provided architectural landscaping design services to its customers, faced an employee breach of confidentiality. The incident came to light when it suddenly started losing its customers' service orders.
The organization handled many landscaping design orders from overseas customers, with a workforce of just forty employees. Its information systems assets consisted of fifty devices: forty computers, five ordinary switches, four servers and one ISP router.
One day the organization suddenly started losing orders that were close to being finalised, from customers it had trusted for many years. The director called for the matter to be investigated as soon as he learnt of it. The investigation soon revealed that a competitor had offered, at the last minute, a similar plan at a lower consultation cost than the organization's.
The director's suspicion that confidential data had been stolen from the organization's information systems grew when a client sent him the competitor's proposal drawings, which looked strikingly similar to his organization's own. His suspicion was based on his knowledge of every employee's standing in the organization, together with the fact that one employee had resigned a few weeks earlier. It was difficult for him to determine who was responsible for the theft, because all employees had unrestricted access to the internet and to personal email. The director therefore decided to investigate the matter further and contacted Shashwat Solutions for consultation.
ABC* had not created proper policies aligned with ISO27001 information security management, and had no proper documentation of information security risk treatment. Being a small enterprise, the company had not made its employees sign a business non-disclosure agreement (NDA), putting its business at risk.
After the investigation, Shashwat Solutions consulted with the organization on implementing security measures, including ISO27001 compliance. We created security policies for the organization in line with ISO27001, documented its security risk assessment, and implemented the various security measures required for ISO27001 compliance that had been absent from its information systems.
The case clearly highlights how easily a disgruntled employee can steal an organization's confidential information when proper information systems security is not in place. It also shows how such an employee can use that information, chiefly to cause the loss of business customers to competitors.
At the request of the organization's director, Shashwat Solutions undertook the investigation.
Shashwat Solutions first interviewed the director, who expressed suspicion of five specific employees. We decided to investigate the computers of those five employees first.
While investigating, we initially found that employees had unrestricted access to the internet and that no websites were blocked. When we then checked the organization's network diagram, we discovered that there was no firewall between the internet and the internal network. This was the first red flag: it left all of the organization's information system assets easily exposed to attackers.
We also identified that USB ports on employee systems had not been blocked and that each department's shared folder was accessible to almost everyone in the organization. This was the second red flag: it made it easy for a disgruntled employee to steal and misuse confidential information, so a data security breach was trivial to carry out. As we later found while performing forensics on a suspected employee's system, one of the organization's resigned employees had taken advantage of exactly this weakness.
During forensics on the suspected employee's system, we identified that the resigned employee had forwarded the organization's confidential proposal information to his personal email account by logging in to it from that system. We verified this using the forensic tools' logs and report. Comparing the drawing files forwarded from the resigned employee's system with the low-cost proposal drawings the director had received from his client showed an exact match.
Additionally, a third red flag was identified during the investigation: USB ports were open on every employee system, and numerous unwanted logical ports were open on the organization's network. Beyond that, the organization had neither framed information security policies nor required its employees to sign a non-disclosure agreement providing for disciplinary action on breach of confidentiality.
In all, three critical red flags were identified and reported during the investigation phase, demonstrating that the organization lacked basic information systems security and ISMS compliance for managing its sensitive data. The case also demonstrates the damaging consequences of giving employees unrestricted access to an organization's confidential information.
After reviewing the organization's business needs and the director's expectations, Shashwat Solutions explained to him the resources required to secure the organization's information systems and guided him in procuring them, such as firewalls and servers. We recommended including a return-of-assets clause in the employee NDA and building ISMS continual improvement into the organization's processes to maintain strong information security. We then consulted with the organization on creating its information security policy, forming action plans to address risks and opportunities, and planning improvement tasks.
As corrective action, we first reconfigured the organization's network by adding two servers and a firewall, and blocked unwanted ports on the firewall. One server was configured as an FTP server and the other as the DMZ server. We then configured the organization's end user policy, blocked specific websites and enabled log monitoring on the firewall to record ongoing activity. We also blocked the USB ports on all employee systems, configured those systems to save files directly to the FTP server, and enforced a clear desktop policy. To prevent unauthorised access, we configured a username and password for each employee under the FTP server storage policy, with a time limit that forces password changes. We further set up a secure offline backup server and scheduled it to back up the organization's data weekly. In addition, we suggested that the director obtain system/network security and firewall configuration awareness training from our consultancy.
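Firewall log monitoring only helps if the logs are actually checked for the pattern this case involved: large uploads to personal webmail and traffic on ports that should be blocked. The following is an added example, not code from the original case or from Shashwat Solutions; the log line format, the domain names, the port allowlist and the upload threshold are all assumed, and the sample log is constructed.

```python
import re
from collections import defaultdict

# Constructed sample of firewall/proxy log lines (not from the original case).
# Assumed format: "<date> <time> src=<ip> dst=<host> dport=<port> bytes_out=<n>"
SAMPLE_LOG = """\
2024-03-01 09:12:03 src=10.0.1.21 dst=cad-vendor.example dport=443 bytes_out=5120
2024-03-01 09:40:17 src=10.0.1.33 dst=mail.personal-webmail.example dport=443 bytes_out=18874368
2024-03-01 10:02:45 src=10.0.1.33 dst=mail.personal-webmail.example dport=443 bytes_out=22020096
2024-03-01 10:15:09 src=10.0.1.12 dst=10.0.1.5 dport=21 bytes_out=2048000
2024-03-01 11:30:00 src=10.0.1.40 dst=198.51.100.7 dport=2222 bytes_out=3072
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) bytes_out=(\d+)")

# Policy inputs (assumed): personal webmail domains the organisation blocks,
# the only outbound ports it permits, and a per-host daily upload threshold.
WEBMAIL_DOMAINS = {"mail.personal-webmail.example"}
ALLOWED_PORTS = {21, 80, 443}
UPLOAD_THRESHOLD = 10 * 1024 * 1024  # 10 MiB

def parse_log(text):
    """Yield (src, dst, port, bytes_out) for every line matching the format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), int(m.group(4))

def find_exfil_indicators(text):
    """Return hosts whose uploads to webmail exceed the threshold, and every
    connection made on a port outside the allowlist."""
    webmail_bytes = defaultdict(int)
    bad_ports = []
    for src, dst, port, out in parse_log(text):
        if dst in WEBMAIL_DOMAINS:
            webmail_bytes[src] += out
        if port not in ALLOWED_PORTS:
            bad_ports.append((src, dst, port))
    return {
        "webmail_upload": {h: b for h, b in webmail_bytes.items() if b > UPLOAD_THRESHOLD},
        "disallowed_port": bad_ports,
    }

if __name__ == "__main__":
    for kind, hits in find_exfil_indicators(SAMPLE_LOG).items():
        print(kind, hits)
```

On the constructed sample, host 10.0.1.33 is flagged for roughly 39 MiB sent to webmail, and the single connection on port 2222 is reported as a disallowed port.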
This implementation will help safeguard the organization's confidential information against theft and make the organization ISO27001 compliant. It will also help the organization produce supporting evidence during ISO27001 audits and ISMS management reviews, identify improvements, and act on corrective-action guidance in the event of a security incident.