Don’t blame the employees for peeping: Organizations are at fault for poor access governance

10 Feb

SC Magazine, By Brian Cleary, February 9, 2009
The natural curiosity of employees to view the private records of political figures and celebrities is leading to people losing their jobs or being criminally convicted. Most of these workplace incidents are not tied to identity theft or other bad intentions; they are simply employees taking advantage of access policy gaps at the companies they work for, without realizing that they are breaking privacy laws and exposing their organizations to risk. A recent example of this trend came to light on Nov. 22, 2008, when it was revealed that Verizon had fired several employees who had looked at the cell phone records of newly elected president Barack Obama.

Politicians and celebrities use cell phones, apply for passports and seek health care at major hospitals just like everyone else. Employees at these organizations need to realize that unless there is a job-related reason for them to access these records, even sneaking a peek at them is a very bad idea. However, the real problem here is not the natural curiosity of employees, but rather the poor controls for how user access is governed at these organizations.

Obama has been a prime target of these types of attacks, with three different unauthorized data breaches on his private records in the last year alone. This type of incident is fast becoming a trend that companies storing sensitive personal records of politicians and celebrities have to deal with every day. Organizations are reporting with increasing frequency that their employees, out of personal curiosity or other potentially more devious motivations, are "peeping" at the account records of public figures, and suspensions and firings are being announced on an almost weekly basis.

While organizations are quick to point out that they have specific policies related to accessing sensitive information, too often these policies are confined to a three-ring binder on a bookshelf in the IT security or compliance office.
It is wishful thinking to believe that employees will internalize these policies through training and make them part of their daily operating practice and procedure. To be effective and consistently applied, policies need to be instantiated as a set of automated controls.
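To make the last point concrete, here is an added example (not code from the article or from any vendor it discusses) of what "instantiating a policy as an automated control" can look like: a record lookup is allowed only when an open case ties the requesting user to that specific record, every decision is written to an audit trail, and a detector runs over that trail to flag lookups of records tagged as sensitive that carried no justifying case. The `Case` and `AccessGovernor` names, the record identifiers and the audit line format are all assumptions constructed for this illustration.

```python
# Added example (not from the article): a minimal "policy as code" gate for
# customer-record lookups plus a detector that runs over the audit trail it writes.
# All names, record ids and log lines below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Case:
    case_id: str
    record_id: str      # the one record this case justifies access to
    assignee: str       # the only user allowed to act on it
    is_open: bool = True


class AccessGovernor:
    """Allow a record lookup only when an open case ties this user to this record.

    Every decision, allowed or denied, is appended to an audit log so that the
    control and the evidence trail come from the same place (constructed design).
    """

    def __init__(self, cases, sensitive_records):
        self.cases = {c.case_id: c for c in cases}
        self.sensitive = set(sensitive_records)   # e.g. records of public figures
        self.audit_log = []                       # one line per decision

    def authorize(self, user, record_id, case_id=None) -> bool:
        case = self.cases.get(case_id)
        allowed = (case is not None and case.is_open
                   and case.record_id == record_id and case.assignee == user)
        cls = "sensitive" if record_id in self.sensitive else "normal"
        self.audit_log.append(
            f"user={user} record={record_id} case={case_id or '-'} "
            f"class={cls} decision={'allow' if allowed else 'deny'}")
        return allowed


def parse_audit_line(line: str) -> dict:
    """Turn 'k=v k=v ...' into a dict (the constructed audit format above)."""
    return dict(tok.split("=", 1) for tok in line.split())


def find_peeping(audit_lines):
    """Detection: any attempt on a sensitive record with no case attached,
    regardless of whether the gate let it through. Returns (user, record) pairs."""
    hits = []
    for line in audit_lines:
        ev = parse_audit_line(line)
        if ev["class"] == "sensitive" and ev["case"] == "-":
            hits.append((ev["user"], ev["record"]))
    return hits


def demo():
    """Run four constructed lookups through the gate and the detector."""
    cases = [Case("C-100", "ACC-7001", "alice"),
             Case("C-101", "ACC-9999", "bob", is_open=False)]
    gov = AccessGovernor(cases, sensitive_records={"ACC-9999"})
    results = [
        gov.authorize("alice", "ACC-7001", "C-100"),  # open case, right user and record: allow
        gov.authorize("bob", "ACC-9999", "C-101"),    # case already closed: deny
        gov.authorize("carol", "ACC-9999"),           # curiosity lookup, no case: deny and flag
        gov.authorize("alice", "ACC-9999", "C-100"),  # case is for a different record: deny
    ]
    return results, find_peeping(gov.audit_log)


if __name__ == "__main__":
    decisions, flagged = demo()
    print("decisions:", decisions)
    print("flagged as peeping:", flagged)
```

The point of pairing the gate with the detector is that a denial alone is not the end of the story: the attempt on a sensitive record with no business justification is itself the signal that security and HR need, which is exactly the evidence a binder on a shelf can never produce.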