When HR doesn't want to manage human resources

I've been working behind the scenes with a startup as it builds itself from a small company into something much larger. They recently brought on a new person to manage Human Resources. This is the person responsible for keeping track of everyone's information, making sure it's safe and ensuring that everyone adheres to proper procedures. I logged into a database that this person built. But what did they have in that database? Photographs of people's government-issued IDs. These documents included their addresses, phone numbers, everything – just sitting in a regular database with no password protection or encryption. I thought that was pretty bad, but I was not hired to manage that sort of stuff. Then came the day for me to include my government-issued ID in the same database. The conversation went something like this:

HR: Thanks. I will also be needing a copy of your ID (front and back) for BHR.
Me: You're not giving up on that ID, are ya? I am uncomfortable giving out information that personal and having it displayed freely on APP1, APP2, or hosted on servers whose security protocols I am unsure of.
HR: Yup. I need the ID of all employees/contractors for APP2.
Me: And I need to protect myself from identity theft. What can we do?
HR: This is hard.
Me: It is. I am honestly shocked to see people's passports freely displayed on APP1.
HR: Maybe you shouldn't be in that APP1 lol. We need the ID because of the non-disclosure agreement and, of course, for us to know they are who they say they are.
Me: I don't think anyone should be on it. With all of the employee data leaks going on, it's time to take a hard look at where this data is, who has access and if it even needs to be there.
HR: You have a point.
Me: Studying data access and infosec weaknesses is one of my jobs here....
HR: A separate board might work. Not everyone has access to that info unless they are added....
Me: Hackers don't worry about being added. The key to data protection is not creating the data in the first place or limiting how many places it is displayed. These are questions that must be answered, especially by the person (you) who is in charge of handling it securely. I don't want to sound harsh; I want to help protect everyone. It's why I worked in high-end security for years and years.
HR: Got you. I don't think there's a better way to protect any data aside from not creating the data as you have mentioned. On my end, I also need the ID as a company requirement for the employees/contractors. So, what do you suggest?
Me: Look at your data flow:
- The image is taken by the employee, likely using a phone, so the ID ends up in their cloud.
- It's shared on APP3 or through email, so it ends up on the APP3 or email server.
- It is put on APP1 and displayed for those with who knows what access. (Like me)
- It is in the APP1 servers.
- It's on the APP2 servers for another infosec leak problem.
- Did APP4 take a screenshot while my image was up? Another server with my ID...
I think about this stuff; it is why I worry about identity theft. People that don't think about this stuff become victims. I think all storage on APP1 servers needs to be cut. If you need it for APP2, leave it there. It's in enough places as it is, as you can see above. It was easier in the old days. An HR person photocopied your ID and stuck it in a locked drawer. Very minimal infosec risk. Now?
HR: Thank you for your time. Let's talk more next time if you're available.
Me: Again, I don't mean to give you a hard time. But seeing those passports up on APP1 alerted me to the fact that data handling and employee records may need a look, especially with information so ripe for identity theft. I appreciate you taking this seriously and discussing it with me.
HR: I understand where you're coming from and I appreciate you sharing this info with me.

And then this person proceeded to completely ignore my advice. He will keep on doing this… until it breaks.
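The conversation above turns on one idea: the safest copy of an ID is the one that was never created, and the next best is the one that is stored once, minimized, and under someone's name. The following Python is an added example, not code from the article or from the startup it describes, showing what an HR record can look like when it keeps proof that a document was checked instead of the document itself. The pepper value, the field names and the sample passport number are all constructed for the example; in a real deployment the pepper would live in a secrets manager, away from the HR database.

```python
import hashlib
import hmac
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional

# Constructed example secret. In a real deployment this "pepper" lives in a
# secrets manager or HSM, never in the same database as the records, so a dump
# of the HR table alone cannot be used to brute-force document numbers.
PEPPER = b"example-pepper-keep-outside-the-database"

# Fields the HR database in the story held as plain rows. None of them belong
# in a record whose only job is to prove "this person was verified".
SENSITIVE_FIELDS = {"doc_number", "doc_image", "address", "phone", "date_of_birth"}


def document_fingerprint(doc_type: str, doc_number: str, pepper: bytes = PEPPER) -> str:
    """Keyed hash of the ID number.

    Lets HR detect the same document being reused across accounts, or match a
    later re-verification, without ever storing the number itself. Input is
    normalized so whitespace and letter case do not produce different hashes.
    """
    normalized = f"{doc_type.lower()}:{doc_number.strip().upper()}".encode()
    return hmac.new(pepper, normalized, hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class IdentityAttestation:
    """What the database keeps after a verifier has seen the physical or scanned ID."""
    employee_id: str
    doc_type: str      # e.g. "passport", "drivers_license"
    fingerprint: str   # keyed hash, see document_fingerprint()
    doc_expires: str   # ISO date, so re-verification can be scheduled
    verified_by: str   # which HR user did the check (accountability)
    verified_at: str   # ISO timestamp of the check


def attest(employee_id: str, doc_type: str, doc_number: str, doc_expires: str,
           verifier: str, now: Optional[datetime] = None) -> dict:
    """Turn a one-time inspection of an ID into a minimized record.

    The document number is consumed here and only its fingerprint survives;
    the caller should discard any image or number it holds once this returns.
    """
    ts = (now or datetime.now(timezone.utc)).isoformat()
    record = IdentityAttestation(
        employee_id=employee_id,
        doc_type=doc_type,
        fingerprint=document_fingerprint(doc_type, doc_number),
        doc_expires=doc_expires,
        verified_by=verifier,
        verified_at=ts,
    )
    return asdict(record)


def is_minimized(record: dict) -> bool:
    """True when a stored row carries none of the identity-theft-grade fields."""
    return not (SENSITIVE_FIELDS & set(record))


def matches(record: dict, doc_type: str, doc_number: str) -> bool:
    """Re-check a presented document against an attestation, in constant time."""
    return hmac.compare_digest(record["fingerprint"],
                               document_fingerprint(doc_type, doc_number))


if __name__ == "__main__":
    # Constructed sample inputs: a fake passport number and the kind of row the
    # HR database in the story actually contained.
    hr_row = {"employee_id": "e-1042", "doc_image": "scans/1042_front.jpg",
              "doc_number": "X1234567", "address": "1 Example St", "phone": "555-0100"}
    print("original HR row minimized?", is_minimized(hr_row))

    att = attest("e-1042", "passport", " x1234567 ", "2030-01-31", "hr.alice",
                 now=datetime(2024, 5, 1, tzinfo=timezone.utc))
    print("attestation minimized?", is_minimized(att))
    print("re-verify later:", matches(att, "passport", "X1234567"))
```

The attestation answers the two things HR said it needed (the NDA paperwork and knowing people are who they say they are) while removing the address, phone number and ID image from every downstream system in the data flow above. If a company requirement genuinely forces the image to be retained, that copy should exist in exactly one place, encrypted with a key the database does not hold, with the attestation's `verified_by` field giving the person accountable for it.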
Digital marketing is awesome… Now let's forget that it's digital

I was recently in discussions with a prominent marketing magazine. I was proposing a basic article on how people can protect their digital marketing platforms, such as Twitter, Facebook, YouTube, etc. The section editor I was speaking to dealt exclusively with digital marketing. I had contacted this person on purpose. People who read that section deserve to know not only how to improve upon their digital marketing but also how to improve it overall. Wouldn't it be funny if improving it also meant not being hacked? I brought up a number of points in my proposal related directly to brands and prominent business leaders that had experienced a digital marketing hack:
- Forcing employees to use strong passwords
- Using a password manager tool
- Using two-factor authentication on the main accounts
- Routing employees through one main dashboard rather than several to better control their access
- Teaching employees about phishing
- Educating employees on the dangers of using public Wi-Fi without a VPN
One last time… Without feeling

I seem to be a glutton for punishment. The above two instances were not enough to turn me off to speaking to people outside of the digital security realm. This time, I decided to speak with a publisher that dealt with employee training. Having me speak to them about training employees in basic digital security seemed like a good idea. I wanted to bring up things like:
- Basic digital security: Using antivirus software that updates regularly, turning on firewalls, being cautious of links in unknown emails and avoiding unknown USB drives.
- Authentication issues: Locking down devices with passwords, two-factor authentication, restricting who can access devices, and educating employees about proper physical location security.
- Use of encryption: Using VPNs to encrypt your traffic on public Wi-Fi connections, using whole-disk encryption, and making sure that employees choose cloud providers that encrypt stored data.
Speaking to someone in digital security

I recently had the pleasure of speaking to a new friend who is directly involved in the IT administration of a major hospital. I told her the first story from above and she just shook her head and laughed the whole time. She was involved in digital security. She got it. The HR person? Still doesn't get it. He also still isn't going to get my government ID. What have we learned here today? Good question. If you are someone with more patience than I, you can keep pushing and eventually get through to some people. If you're not patient, you can give up, let people know that you've given up on them, and it may bring them around. Until then, no one will care about digital security… until it breaks and they come to us with the audacious claim that WE didn't do enough.
About the Author: Marcus Habert (@MarcusHabert) is the online security writer and analyst for the Best VPN Provider Online Security and Privacy blog. Catch him there every Wednesday for the latest developments in the world of infosec. You can also join the team on Twitter for a constant stream of what’s happening in online security and hacks.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.