Think like an attacker and save the emotion for later.
To be able to do something before it exists,
sense before it becomes active,
and see before it sprouts.
The Book of Balance and Harmony (Chung-ho chi).
A medieval Taoist book
In early December 2017, the Israeli pharmaceutical generics company Teva announced it would lay off about 1,700 of its employees in Israel, who make up about 25% of all the company’s employees in Israel, out of a total workforce of 6,680 employees. Without diving into the emotional implications and political opportunities the big layoff creates — I suggest taking a different look at the problem.
Whether you are a startup or a company with 150,000 employees, manage the risk as part of the process. You can always cry later.
What kind of risk are you creating when you fire a big chunk of your work force?
When a big, global, publicly traded company like Teva decides to fire a large part of its workforce, it does so to reduce costs in anticipation of reduced revenues and to preserve or improve the share price. The CEO doesn't personally fire the employees; it's a financial and risk management move.
When a startup with 15 employees fires 10 people, it’s for survival.
Risk management and IT governance run a distant second and third when it's a question of survival. The IT department is often in the line of fire, since it is a service organization. The IT security staff may be the first to get cut, since companies view information security as a luxury, not as a must to run the business.
There is nothing in the information security policy of any organization I have seen that talks about how to manage risk when 1,700 employees in a business unit are being fired in a short period of time.
When firing large numbers of employees, the unauthorized network transfer of sensitive digital assets belonging to the company should be (but rarely is) a key concern for the CEO. Here are a few examples of trusted insider theft of digital assets and intellectual property during a big RIF; all of these cases actually happened:
- Sending suppliers classified RFP documents
- Exploiting production servers with anonymous file transfer protocol (FTP) turned on in order to send large quantities of confidential product design documents
- Break-ins, bribes and double agents (workers who spy for other groups or companies) taking advantage of the chaos caused by RIFs and strikes
The business need to use advanced technology to detect and prevent data loss falls directly on the CEO and his management team, and in firms with outsourced IT infrastructure (like Teva) the need for data loss prevention becomes more acute, as more and more people with less and less allegiance to the firm are involved.
High risk appetite and waiting until the last minute?
In my experience (and this is supported by prospect theory), highly paid CEOs wildly underestimate, to the point of ignoring them completely, high-impact, low-frequency events such as trusted insiders and outsourced IT staffers stealing IP during a big RIF.
In normal times, a key part of formulating and establishing information security policies for your organization is in deciding how much risk is acceptable and how to minimize unacceptable risk.
This process initially involves undertaking a formal risk assessment, which is a critical part of any ISMS. However, it's a mistake to assume that risk assessment is a static process when the business is a dynamic process.
Risk assessment must be dynamic and continuous, moving at the front line of the business, not as an afterthought or not at all.
When a company fires on a wide scale, the words dynamic and continuous take on new meaning. We are not in Kansas anymore, where we could ask KPMG to come in and do an organizational risk assessment using their standard questionnaires.
When you’re firing, think like an attacker
If you’re a startup firing a lot of employees, it’s a traumatic experience. Maybe the worst day of your life.
In times of massive layoffs, you need to throw away the standard forms and use a threat-analysis based checklist to reevaluate your digital value at risk on a daily basis. The rationale behind the threat analysis is to counter the tendency of top management to ignore high-impact, low-frequency events:
- Think like an attacker. What would you steal if you had the opportunity?
- Use a systematic approach to estimate the magnitude of risks (risk analysis).
- Compare estimated risks against risk criteria to measure the significance of the risk (risk evaluation).
- Define the scope of the risk assessment process to improve effectiveness (risk assessment).
- Undertake risk assessments periodically to address changes in assets, risk profiles, threats, safeguards, vulnerabilities and risk appetite (risk management).
- Undertake risk measurement in a methodical manner to produce verifiable results (risk measurement).