By Kevin Oklobzija, originally published in The Daily Record on November 6, 2020.

Internal cybersecurity: Company do’s and don’ts

The emails and company alerts come often within the workplace, imploring employees to be vigilant when it comes to cybersecurity.

Phishing expeditions, malware attacks and ransomware threats are priority one for every information technology department.

But what happens if the threat is internal? What happens when an IT employee is actually the intruder?

That is what is alleged to have happened at Trillium Health. The U.S. Attorney’s Office filed charges in late October against Ameer Elashmawy, claiming the former information systems security support coordinator at Trillium had stolen usernames, passwords and information to the personal accounts of at least 14 employees.

The alleged crimes were committed after Elashmawy used his IT credentials to access employee work stations.

“Normally we think of a cyber breach as phishing, malware or ransomware,” said Greg Gribben, chair of the cybersecurity practice group at Woods Oviatt Gilman, who suggests companies create their own set of internal checks and balances. “Employee training, having risk assessments every year and perhaps a periodic audit to see if peoples’ workstations are being accessed. Sample files to see if anyone has accessed them; ‘Why is this IT person always going on theses peoples’ computers?’”

But regardless of security firewalls and employee training, the human element will always play a role.

“An organization is only as strong as its weakest link,” said Anna Mercado Clark, leader of the data security and privacy team at Phillips Lytle. “So what can you do on the front end? Because if there is a breach, how do we ensure that data is preserved?”

One way: Make sure critical data isn’t erased too early. Access logs that indicate who accessed a computer system or particular email certainly shouldn’t be erased every 30 days or even every 90 days. Preserving information such as access logs at least allows you to follow the trail to who may have committed a breach.

Along with regular audits, regular software patches are wise, she said. A shared administrative password is not a good idea, but requiring more than one person to sign off on an access request could be wise.

“And you should not make all data accessible to all employees,” she said. “Even if an employee has access, don’t allow them to download or export that data.”

That was a lesson learned from the Equifax data breach of 2017. If data must be extracted, limit how much can be accessed at one time, she said.

With data breaches comes possible liability. Employers are liable for conduct by employees such as the IT staff when it comes to things “they do within the scope of their business,” Gribben said.

In the case of a rogue IT employee, as long as the employer didn’t knowingly hire someone who was obviously unfit for the position — such as someone with a record of cyber theft — then proving negligent hiring is difficult, Gribben said.

The Trillium case could be a prime example of why company work stations should not be used to access personal accounts such as social media or banking. That perhaps should be part of employee training and the employee handbook.

“Incorporate employee responsibility when it comes to company data,” Clark said. “If an employee is sending personal information over the work network, perhaps they are doing other unhealthy activities that put your data at risk.”

And while it also would seem to be a no-brainer that access to any and all work devices would end the instant someone becomes a former employee, “you would be surprised how often organizations don’t cut off access when someone is terminated or leaves the company,” she said.

A common-sense rule of thumb from Clark: “Just because you’re in IT doesn’t mean you should have access to everything.”