Another friend who worked for a police department performed a records check on a babysitter he and his wife were considering hiring to watch their first baby. His access was later caught by a routine year-end random audit check. The auditor had selected a very small percentage of events to audit, and his illegitimate access was noticed. A 15-year employee who had once won Employee of the Year and was loved by everyone he worked with, my friend was fired. His pension was gone as well. If you met this guy, you would think he was one of the most honest, most ethical people you'd ever known. He made a mistake. He was human and he had the power.
Lesson learned: Privacy has become one of the leading computer security issues today. A few short years ago nearly everyone accepted that admins with access to a particular system might take the occasional look at records they didn't have a legitimate need to access. Those days are over. Today's systems track every access, and every employee should know that accessing a single record they don't have a legitimate need to view is likely to be noticed and acted on.
Colossal security mistake No. 6: Using real data in test systems
When testing or implementing new systems, mounds of trial data must be created or accumulated. One of the simplest ways to do this is to copy a subset of real data to the test system. Millions of application teams have done this for generations. These days, however, using real data in test systems can get you in serious trouble, especially if you forget that the same privacy rules apply.
In today's new privacy world, you should always create bogus test data to be used in your test systems. After all, test systems are rarely as well protected as production systems, and testers do not treat the data in test systems with the same mentality as they do data in production systems. In test systems, passwords are short, often shared, or not used at all. Application access control is often wide open or at least overly permissive. Test systems are rarely secure. It's a fact that hackers love to exploit.
Lessons learned: Either create bogus data for your test systems or harden test systems that contain real data as you would any production system.
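One way to put the "create bogus data" advice into practice is to mask a production extract on the way into test, so the rows keep their shape and their joins but carry no real identifiers. This is an added example, not code from the article; the record layout, field names and the `MASK_KEY` secret are assumptions.

```python
"""Turn a production-shaped record into safe test data.

Constructed example: direct identifiers are replaced with deterministic
fakes derived from a keyed HMAC, so rows that matched in production still
match in test, while no real value ever reaches the test system.
"""
import hashlib
import hmac

# Assumption: the key lives only on the masking host, never in the test environment.
MASK_KEY = b"rotate-me-outside-the-test-environment"

FIRST_NAMES = ["Ada", "Grace", "Linus", "Ken", "Barbara", "Dennis"]
LAST_NAMES = ["Lovelace", "Hopper", "Torvalds", "Thompson", "Liskov", "Ritchie"]


def _digest(field: str, value: str) -> bytes:
    """Keyed hash of (field, value); including the field name stops cross-column correlation."""
    return hmac.new(MASK_KEY, f"{field}\x00{value}".encode(), hashlib.sha256).digest()


def fake_name(real: str) -> str:
    """Plausible-looking name; the same real name always maps to the same fake."""
    d = _digest("name", real)
    return f"{FIRST_NAMES[d[0] % len(FIRST_NAMES)]} {LAST_NAMES[d[1] % len(LAST_NAMES)]}"


def fake_email(real: str) -> str:
    """Synthetic address on the reserved .test TLD, so nothing can be delivered."""
    return f"user{_digest('email', real).hex()[:10]}@example.test"


def mask_digits(real: str, field: str) -> str:
    """Keep length and punctuation (so format validators still pass), replace every digit."""
    digits = iter(_digest(field, real) * 4)  # plenty of key-derived bytes to draw from
    return "".join(str(next(digits) % 10) if c.isdigit() else c for c in real)


def to_test_record(prod: dict) -> dict:
    """Copy one production row into a test row with every identifier replaced."""
    return {
        "customer_id": _digest("customer_id", prod["customer_id"]).hex()[:12],
        "name": fake_name(prod["name"]),
        "email": fake_email(prod["email"]),
        "ssn": mask_digits(prod["ssn"], "ssn"),
        "balance": prod["balance"],  # non-identifying attribute, kept for realistic testing
    }
```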
Colossal security mistake No. 7: Using a corporate password on the Web at large
Hacking groups have been incredibly successful using people's website passwords to access their corporate data. Routinely, the victim is phished with an email that purportedly links to a popular website (Facebook, Twitter, Instagram, and so on), or the website itself has had its password database stolen. Either way, the bad guy has passwords that he bets people use elsewhere, including with company assets. Time to poke around and see what kind of access that earns.