Whether you think of Edward Snowden as a hero or a traitor, one thing’s clear: it’s critical to protect your own organization’s data, so it’s worth learning what the NSA did wrong that allowed Snowden to gather and disseminate top secret information. According to various reports (e.g., www.nytimes.com/2014/02/09/us/snowden-used-low-cost-tool-to-best-nsa.html?_r=0), Snowden used web crawler software to scrape the classified documents he wanted. Amazingly, he was caught with this software and was confronted a few times about his activities, yet no effective action was taken. As a contractor at a facility that was last in line to receive state-of-the-art security measures, he was able to fall through the cracks. Afterwards, it was found that the software he used contained saved settings to scan for various forms of top-secret information.
Here are some lessons to consider:
- When possible, implement new security measures at all sites simultaneously. Don’t leave any weak links.
- Make sure that security measures cover everyone who works with your internal data, including regular employees, contractors, and third-party companies.
- If you find that employees have installed unauthorized software that can scrape information from your servers and that they don’t need to do their jobs, take the situation very seriously.
- If suspicious software is installed, audit what it has been accessing. Server access logs can reveal unwarranted activity, such as one account pulling far more documents than its job requires.
- Make sure you have a plan for what to do when security policies are violated. It’s important to be fair and not overly paranoid, but there’s no point in catching a problem if you don’t follow up with appropriate action.
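As an added example (not code from the original article), here is the kind of audit check the lessons above point to: a script that reads the access logs of an internal document server and flags accounts whose behaviour looks like a crawler rather than a person. The log format (Apache combined format with the authenticated-user field filled in), the user names, paths, thresholds and the list of scripted-client User-Agent strings are all assumptions constructed for this example, not details taken from any real system.

```python
"""Spot crawler-style bulk retrieval of internal documents in web access logs.

Added example, not the article's own code. The log lines below are constructed;
the thresholds and User-Agent markers are assumptions a real deployment would tune.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format with the authenticated-user field populated,
# as an intranet wiki or document server behind SSO or HTTP auth would write it.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# User-Agent fragments typical of scripted retrieval tools, not browsers (assumed list).
TOOL_UA_MARKERS = ("wget", "curl", "httrack", "python-requests", "scrapy", "spider", "crawler")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_bulk_retrieval(lines, window=timedelta(minutes=5), max_distinct=25):
    """Return {user: reason} for accounts whose successful GETs look like crawling.

    Two independent signals are checked:
      * the number of *distinct* documents fetched inside any `window`-long span
        exceeds `max_distinct` (reloading one page many times does not count);
      * a scripted-client User-Agent was used at all.
    """
    per_user = defaultdict(list)          # user -> [(ts, path, ua), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["status"] != 200:
            continue                      # skip unparsable lines and failed requests
        per_user[rec["user"]].append((rec["ts"], rec["path"], rec["ua"]))

    findings = {}
    for user, events in per_user.items():
        events.sort()
        reasons = []

        tool_uas = sorted({ua for _, _, ua in events
                           if any(mark in ua.lower() for mark in TOOL_UA_MARKERS)})
        if tool_uas:
            reasons.append(f"scripted client user-agent: {tool_uas[0]}")

        # Sliding window over this user's own requests; keep the peak distinct-document count.
        peak, lo = 0, 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            peak = max(peak, len({path for _, path, _ in events[lo:hi + 1]}))
        if peak > max_distinct:
            reasons.append(f"{peak} distinct documents within {window}")

        if reasons:
            findings[user] = "; ".join(reasons)
    return findings


# ---- constructed sample input (not real log data) ----------------------------
T0 = datetime(2014, 2, 9, 9, 0, 0, tzinfo=timezone.utc)
BROWSER = "Mozilla/5.0 (X11; Linux x86_64) Firefox/26.0"


def _line(ip, user, ts, path, ua, status=200):
    """Build one constructed log line in the format LOG_RE expects."""
    return (f'{ip} - {user} [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" '
            f'{status} 4096 "-" "{ua}"')


SAMPLE_LOG = (
    # alice: five pages spread over an hour, ordinary browsing
    [_line("10.0.0.5", "alice", T0 + timedelta(minutes=12 * i), f"/wiki/ProjectA/page{i}", BROWSER)
     for i in range(5)]
    # dave: reloads one dashboard 40 times in 40 s (many requests, one document)
    + [_line("10.0.0.7", "dave", T0 + timedelta(seconds=i), "/dashboard", BROWSER)
       for i in range(40)]
    # bob: 40 distinct documents in two minutes behind a browser User-Agent
    + [_line("10.0.0.9", "bob", T0 + timedelta(seconds=3 * i), f"/wiki/ProjectB/doc{i:03d}", BROWSER)
       for i in range(40)]
    # carol: only three pages, but fetched with wget
    + [_line("10.0.0.11", "carol", T0 + timedelta(seconds=i), f"/wiki/ProjectC/doc{i}", "Wget/1.14 (linux-gnu)")
       for i in range(3)]
    # one malformed line that the parser must skip rather than crash on
    + ["this line is not in access-log format"]
)

if __name__ == "__main__":
    for user, reason in detect_bulk_retrieval(SAMPLE_LOG).items():
        print(f"{user}: {reason}")
```

Run against the constructed input, the script flags bob (40 distinct documents inside the five-minute window) and carol (wget User-Agent) while leaving alice and dave alone, which is the point of counting distinct documents rather than raw requests. Two caveats a practitioner would add: a crawler that paces itself below the volume threshold and spoofs a browser User-Agent will evade both signals, so the check is a starting point for an investigation rather than proof, and the thresholds should be set from a baseline of what each role normally reads rather than from a single global number.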