We know that employees and internal attacks are a major nemesis to good cybersecurity. But what do you do if someone from the inside has alerted you to a major vulnerability that could cost the company millions or could put thousands of innocent people at risk for identity theft? Would you reward that person? Would you fix the vulnerability? Would you brush it off, perhaps with a false promise that the problem will be corrected? And then what would you do if the person followed up to make sure something had been done?
I ask because I read an article today about a Montreal college student who, while developing a mobile app meant to assist his fellow students in accessing their records, found a major flaw in the school’s computer system. This flaw put the personal information of approximately 250,000 people at risk. The student alerted authorities on campus, who, according to the article, seemed grateful for the heads-up.
But then the student went rogue. He decided to check the system to see if it was fixed. It wasn’t, but the “check” was flagged as a cyber attack and the student was expelled.
Based on what I’ve read about this story, I think the young man made some serious mistakes in the way he followed up. First of all, he supposedly only waited two days before checking to see if the problem was fixed. I worked in academia for many years and I have some good friends who work with the computer networks in academic settings. I can tell you from experience that nothing in a university setting gets corrected in two days. Secondly, deciding to sneak in on the system to check was the wrong way to go about it. True, it may have been the only way he would have gotten a straight answer about whether or not the problem was addressed, but going behind everyone’s backs is not the way to go.
On the other hand, my community has been witness to the consequences of not following up on a concern in a timely manner, so I can understand why the young man wanted to make sure the problem was resolved so quickly. However, now the focus of the story is on the young man who was expelled for the cyber attack, rather than on the facts that a) he may have helped avert a major breach and b) this should be a reminder to college campuses everywhere to keep on top of the security of data storage.
I think the story should also prompt dialogue within the enterprise. We want employees to be well educated on cybersecurity and its risks, and that should also mean being able to recognize when there is a problem. Do your employees feel that they can approach security and/or IT executives to alert them to a problem? And if they do, can they expect to be taken seriously and the problem to be given a timely response? Do you have a protocol in place to deal with cybersecurity whistleblowers?