Protecting Against M&A, Layoff Vulnerabilities Tricky but Possible


I've covered this topic more than once since the economy went from very bad to scary awful, but it bears repeating: There is going to be a lot of chaos during the next few months -- layoffs and mergers -- and security staffs need to pay a lot of attention to keep data safe. Ideally, that work gets done long before the layoffs or mergers start.


That's the message. This post is about what to do about it. Processor says that it is important to track which assets each employee can access. This is a bigger job than it seems and must be done in a systematic way before the employee is let go. Passwords to group or shared accounts must be tracked. That's tricky, of course, because those passwords are assigned to a group of people. They should be changed when an employee has been given notice or is told that he or she will be laid off days or weeks before it actually happens. This lets the company track whether the person is trying to reach into areas in which he or she shouldn't tread.
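To make the tracking idea concrete, here is a small Python sketch. It is an added example, not code from Processor or any of the articles mentioned here. It lists shared accounts whose password predates a member's notice date and flags post-notice login attempts against accounts the person should no longer reach. All account names, users, dates and the record layout are constructed assumptions.

```python
from datetime import date

# Constructed sample data; every name and date here is hypothetical.
NOTICES = {"jdoe": date(2009, 1, 12)}  # employee -> day notice was given
SHARED = {  # shared account -> who knows the password, when it last changed
    "svc-backup": {"members": {"jdoe", "asmith"}, "rotated": date(2008, 11, 3)},
    "fin-report": {"members": {"asmith"}, "rotated": date(2008, 12, 1)},
    "web-admin": {"members": {"jdoe"}, "rotated": date(2009, 1, 13)},
}
EVENTS = [  # (day, user, shared account, login succeeded)
    (date(2009, 1, 10), "jdoe", "svc-backup", True),
    (date(2009, 1, 14), "jdoe", "web-admin", False),
    (date(2009, 1, 14), "asmith", "svc-backup", True),
    (date(2009, 1, 15), "jdoe", "fin-report", False),
]

def accounts_needing_rotation(notices, shared):
    """Map each shared account to the notified members who still know its
    password, i.e. the password was last changed before their notice date."""
    stale = {}
    for name, acct in shared.items():
        who = sorted(u for u in acct["members"]
                     if u in notices and acct["rotated"] < notices[u])
        if who:
            stale[name] = who
    return stale

def post_notice_attempts(notices, shared, events):
    """Return attempts made on or after a user's notice date against accounts
    they were never entitled to, or whose password was rotated after notice."""
    flagged = []
    for day, user, account, ok in events:
        if user not in notices or day < notices[user]:
            continue
        acct = shared[account]
        if user not in acct["members"]:
            reason = "not entitled"
        elif acct["rotated"] >= notices[user]:
            reason = "password rotated after notice"
        else:
            continue  # still a legitimate holder; rotation is the open task
        flagged.append((day.isoformat(), user, account, ok, reason))
    return flagged

if __name__ == "__main__":
    print(accounts_needing_rotation(NOTICES, SHARED))
    for row in post_notice_attempts(NOTICES, SHARED, EVENTS):
        print(row)
```

In practice the three inputs would come from the HR system, the password vault or directory, and the authentication logs.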


The most effective way to guard passwords is to establish a structure to protect them while the employee still is with the company. The piece is followed by sidebars that provide tips on preventing insider attacks and a checklist for a departing employee.


This IDG piece in The New York Times begins with a troubling vignette: A manager at Pilz left one company to work for a rival and took a lot of valuable information with him. The only thing that saved his original employer was the competitor's honesty. The suggestions: Watch for people who suddenly work long hours, who seek access to corporate information not necessary for their jobs and who make more printouts than usual. It is also a good idea to keep an eye out for troubled employees who may be receptive to pitches from crooks. The story suggests appropriate electronic safeguards as well and, for good measure, ends with two or three more scary stories.


In the case of mergers and acquisitions, security concerns must be handled while the IT department is busy with a tremendous number of other things. Indeed, security is mentioned only at the end of this piece, which looks at some of the things that must be done by an IT staff going through the M&A process. The staffs must synchronize financial and human resource data and merge the underlying IT systems. The piece says that synchronizing the financial data is the biggest issue. The last thing these folks have time to worry about is renegade current or laid-off employees. So it's vital to have robust and comprehensive policies and technical hardware and software systems in place.


These threats exist today in big enterprises -- and in the city of Clarksville, TN. The Leaf Chronicle reports that an external security audit there revealed that employees retained access after termination and that password standards were not adequate. The audit looked at the city in general, the gas and water department and the energy department. It found that denial of access rights was not completed quickly enough at all three levels and recommended that the system be adjusted. The audit also found that encryption was inadequate. Officials said that steps would be taken to rectify the situation.