For higher-ranking employees, "you immediately
provide an escort to that person's office. If
that person has personal information on the
laptop, you tell him that you will download that
information and send it to him. But you do not
let him walk out of that building with a
laptop."
On the day that Circuit City had to terminate
700 corporate employees, Stinde kept tabs on the
proceedings via an instant messaging program.
"I could see that as folks … packed up their
personal belongings, someone in IT security
would revoke the associates' access, and
immediately their access was withdrawn and they
dropped out of my instant messaging program," he
says. "Every access point, their passwords,
their e-mail addresses, their VPN log-ins — all
were eliminated immediately."
Identifying zombies
Framingham, Mass.-based Courion is a provider of
solutions that help companies ensure that
employees have access to only that data required
to perform their jobs, says vice president of
strategy and corporate development Kurt Johnson.
Such applications help retailers automate
processes that can be time-consuming and result
in undetected risks if performed manually.

Used by retailers like Staples, Office Depot and
REI, Courion's AccountCourier and
ComplianceCourier applications create strong
controls by identifying all user accounts and
access points, verifying whether that access is
acceptable and appropriate and automating
remediation and corrective action. This helps
retailers identify what are technically known as
"zombie accounts," access points that continue
to exist even after people have left an
organization.
"Zombie accounts are the IT equivalent of the
living dead," Johnson says. "They increase the
potential for some unauthorized person to access
that account and steal or manipulate key data."
Johnson says it is not uncommon for a typical
employee to have 10 or 15 user name/password
combinations. Without an automated process,
"there is no central place to go to find all the
access points," he says, "and turning off
network access does not necessarily turn off
access to all accounts. So if you have
disgruntled people being laid off, you're
vulnerable and at a huge risk."
(In April 2008, undetected zombie accounts
created a major legal problem for LendingTree,
an Internet service that connects borrowers and
lenders. The company reported that former
employees were illegally accessing mortgage
applications and even selling user names and
passwords to mortgage lenders. The data breach
harmed the credit scores of numerous consumers
and prompted several class-action lawsuits.)
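The reconciliation Johnson describes can be sketched in a few lines. This is an added example, not Courion's software or code from the article: it assumes each system can export its accounts with the owner's employee ID, and the roster, system names and usernames are constructed sample data.

```python
from datetime import date

# Constructed sample data (not from the article): HR roster keyed by employee ID.
HR_ROSTER = {
    "E1001": {"name": "A. Rivera", "terminated": date(2024, 3, 1)},
    "E1002": {"name": "B. Chen", "terminated": None},
    "E1003": {"name": "C. Okafor", "terminated": date(2024, 3, 1)},
}

# Constructed per-system exports. Usernames differ between systems, so each
# record carries the owner's employee ID (None when no owner is recorded).
ACCOUNT_EXPORTS = {
    "directory": [
        {"user": "arivera", "owner": "E1001", "enabled": False},
        {"user": "bchen", "owner": "E1002", "enabled": True},
        {"user": "cokafor", "owner": "E1003", "enabled": False},
    ],
    "vpn": [
        {"user": "rivera.a", "owner": "E1001", "enabled": True},
        {"user": "chen.b", "owner": "E1002", "enabled": True},
    ],
    "pos_admin": [
        {"user": "co_store12", "owner": "E1003", "enabled": True},
        {"user": "tempsvc", "owner": None, "enabled": True},
    ],
}


def find_zombie_accounts(roster, exports, as_of):
    """Return enabled accounts whose owner has left or cannot be identified."""
    findings = []
    for system, accounts in sorted(exports.items()):
        for acct in accounts:
            if not acct["enabled"]:
                continue  # already revoked on this system
            person = roster.get(acct["owner"])
            if person is None:
                reason = "no owner in HR roster"
            elif person["terminated"] and person["terminated"] <= as_of:
                reason = "owner terminated " + person["terminated"].isoformat()
            else:
                continue  # active employee, access may be legitimate
            findings.append((system, acct["user"], reason))
    return findings


if __name__ == "__main__":
    for row in find_zombie_accounts(HR_ROSTER, ACCOUNT_EXPORTS, date(2024, 3, 2)):
        print("{:10} {:12} {}".format(*row))
```

In the sample, both departed employees were disabled in the directory yet still hold live VPN and POS accounts, which is the gap that turning off network access alone leaves open.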
Clearly-stated policy
While the cost of identity management varies by
the number of users, in many instances
"companies can get an ROI in less than a year,"
Johnson says. Companies that are liquidating
would only need to automate the disenabling
process, not the compliance management of
ongoing accounts.
In addition to cutting off all access points, it
is critical for retailers to have a
clearly-stated policy that informs employees
from the moment they are hired that theft of any
kind, including intellectual theft, will be
prosecuted, Rogers says.
Among other processes, Circuit City's IT
security software had the ability to prevent the
e-mailing of personal data like Social Security
numbers; messages that include a series of
numbers are flagged as a potential breach. "That
simple process built into our e-mail
capabilities, along with our ability to spot
data extraction in real time, helped
tremendously," Stinde says. "Right away they
provided an alert, and immediately an IT person
would respond."
Circuit City's IT security team took additional
precautions to protect consumer data. "Even
though we were no longer a go-forward company,
we understood the impact that stolen data would
have had on customers who had been good to us
over the years and to our estate," Stinde says.
There were increased incidents of credit card
fraud at POS during the closings, but Circuit
City's exception-based POS security measures
allowed its LP team to spot and, in most cases,
resolve them early.