Employee Confidentiality Breach

  • Writer: Tejas Nikumb
  • Sep 27, 2022
  • 4 min read
Problem Statement

ABC*, a company that provided architecture landscape design services to its clients, encountered an employee breach of confidentiality. The problem came to light when it suddenly began losing service requests from customers.

This company received several landscape design orders from customers in other countries. It typically had a workforce of forty people. Its information systems assets comprised fifty devices: forty PCs, five standard switches, four servers, and one ISP router.

One day, the firm suddenly began losing nearly final orders from long-term, reliable clients. On receiving this information, the organization's director demanded that the situation be investigated as soon as possible. Following an examination, he discovered that a competitor had offered a comparable package at a cheaper consultation fee than the organization's, at the last minute.

When the director received proposal drawings from his client that allegedly appeared similar to his organization's designs, his suspicions of private data theft from the organization's information systems grew. The director's suspicion was based on assumptions about the status of all employees in the organization, along with one employee's resignation a few weeks earlier. He found it impossible to determine who was responsible for the theft of the organization's private data because all workers had full access to the internet and to personal email. As a result, the director decided to investigate the problem further and called SOC Shashwat for additional consultation.

The ABC* organization lacked suitable policies aligned with the ISO27001 information security management standard, as well as proper documentation for information security risk management. As a tiny firm, it did not require its workers to sign a business non-disclosure agreement (NDA), which put the organization's business in danger.

Following the investigation, SOC Shashwat advised the firm on how to establish security measures for the organization, such as ISO27001 compliance. We developed ISO27001-compliant security policies for the firm, along with security risk assessment paperwork, and deployed numerous security measures that were missing from the organization's information systems.

The case demonstrates how quickly a dissatisfied employee can take secret information from a business that lacks robust information system security. It also illustrates how a dissatisfied employee can use the organization's sensitive knowledge, resulting in a loss of business clients to rivals.


Inspection

SOC Shashwat took up this investigation case in response to the organization's email suspicion investigation request.

SOC Shashwat mainly questioned the director, who voiced reservations about five individual workers. We decided to begin by looking into the computers of the five employees the director had named as suspicious.

Initially, we discovered that the employees had unrestricted internet access and that no websites were blocked. Later, when we examined the organization's network design, we noticed that there was no firewall between the internet and the internal network. This was the first red flag, and it left all of the organization's information technology assets highly susceptible to attackers.

During our investigation, we discovered that USB access on the company's employee systems had not been blocked, and that each department's shared folder data was freely available to practically everyone in the business. This second red flag indicated that it was simple for a dissatisfied employee to take and misuse the organization's private information, so breaching the organization's data security was quite easy. This security flaw was exploited by an employee who had resigned, which we discovered later when doing forensics on the suspected employee's system.

While doing forensics on the suspected employee's system, we discovered that the resigned employee had signed in to his email account and sent the organization's secret proposal material to it. We confirmed this using forensic tool logs and reports. When the design files from the resigned employee's system were compared with the low-cost proposal drawing the director had obtained from his client, they were a perfect match.


During the inquiry, a third red flag was discovered: USB ports were open on all of the organization's employee systems, and several unwanted logical ports were open in the network. Furthermore, the firm had not articulated its information security rules to its workers, and the workers had not been required to sign non-disclosure agreements carrying disciplinary punishment for violation of confidentiality.

In total, three severe red flags were detected and reported during the inquiry phase, demonstrating that the company lacked fundamental information systems security and ISMS compliance for managing sensitive data. This case also demonstrated the negative repercussions of giving employees free access to an organization's private information.


Interpretation

SOC Shashwat set out the resources necessary to safeguard the organization's information systems, following the resuscitation of the organization's business needs and the expectations of the organization's director. We also advised him on how to obtain information security resources such as firewalls and servers.

We advised him to include a condition requiring the return of the organization's property in the worker NDA, and to include ISMS continuous improvement in the firm's processes to maintain strong data security. We then worked with the organization to develop its information security strategy, action plans to handle risks and opportunities, and tasks for planning and improvement.

As part of our remedial action, we changed the organization's network by installing two servers and a firewall and by blocking unauthorized ports. One server was set up for FTP, while the other was set up for the DMZ. Then we established the organization's end-user policy, restricted specified websites, and enabled the log monitoring function in the firewall to capture ongoing behavior. We disabled the USB ports on all workers' systems and set their workstations to store data directly on the FTP server to maintain a clear desktop policy. To prevent unauthorized access, we established a username and password for each employee under the FTP server storage policy, with forced regular password updates. We also set up an offline backup security system to back up the organization's data every week. Finally, we recommended that the director of the organization receive system/network security and firewall configuration awareness training from our firm.
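A log review of the kind the firewall monitoring above makes possible, as an added example that is not SOC Shashwat's tooling or code from the original post: it totals each user's daily POST volume to personal webmail hosts and flags totals above a threshold. The key=value log format, the host names, the user names and the 5 MB threshold are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed key=value export format (not a real firewall's output).
SAMPLE_LOG = """\
2022-09-01T09:02:11 src=10.0.0.23 user=emp07 dst=webmail.example.test method=POST bytes_out=4200
2022-09-01T09:40:55 src=10.0.0.23 user=emp07 dst=webmail.example.test method=POST bytes_out=9800000
2022-09-01T09:41:30 src=10.0.0.23 user=emp07 dst=webmail.example.test method=POST bytes_out=7600000
2022-09-01T10:15:02 src=10.0.0.31 user=emp12 dst=client-portal.example.test method=POST bytes_out=22000000
2022-09-01T11:05:47 src=10.0.0.31 user=emp12 dst=webmail.example.test method=GET bytes_out=900
this line is malformed and must be skipped
2022-09-02T08:30:00 src=10.0.0.23 user=emp07 dst=webmail.example.test method=POST bytes_out=3000
"""

WEBMAIL_DOMAINS = {"webmail.example.test"}  # assumption: list maintained by the administrator
FIELD = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"user", "dst", "method", "bytes_out"}

def parse_line(line):
    """Return (date, fields) for a well-formed line, or None so bad lines are skipped."""
    parts = line.split(maxsplit=1)
    if len(parts) != 2 or "T" not in parts[0]:
        return None
    fields = dict(FIELD.findall(parts[1]))
    if not REQUIRED <= fields.keys() or not fields["bytes_out"].isdigit():
        return None
    return parts[0].split("T")[0], fields

def flag_webmail_uploads(log_text, domains=WEBMAIL_DOMAINS, min_bytes=5_000_000):
    """Sum POST bytes per (day, user, host) so split uploads are still counted together."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        day, f = parsed
        host = f["dst"].lower()
        if f["method"] == "POST" and host in domains:
            totals[(day, f["user"], host)] += int(f["bytes_out"])
    return sorted((d, u, h, n) for (d, u, h), n in totals.items() if n >= min_bytes)
```

Summing per day rather than per request means several medium-sized uploads in one session are flagged together, while the large upload to the client portal is ignored because that host is not on the webmail list.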


As a result of this deployment, the business will be able to secure its secret information and prevent its theft while also becoming ISO27001 compliant. It will also help the business produce supporting evidence during ISO27001 audits and management reviews of the ISMS, identify improvements, and act according to the corrective action guide in the event of a security incident.
