You CAN Stop Stupid. Ira Winkler

People maintaining systems fail to properly maintain and update them for a variety of reasons. Trucks that are not properly maintained will break down. Computers that are not properly maintained may crash or be more easily hacked. Such was the case with the Equifax hack. As we described earlier, one administrator failed to update one system, which allowed the criminals into their infrastructure. Other failings, including neglecting a simple maintenance task, renewing a digital certificate, which essentially amounts to paying a fee, caused the data breach to go undetected. No end user initiated a loss in this case, but other people initiated the loss through their actions, and as we explained in Chapter 2, anyone who interacts with the system should be considered to be a user who can initiate loss.
Another category of loss that many professionals fail to consider is the disposal of equipment. Just about all technology seems to have local storage. Before an organization discards computers, they generally know to remove the storage drives. Many people know that they should delete everything on their cellphones. However, many organizations and individuals fail to consider that the same diligence should apply to printers, copy machines, and other devices that had access to the organization's network or data.
If a loss results from the decisions, actions, or inactions of a person, it is a loss that you have to consider in your risk reduction plans, and that includes loss that relates to design and maintenance.
User Enablement
While you can expect end users to make mistakes or be malicious, you do not have to enable the mistakes or malice. Unfortunately, some technology teams are doing exactly that. It is a given that users have to be able to perform their required business functions. However, you can design a user's access and function to limit the amount of loss they can initiate.
As we discussed earlier, McDonald's eliminates the possibility for cashiers to steal or miscount money by removing the cashier from the process. Similarly, ransomware is a constant problem for organizations, but that problem can be greatly reduced by not providing users with administrator privileges on their computer systems. Without administrator privileges, new software, even malicious software, cannot be installed on a computer.
There are limits to any measures that you employ to reduce user enablement. Some malware can bypass administrator privileges. While the elimination of cashiers eliminates risk of cashier theft, it also increases the risk posed by the people maintaining the kiosks, including those who count the cash collected by the kiosks. Even so, there is a significant reduction in the overall risk.
Just as users rarely need administrator privileges on their computers, they are frequently provided with much more technological access and capability than they require to do their jobs. In one extreme example, Chelsea Manning was a U.S. Army intelligence analyst in an obscure facility in Iraq. Manning was allowed to download massive amounts of data from SIPRNet, which is a communications network used by the U.S. Department of Defense and U.S. Department of State for data classified up to the SECRET level. Manning had access to data well beyond what her job function required. Some might argue that Manning's excessive access was part of an effort to ensure intelligence analysts had access to needed information and that compartmentalization of data was a contributing factor in the 9/11 failures. However, in the case of Manning, such access was not implemented with the appropriate security controls (see abcnews.go.com/US/top-brass-held-responsible-bradley-mannings-wikileaks-breach/story?id=12276038). After all, the United States has been dealing with insider threats since Benedict Arnold. Examples like Manning's excessive information access are not unique to the military, and they're often even worse in commercial organizations.
In college, author Ira Winkler worked for his college's admissions office and was responsible for recording admission statuses in the college's mainframe computer. He realized that he also had menu options that provided access to the school registrar's system, which maintained grades. Although he never abused the access, you can assume that other people were not as ethical. You can also assume that many people in other university offices with access to legitimate functions also had excessive access privileges. As you can see, such information access is a combination of both technology and process.
In short, any time a user is provided with the ability to access information or perform tasks beyond what is required for their work, there is a risk that should be contained. Sometimes, expanded information access and enhanced capabilities can help empower people to do their jobs more effectively. Empowering users to succeed while reducing loss is always about finding the right balance. For example, there is no reason for employees to have access to other people's PII, unless their job specifically requires such access.
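The registrar-menu and local-administrator situations described in this section are both instances of the same check: compare what each user is actually granted with what their role needs, and flag the difference. The script below is an added example, not from the book or its authors; the role names, entitlement strings, user records and the approval ticket are all constructed for illustration. It reports every excess entitlement and separates documented exceptions (the "right balance" the text mentions) from undocumented ones that need review.

```python
"""Role-baseline access review: flag entitlements a user holds beyond what
their job role requires. All data below is constructed for this example."""
from typing import Dict, List, Set, Tuple

# Hypothetical role baselines: the entitlements each job actually needs.
ROLE_BASELINES: Dict[str, Set[str]] = {
    "admissions_clerk": {"admissions.view_applicant", "admissions.record_status"},
    "registrar_clerk": {"registrar.view_grades", "registrar.post_grades"},
    "workstation_user": {"desktop.standard_user"},
}

# Constructed user records: assigned role plus what was actually granted.
USERS: List[dict] = [
    {"user": "admissions_intern", "role": "admissions_clerk",
     "granted": {"admissions.view_applicant", "admissions.record_status",
                 "registrar.view_grades"}},          # excess: registrar menu
    {"user": "rclerk", "role": "registrar_clerk",
     "granted": {"registrar.view_grades", "registrar.post_grades"}},
    {"user": "analyst1", "role": "workstation_user",
     "granted": {"desktop.standard_user", "desktop.local_admin"}},  # excess: admin
]

# Documented exceptions: excess access that was deliberately approved.
# The ticket reference is a placeholder, not a real identifier.
APPROVED_EXCEPTIONS: Dict[Tuple[str, str], str] = {
    ("analyst1", "desktop.local_admin"): "TICKET-PLACEHOLDER: builds test images",
}


def excess_entitlements(users: List[dict], baselines: Dict[str, Set[str]],
                        exceptions: Dict[Tuple[str, str], str]) -> Dict[str, List[dict]]:
    """Return, per user, every entitlement not covered by their role baseline,
    annotated with whether a documented exception exists for it."""
    findings: Dict[str, List[dict]] = {}
    for rec in users:
        # A role with no baseline is treated as needing nothing: everything is excess.
        baseline = baselines.get(rec["role"], set())
        for ent in sorted(rec["granted"] - baseline):
            key = (rec["user"], ent)
            findings.setdefault(rec["user"], []).append({
                "entitlement": ent,
                "approved": key in exceptions,
                "justification": exceptions.get(key),
            })
    return findings


def unapproved_excess(users: List[dict], baselines: Dict[str, Set[str]],
                      exceptions: Dict[Tuple[str, str], str]) -> Dict[str, List[str]]:
    """Only the excess that has no documented exception: the review queue."""
    queue: Dict[str, List[str]] = {}
    for user, items in excess_entitlements(users, baselines, exceptions).items():
        pending = [i["entitlement"] for i in items if not i["approved"]]
        if pending:
            queue[user] = pending
    return queue


if __name__ == "__main__":
    for user, ents in unapproved_excess(USERS, ROLE_BASELINES, APPROVED_EXCEPTIONS).items():
        print(f"{user}: needs review for {', '.join(ents)}")
```

Running the script lists only the admissions intern's registrar access; the analyst's local-administrator right is still reported by `excess_entitlements`, but with its justification attached, so the reviewer can decide whether the exception is still warranted rather than rediscovering it every cycle.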
Shadow IT
Shadow IT is a term for computing equipment, software, and access that is unknown to the IT department. It is typically acquired and introduced outside of the organization's normal process. It may or may not be purchased through the use of organizational funds.
One example is people's choices of laptops. Some people prefer to use Macs, as opposed to corporate PC-compatible systems, and they purchase a Mac directly and use it as their primary system. The problem is that the Mac systems are generally unknown to the IT department and will not be maintained per organizational standards. For example, if the Mac is lost, there will not be an ability to remotely erase company data on the system.
Shadow IT also includes software. Users add software to their personal and corporate devices that has not been vetted by the organization. Frequently, the organization has made a conscious choice not to use the software because of a variety of issues, including adherence to regulations, security requirements, and proper maintenance and patching. In one of the most notorious cases, Jared Kushner, advisor to President Trump, installed and used WhatsApp to communicate with foreign leaders. (See “Jared Kushner's Use of WhatsApp Raises Concerns Among Cybersecurity Experts,” CNN, www.cnn.com/2019/03/23/politics/kushner-whatsapp-concerns/index.html.) WhatsApp violates the law in that it does not adhere to record-keeping requirements.
Additionally, while communications may be encrypted, there are a variety of security concerns. Shadow IT systems may not be patched properly or have updated anti-malware software, which puts the whole organization at risk. If the employee leaves the organization, nobody knows to collect the system or at least delete the organizational data on the system.
In one case we are familiar with, which is not uncommon for organizations, an employee was unhappy with the available Internet access bandwidth, as well as the fact that his access was both filtered and monitored, so he had a new Internet connection installed in a corporate office. This created a rogue connection that bypassed the organization's security posture and created a backdoor for outside criminals.
Another case of Shadow IT is the use of online storage systems, such as Box, Dropbox, and Google Drive. Users frequently use third-party services to perform their jobs and bypass obstacles. Some services might not have strong security. Either way, the organization loses control of its information once it is placed on servers that the organization is not otherwise aware of.
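The personally purchased Mac and the rogue devices described above share one detectable property: they take an address on the network without appearing in the asset inventory. The script below is an added example, not from the book or its authors, of the simplest version of that check: parse DHCP lease records and report any device whose hardware address IT has no record of. The lease entries, inventory and MAC addresses are constructed; the lease syntax mimics the dhcpd lease-file layout but is not taken from a real server.

```python
"""Shadow IT spot check: compare DHCP leases against the asset inventory and
report devices IT does not know about. All data is constructed."""
import re
from typing import Dict, List, Optional

# Constructed asset inventory keyed by lowercase MAC address.
INVENTORY: Dict[str, dict] = {
    "aa:bb:cc:00:00:01": {"owner": "jsmith", "kind": "corporate laptop"},
    "aa:bb:cc:00:00:02": {"owner": "facilities", "kind": "printer"},
}

# Constructed dhcpd-style lease entries (not real log data). The fourth
# lease carries no client-hostname, which is common for personal devices.
LEASES = """
lease 10.0.5.21 { hardware ethernet AA:BB:CC:00:00:01; client-hostname "jsmith-laptop"; }
lease 10.0.5.22 { hardware ethernet aa:bb:cc:00:00:02; client-hostname "printer-3f"; }
lease 10.0.5.23 { hardware ethernet de:ad:be:ef:00:03; client-hostname "bobs-macbook"; }
lease 10.0.5.24 { hardware ethernet de:ad:be:ef:00:04; }
"""

# One lease block: IP, then the MAC, then an optional client-hostname.
LEASE_RE = re.compile(
    r'lease\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s*\{'
    r'[^}]*?hardware ethernet\s+(?P<mac>[0-9a-fA-F:]{17});'
    r'(?:[^}]*?client-hostname\s+"(?P<host>[^"]*)";)?'
    r'[^}]*\}'
)


def parse_leases(text: str) -> List[dict]:
    """Extract (ip, mac, hostname) from each lease block; MACs are normalised
    to lowercase so inventory lookups are case-insensitive."""
    leases = []
    for m in LEASE_RE.finditer(text):
        host: Optional[str] = m.group("host")
        leases.append({"ip": m.group("ip"), "mac": m.group("mac").lower(), "hostname": host})
    return leases


def unknown_devices(leases: List[dict], inventory: Dict[str, dict]) -> List[dict]:
    """Leases whose MAC is absent from the inventory: candidate shadow IT."""
    return [lease for lease in leases if lease["mac"] not in inventory]


def report(text: str, inventory: Dict[str, dict]) -> List[str]:
    """Human-readable lines for the unknown devices, hostname or '(none)'."""
    return [
        f'{d["ip"]} {d["mac"]} {d["hostname"] or "(none)"}'
        for d in unknown_devices(parse_leases(text), inventory)
    ]


if __name__ == "__main__":
    for line in report(LEASES, INVENTORY):
        print("unknown device:", line)
```

The two unknown entries are exactly the cases the text warns about: a self-purchased laptop that no remote-wipe policy covers, and an unnamed device that may be anything from a phone to a rogue access point. A check like this only covers devices that ask the corporate DHCP server for an address; a separately installed Internet connection, as in the rogue-circuit case above, never appears in these records at all and has to be found by other means, such as physical and contract audits.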
Shadow IT includes aspects of both user enablement and design and maintenance. Because the infrastructure has to allow for rogue devices, no matter the source, it is a network maintenance issue. Because organizations are directing that IT departments allow users to bring their own personal devices to work, it is a form of user enablement. One typical example of this is that organizations want employees to use their own cell phones