In the aftermath of the great data heist by Edward Snowden, the computer specialist who stole top secret information from the National Security Agency and leaked it to The Guardian earlier this summer, CIOs are feeling a little helpless.
"People are saying that if it happens to the NSA, which must have incredible tools to prevent people from leaking data yet still leaks on a grand scale, we better be really careful," says Jeff Rubin, vice president of strategy and business development at Beachhead, a mobile security company.
New breed of rogue employee roams the network
Snowden represents a new kind of rogue employee or contractor: a tech-savvy millennial armed with personal computers who can spirit away highly sensitive data. CIOs will have to deal with this threat sooner rather than later. The old thinking of relying on encryption to safeguard data just won't suffice in today's corporate computing environment.
The 29-year-old Snowden hatched a plan to swipe data from arguably one of the safest organisations on the planet. His age is significant because he's symbolic of today's millennial, a 20-something tech worker flooding corporations across the country. In the US, millennials are poised to make up the largest segment of the workforce by 2015, according to the US Bureau of Labor Statistics.
Two-thirds of millennials assess their technology acumen as "cutting edge" or "upper tier," according to CompTIA. Snowden, who once described himself as a "computer wizard," not only gained access to sensitive data, he communicated with the media using encrypted email under the codename Verax.
For CIOs, the warning is clear: Your next rogue employee may be good at finding ways around your best-laid security plans.
Social engineering and tech savvy a dangerous combo
While there's no questioning Snowden's technical chops - after all, he worked at contractor Booz Allen Hamilton as a computer specialist - Rubin doubts Snowden relied on technical skills alone to do what he did. Rather, Rubin believes Snowden employed social engineering tactics to gain access to computers and download data to thumb drives and, eventually, his personally owned computers.
"My guess is he went to NSA employees, said he was there to work on their computers and needed access to them, and gained their trust," Rubin says. "He may have even gone as far as telling them, 'You may get a notice on your screen that there's some sort of intrusion, but that's just me so don't be alarmed'."
The idea that Snowden probably used his personal computers and thumb drives should also be alarming to CIOs, especially in the age of BYOD, says Rubin. With BYOD, mobility and cloud storage services such as Dropbox now common, the chances of corporate data leaking out are higher than ever.
In fact, one of Beachhead's customers recently reversed its BYOD policy because of the security risks. If an employee now wants an iPad, for instance, the company will buy and manage it instead of allowing the iPad to be a part of a BYOD programme. "They're saying, 'We don't feel we have our act together to really allow this,'" Rubin says.
Encryption not enough
Another lesson CIOs can learn from Snowden is the need for multi-layer security, such as automatic triggers for wiping data. Many companies rely on encryption to keep their data safe, yet once a rogue employee gains the password, encryption is worthless.
Rubin says the Snowden case highlights the need for triggers that eliminate data beyond a geo-fence or after a certain number of incorrect logins or amount of time.
Also, companies might want to look into multi-factor authentication and data access controls to prevent rogue workers like Snowden from seeing data in the first place, Rubin says.
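The wipe triggers described above (a geo-fence, a failed-login threshold and a maximum time without a check-in) amount to a small policy decision that a device-management agent or server evaluates on every check-in. The following is an added illustration, not code from the article or from Beachhead; the thresholds, the fence centre and the device records are constructed assumptions, and a real deployment would take them from its own policy and telemetry.

```python
"""Device-policy evaluator for remote-wipe triggers (added example).

Evaluates three conditions on a managed device's last reported state:
  * too many failed logins,
  * no check-in for longer than the allowed offline window,
  * last reported location outside the geo-fence.
Any condition that fires yields a "wipe" decision plus the reasons, so the
decision can be logged and reviewed rather than acted on silently.
All constants below are constructed for the example, not real policy values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import math

# Assumed policy thresholds (constructed).
MAX_FAILED_LOGINS = 5
MAX_OFFLINE = timedelta(days=7)
FENCE_CENTER = (51.5074, -0.1278)   # constructed: an office in central London
FENCE_RADIUS_KM = 25.0


@dataclass
class DeviceState:
    """Last state reported by a managed device (fields are assumptions)."""
    device_id: str
    failed_logins: int
    last_checkin: datetime   # timezone-aware
    lat: float
    lon: float


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) pairs."""
    earth_radius_km = 6371.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = (math.sin(dlat / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2)
    return 2 * earth_radius_km * math.asin(math.sqrt(h))


def evaluate(state, now):
    """Return the names of every trigger that fires for this device state."""
    reasons = []
    if state.failed_logins >= MAX_FAILED_LOGINS:
        reasons.append("failed_logins")
    if now - state.last_checkin > MAX_OFFLINE:
        reasons.append("stale_checkin")
    if haversine_km((state.lat, state.lon), FENCE_CENTER) > FENCE_RADIUS_KM:
        reasons.append("outside_geofence")
    return reasons


def decide(state, now):
    """Map trigger results to an action: ('wipe', reasons) or ('ok', [])."""
    reasons = evaluate(state, now)
    return ("wipe" if reasons else "ok", reasons)


def run_policy(devices, now):
    """Evaluate a fleet and return {device_id: (action, reasons)} for audit."""
    return {d.device_id: decide(d, now) for d in devices}


# Constructed sample fleet, evaluated against a fixed reference time.
NOW = datetime(2013, 8, 1, tzinfo=timezone.utc)
SAMPLE_DEVICES = [
    # Healthy: recent check-in, no failed logins, inside the fence.
    DeviceState("laptop-01", 0, NOW - timedelta(hours=1), 51.5074, -0.1278),
    # Stale: still inside the fence but silent for ten days.
    DeviceState("laptop-02", 1, NOW - timedelta(days=10), 51.5100, -0.1300),
    # Two triggers: repeated failed logins and reported from Edinburgh.
    DeviceState("tablet-03", 7, NOW - timedelta(hours=2), 55.9533, -3.1883),
]

if __name__ == "__main__":
    for device_id, (action, reasons) in run_policy(SAMPLE_DEVICES, NOW).items():
        print(f"{device_id}: {action} {reasons}")
```

Two design points matter in practice. First, the evaluator reports reasons rather than only a verdict, so every wipe leaves an auditable record and a false trigger (a legitimate business trip outside the fence, for example) can be explained. Second, these triggers only work while the device is reachable and running the agent; a device that is kept offline never receives the wipe, which is why they complement full-disk encryption and strong authentication rather than replace them.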
Given Snowden's ability to steal from the NSA, coupled with the rise of both the tech-savvy millennial and BYOD, CIOs are sensing a loss of control over corporate data.
"It's happening too fast," says Rubin. "I think companies are a little paralysed."