NBN Co's poor document security enabled document leaks that could have been avoided
- 26 May, 2016 09:18
Ongoing leaks of sensitive documents at national broadband network (NBN) builder NBN Co were avoidable and highlight systematic failures in internal document controls, document-security specialists have warned as the fallout continues after the company was forced to call in the Australian Federal Police (AFP) for assistance.
Last December NBN Co management – concerned about their inability to identify the source of ongoing damaging leaks of internal documents highlighting cost blowouts and unexpected problems in the $50b+ national broadband network (NBN) project – called in the AFP to help isolate the source of the leaks.
Subsequent raids on the offices of Labor senator Stephen Conroy and the homes of two party aides made front-page news and raised questions about the Turnbull government's management of the project. Coming in an election campaign as it did, the raids did little to allay the public's fears that the massive NBN rollout was deeply troubled.
But they also highlighted inadequate document-management security in the part of NBN Co, says e-Safe Systems director of projects Rizwan Mahmood. “Whenever any leak happens it's always the internal people taking the data out,” Mahmood told CSO Australia. “The destructive force of an internal leak is many times more powerful than if someone had just taken some of your emails – but 95 percent of security investment is to stop unauthorised users. The technology has to revolve around the authorised user, and around his behaviour – and security should follow the information.”
The company, whose document-security tools alert executives whenever any user tries to print, distribute, or even open documents, has seen strong interest since Mahmood opened its Australian arm earlier this year. More tellingly, a key part of its customer engagement – an initial audit of user behaviour to highlight internal document-usage trends – has shown that Australia is in line with international benchmarks that suggest companies see one incident of insider data theft per 100 employees per month. This included a case where the tool identified that one user was accessing large volumes of files.
When the behaviour was pointed out to company management, it was revealed that the employee was about to leave the company – and the behaviour stopped immediately. In a company the size of NBN Co – which has more than 3600 employees – these behaviour patterns would translate to 36 insider incidents per month. And, as company management found out, tracing these incidents can cause major issues not only for the company, but for political stakeholders that include government ministers and the prime minister himself.
Tools for improving document control need to be as inobtrusive as possible while tightly controlling and monitoring user behaviour, but can easily be integrated with the Microsoft SharePoint environment used in NBN Co and many other companies.
While e-Safe Systems relies on a plug-in that monitors document activity, secure-collaboration vendor Intralinks generates unique encryption keys for every enterprise file and embeds the security directly into the file – meaning that access to that file can be revoked at any time by deleting the key, even if the file is leaked outside the organisation.
It's the kind of security that has helped Intralinks build a niche business providing secure, cloud-based environments in which the myriad parties in complex merger and acquisition negotiations can share their documents. And by positioning the company's VIA service as a more-secure alternative to the emerging cloud-storage market, says field chief technology officer Daren Glenister, businesses can lock down and monitor access and use of any document in their organisation. ”When you send a document outside, you have no control over it,” he explains. “But especially when you're collaborating with third parties and contractors, you need to have the ability to do that securely. Because we embed security into the document, we can unshare it and revoke access to those documents.”
Such controls offer far tighter control over enterprise documents than NBN Co seems to have been able to enforce over its internal documents, which have been repeatedly leaked in the years since prime minister Malcolm Turnbull assumed control of the project in his previous role as communications minister.
Fallout from the AFP raids continued into this week and NBN Co was forced to issue a terse media statement about its compliance with AFP instructions during the raids. Company executives have remained quiet in the wake of the raids, however.
While two staff were subsequently stood down in relation to the leaks, their repercussions will re-emerge after the election as Parliament considers claims of Parliamentary privilege asserted over the documents. The NBN Co leaks are the latest in a string of breaches of weak corporate security – recent breaches at Bluescope Steel, Glaxo Smith Kline and 'Panama Papers' law firm Mossack Fonseca are the latest examples – have highlighted the importance of dealing with insider security threats, which remain a major issue for companies of all stripes.
CSOs should be developing and formalising plans for dealing with insider threats, experts advise as study after study shows that they remain a major concern across businesses of all types: one SANS Institute-SpectorSoft survey found that 74 percent of 772 IT security professionals were concerned about malicious employees. Reports suggest that insider threats are the leading cause of security issues in many companies, yet many organisations still aren't increasing the budget to deal with them despite an emerging consensus about the importance of document controls in limiting exposure.
“Let the information owner, who actually understands the value of the information, check what is going on,” Mahmood says. “Only then will they be able to stop it. There is a lot more understanding of this now, but people are looking for a solution. If people realise that there are now tools available to address these kinds of issues, the market will just open up.”