Bank of America shows the need for effective provisioning
When I was younger, with one foot on the corporate career ladder (before I subsequently fell off, permanently), we had what I thought was an American joke: if you came into the office in the morning and your desk was bare – no phone, no computer, no nothing – you’d been sacked. But it wasn’t a joke. It was the physical effect of material de-provisioning; and a necessary part, along with the security guard escorting you off the premises, of letting people go.
Somewhere, with the evolution of the cyber office, we have forgotten the importance of de-provisioning – of cancelling online accounts, removing passwords and restricting access immediately on termination. There is a second line of defence. It’s the courts; and Bank of America has won a court injunction temporarily blocking use of its data by four ex-employees.
Bank of America Corp. won a court order temporarily blocking four former employees from using and sharing the bank’s client records at their new employer, New York-based Dynasty Financial Partners.
Bank of America Wins Order, Ex-Workers Can’t Take Data
The problem is that this smacks rather of stable doors and horses, or genies and bottles. The courts are no alternative to adequate staff provisioning and de-provisioning. Kurt Johnson, vice president of strategy & corporate development at Courion, whose AccountCourier product does just this, comments:
This is not just another “employee gone bad” story; it’s a reminder to companies that if the proper access controls and monitoring tools are not put in place to protect sensitive data, they could suffer significant financial and operational losses.
Companies need to be one step ahead of a departing employee. In letting these staff members go, all administrative controls should have been shut off and changed immediately so that there was no opportunity to gain access to these sensitive files. Leaving even a short time gap between notice of termination and closing accounts creates vulnerabilities. For example, the Ponemon Institute has reported that 59 percent of terminated employees admitted to stealing confidential company information, so the Bank of America is not alone. Implementing an automatic de-provisioning process is the only way to confidently avoid glaring lapses in security when your company’s data stores are vulnerable to attack.