IT | Security

Insider Data Breach at Google

By: Absolute Team | 9/17/2010

Google is company that is so successful that its name has become a verb. Start-ups admire Google and competitors want to be them. But this week hasn’t been one of Google’s happiest after they had to “dismiss” an engineer for “breaking Google's strict internal privacy policies” (you can read more here). The breach was compounded by the fact that it came from the inside, from an employee that needed to access sensitive data in order to do his job. This employee was trusted by the organization.

So what did Google do wrong? Could this situation have been avoided? At this point it’s hard to say. We know that Google had been conducting security audits on their logs, but we don’t know how frequently these audits occurred or if there were other tools and procedures in place to monitor their employees. Did Google underestimate internal threats? Did they put too much trust in their employees and forget about the ‘human factor’ that is all too often the reason behind a data breach?

As it stands, we don’t have the answers to any of these questions (yet), but there is a lesson to be learned here for all business owners. And that lesson is: don’t be the next Google. There is no better time than the present to take a close look at the systems that you have in place to prevent a data breach.  Have you identified all of the vulnerabilities within your organizations (including your employees)? Do the systems that you have in place address all of these potential threats?

When it comes to preventing a breach, there is no single solution. All organizations that work with sensitive data and information need to take a layered approach to securing both their devices and the data stored on them. This approach needs to include:

  • Training for staff (both new staff as well as existing team members)
  • Frequently scheduled audits (of both devices and logs)
  • Internal policies and procedures (and an immediate action plan that can be enacted if a breach occurs)
  • Security software that can help to manage and protect both data and hardware (from internal and external threats)

Finally, it’s critical for organizations to communicate these procedures to employees. If an employee knows that their activities are being monitored on a regular basis, they may be less likely to abuse or misuse the information that they have access to. Every employee at your organization needs to be aware of security policies and procedures.  IT security staff needs to be trained properly so that they can manage security software successfully. Organizations need to think of their security policy as if it was a well-oiled machine, and in order for that machine to run properly every cog needs to be maintained and running simultaneously.

What security procedures does your organization have in place to prevent breaches?  When it comes to security, are you taking a layered approach?  Let’s discuss best practices in the comments.