Somehow the concept of treating other people's property with the same care you treat your own seems alien, even within the family. So it should come as no great surprise that other people's sons and daughters are exactly the same, and every business is full of other people's sons and daughters. It therefore seems only logical that somebody has to play mother in any business, double-checking that the backdoor is locked.
As we discovered in a recent survey, not only are backdoors left open, but frequently people know they are open and still can't be bothered to close them; after all, they might need access themselves at some point. More than a third of those interviewed admitted that they still had backdoor access to their old employers' data, and a quarter of those interviewed knew that former colleagues could still access it, yet they did nothing about it. My family would be proud of them!
How serious can a backdoor be? The recent example of a large global retailer that was "hacked" for several months, maybe a couple of years, with huge amounts of customer data going out the "backdoor" (they may never know just how much they lost), is clearly just the tip of the iceberg, unless the other 99.99% of those with backdoor access are keeping it purely for sentimental reasons. One reason to suspect a former employee is the company's own statement: "We believe that the intruder had access to the decryption tool for the encryption software utilized..." Now, either they are using the worst encryption tool ever invented, in which case they have a duty to name the supplier, or, more likely, somebody "accidentally" managed to access the recovery keys. Or maybe the data was only supposed to be encrypted, like in the recent incident at a UK bank: "The disk would usually be encrypted. Unfortunately, due to human error on this occasion the usual policy was not followed."
What these two incidents point to is that many organizations need to seriously address two issues: how to protect sensitive data, and how to control privileged access to systems. Simply encrypting sensitive data is of little use if those who manage the systems where the data is kept have uncontrolled access. Conversely, protecting the privileged password is all well and good, but if a user who has obtained that password can then read highly confidential data without leaving any trace, it defeats one of the major purposes of protecting privileged accounts.
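The two controls the post calls for, closing the backdoors that leavers keep and making sure privileged access leaves a trace, both come down to a reconciliation that somebody has to actually run. The script below is an added example, not code from the original post or from any product it alludes to. It assumes two constructed inputs: a directory export of accounts (each with an HR owner id, an enabled flag and a privileged flag) reconciled against a constructed HR roster with termination dates, and a constructed list of privileged logon sessions reconciled against the session ids that made it into the audit trail. Any account still enabled for a leaver, owned by nobody HR recognises, or shared with no accountable owner is reported, as is any privileged session with no audit record.

```python
"""Reconcile who still has access against who should, and check that
privileged access leaves a trace. Added example with constructed data."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    username: str
    owner: str        # HR employee id; "" marks a shared/service account
    enabled: bool
    privileged: bool


# Constructed HR roster: employee id -> (name, termination date or None)
HR_ROSTER = {
    "E100": ("Alice", None),
    "E101": ("Bob", date(2013, 11, 30)),
    "E102": ("Carol", None),
}

# Constructed directory export (assumed shape, not a real product's format)
ACCOUNTS = [
    Account("alice", "E100", enabled=True, privileged=False),
    Account("bob", "E101", enabled=True, privileged=True),      # leaver, still enabled
    Account("carol", "E102", enabled=True, privileged=False),
    Account("svc_backup", "", enabled=True, privileged=True),   # shared, no owner
    Account("dave", "E999", enabled=True, privileged=False),    # owner unknown to HR
    Account("erin", "E101", enabled=False, privileged=False),   # already disabled: fine
]


def find_orphaned_accounts(accounts, roster, today):
    """Return (username, reason) for every enabled account nobody current is
    accountable for: leavers' accounts, unknown owners, and ownerless shared accounts."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue                      # disabled accounts are not a backdoor
        if acct.owner == "":
            findings.append((acct.username, "shared account with no accountable owner"))
            continue
        entry = roster.get(acct.owner)
        if entry is None:
            findings.append((acct.username, "owner not in HR roster"))
            continue
        _, left = entry
        if left is not None and left <= today:
            days = (today - left).days
            findings.append((acct.username, f"owner left {days} days ago, account still enabled"))
    return findings


# Constructed privileged logons (session id, user, host) and the set of session
# ids that reached the audit trail. A logon with no audit record is access
# that left no trace.
PRIV_LOGONS = [
    ("sess-1", "bob", "db-prod-01"),
    ("sess-2", "svc_backup", "file-srv-02"),
    ("sess-3", "carol", "db-prod-01"),
]
AUDIT_TRAIL = {"sess-1", "sess-3"}


def find_untraced_privileged_access(logons, audit_sessions):
    """Return every privileged logon whose session id has no audit record."""
    return [(sid, user, host) for sid, user, host in logons if sid not in audit_sessions]


def report(today):
    """Run both reconciliations; the caller decides what to disable or escalate."""
    return {
        "orphaned_accounts": find_orphaned_accounts(ACCOUNTS, HR_ROSTER, today),
        "untraced_privileged_sessions": find_untraced_privileged_access(PRIV_LOGONS, AUDIT_TRAIL),
    }


if __name__ == "__main__":
    for section, rows in report(date(2014, 2, 1)).items():
        print(section)
        for row in rows:
            print("  ", row)
```

Run daily against the real directory export and HR feed, the first check is the "mother double-checking the door" the post asks for; the second is what turns a protected privileged password into protected privileged access, because a privileged logon that never reaches the audit trail is exactly the traceless access the last paragraph warns about.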