<< Back to article Print this page Loading page, please wait...

How the Snowden Effect Is Paralyzing CIOs

Whether you describe Edward Snowden as a hero or a criminal, theres no denying the impact that this self-described computer wizard is having on IT leaders. After all, if even the NSA can fall victim to a tech-savvy millennial, how can they defend their data?

Tom Kaneshige (CIO (US))
21 August, 2013 17:31

In the aftermath of the great data heist by Edward Snowden, the now-infamous computer specialist who stole top secret information from the National Security Agency and leaked it to The Guardian earlier this summer, CIOs are feeling a little helpless.

"People are saying that if it happens to the NSA, which must have incredible tools to prevent people from leaking data yet still leaks on a grand scale, we better be really careful," says Jeff Rubin, vice president of strategy and business development at Beachhead, a mobile security company.

There's little doubt CIOs are reeling from the Snowden effect. A New Breed of Rogue Employee Roams the Network

Snowden represents a new kind of rogue employee or contractor: a tech-savvy millennial armed with personal computers who can spirit away highly sensitive data. CIOs will have to deal with this threat sooner rather than later. The old thinking of relying on encryption to safeguard data just won't suffice in today's corporate computing environment.

The 29-year-old Snowden hatched a plan to swipe data from arguably one of the safest organizations on the planet. His age is significant because he's symbolic of today's millennial, a 20-something tech worker flooding corporations across the country. Millennials will make up the largest segment of the workforce by 2015, according to the U.S. Bureau of Labor Statistics.

Two-thirds of millennials assess their technology acumen as "cutting edge" or "upper tier," according to CompTIA. Snowden, who once described himself as a "computer wizard," not only gained access to sensitive data, he communicated with the media using encrypted email under the codename Verax.

For CIOs, the warning is clear: Your next rogue employee may be good at finding ways around your best-laid security plans.

Social Engineering and Tech Savvy a Dangerous Combo

While there's no questioning Snowden's technical chops-after all, he worked at contractor Booz Allen Hamilton as a computer specialist-Rubin doubts Snowden relied on technical skills alone to do what he did. Rather, Rubin believes Snowden employed social engineering tactics to gain access to computers and download data to thumb drives and, eventually, his personally owned computers.

"My guess is he went to NSA employees, said [he was there] to work on their computers and needed access to them, and gained their trust," Rubin says. "He may have even gone as far as telling them, 'You may get a notice on your screen that there's some sort of intrusion, but that's just me so don't be alarmed.'"

The idea that Snowden probably used his personal computers and thumb drives should also be alarming to CIOs, especially in the age of BYOD, says Rubin. With BYOD, mobility and cloud storage services such as Dropbox now common, the chances of corporate data leaking out is higher than ever.

In fact, one of Beachhead's customers recently reversed its BYOD policy because of the security risks. If an employee now wants an iPad, for instance, the company will buy and manage it instead of allowing the iPad to be a part of a BYOD program. They're saying, We don't feel we have our act together to really allow this," Rubin says.

Encryption Is Not Enough

Another lesson CIOs can learn from Snowden is the need for multi-layer security, or automatic triggers for wiping data. Many companies rely on encryption to keep their data safe, yet once a rogue employee gains the password, encryption is worthless.

Rubin says the Snowden case highlights the need for triggers that eliminate data beyond a geo-fence or after a certain number of incorrect logins or amount of time.

Also, companies might want to look into multi-factor authentication and data access controls to prevent rogue workers like Snowden from seeing data in the first place, Rubin says.

Given Snowden's ability to steal from the NSA, coupled with the rise of both the tech-savvy millennial and BYOD, CIOs are sensing a loss of control over corporate data.

"It's happening too fast," says Rubin. "I think companies are a little paralyzed."

Tom Kaneshige covers Apple, BYOD and Consumerization of IT forÃ'Â CIO.com. Follow Tom on Twitter @kaneshige. Follow everything from CIO.com on Twitter @CIOonline, Facebook, Google + andÃ'Â LinkedIn. Email Tom at tkaneshige@cio.com

Read more about security in CIO's Security Drilldown.