He greeted me with lots of enthusiasm as he opened the office door for me to come in. I hardly noticed him and did not even respond to his greeting. I knew I had a busy day ahead of me, and who really cares about a janitor anyway? I was focused on the report I had received about a leak of confidential data in our organization. The thoughts in my head went like this:
- “We need a new Data loss prevention (DLP) system and that would cost us so much. How will I convince senior management that the expense is justifiable?”
- “This is definitely an insider attack, possibly sponsored by one of our competitors in the pharma industry. I can think of a few names, but how in the world can we prove anything?”
- “I am sure it’s someone from R&D who has been orchestrating the data exfiltration using steganography, instant messaging, or some other covert channel. We must search the attached files in all emails sent out from the R&D department, but that would take so much time and so many resources that we cannot accommodate it in this year’s budget.”
These were some of the thoughts floating in my mind as I walked past the janitor. Who would blame me for not paying any attention to him with all that I had going on? How is a janitor important to our organization with all that we have to deal with? Maybe taking out some trash would reduce the smell from the basement, but who goes to the company’s basement anyway?
Who is the janitor?
Harry, the janitor, had worked for our company for about five years, and he knew everyone in the R&D department by name. He held the door for them (he had physical access to the room where the systems holding critical data were located).
He sometimes got them coffee, and when the R&D team left on lunch break, he was there in their offices cleaning up (he had physical access to the systems).
Harry was more powerful and influential in our company than I thought.
There was a denial-of-service attack against one of our major databases, so the incident response team, working with an external security subject matter expert, chose to review the logs and the CCTV footage. They saw Harry going through the trash in the R&D department, taking pictures of documents and putting some papers in his pockets as he was throwing out the trash.
We had never paid much attention to the dangers of dumpster diving or shoulder surfing in our organization.
It turned out that the janitor whom I had neither respected nor thought much about had cost our company thousands of dollars.
We had to pay for an external penetration test, which cost about $70,000. The report from the test revealed gaps in our access controls for critical systems, and the recommendations cost us an additional $120,000 to implement.
You should pay more attention to your janitors; you don’t know which one might be another Harry.