Everywhere I’ve worked I’ve recommended background checks on employees along with drug screens and a robust set of policies and procedures. 

It’s not the most fun thing to do.  I generally dislike a lot of policy and procedure.  It’s annoying and it sets a tone I don’t really like.  However, take a look at the security breach at LendingTree and you’ll see why these things are necessary.

In short, employees from the company gave their passwords to unscrupulous individuals who then accessed account data of clients using the service.

This is a tough hacker approach to defend against.  Offer someone enough money and they are likely to be willing to do most anything.  How much for info on Britney Spears’ medical records?  How much for a photo of a celebrity’s kids?  How much for a password?

You can’t control human behavior, but you can be aware of it.  If you run a shop with sensitive data and you hire people who have a criminal record, who carry huge debt, or who maybe take drugs, you increase the likelihood that those employees can be compromised via bribes or other approaches to illicit data access.

Performing background checks and drug screens helps weed out potential risks.  Having robust security measures, frequently changing passwords, and a termination workflow that makes sure account access is terminated in a timely fashion when an employee leaves the company all help ensure your data doesn’t become someone else’s data.

Routine review of access logs would also have helped catch the LendingTree problem more quickly.  If a user is suddenly accessing the system at all hours of the day, every day of the week, it’s a fairly sure sign that that user’s account has been compromised.
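Here’s what that kind of log review can look like in practice, as an added example (not code from the original post). It assumes a simple constructed log format of `timestamp user login ok`, business hours of 08:00–18:59 on weekdays, and flags any account whose share of off-hours logins crosses a threshold.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not real data): alice keeps office hours,
# bob's account starts logging in at night and on the weekend.
SAMPLE_LOG = """\
2008-05-12T09:14:02 alice login ok
2008-05-12T17:40:11 alice logout
2008-05-13T10:02:45 alice login ok
2008-05-14T08:55:13 alice login ok
2008-05-15T09:30:00 alice login ok
2008-05-12T09:00:00 bob login ok
2008-05-13T02:17:44 bob login ok
2008-05-13T23:48:09 bob login ok
2008-05-17T03:05:21 bob login ok
2008-05-18T04:12:37 bob login ok
"""

LINE_RE = re.compile(r"^(\S+) (\S+) login ok$")
BUSINESS_HOURS = range(8, 19)  # assumed: 08:00 through 18:59 local time


def parse_logins(log_text):
    """Return a list of (user, datetime) for each successful login line."""
    logins = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            logins.append((m.group(2), datetime.fromisoformat(m.group(1))))
    return logins


def is_off_hours(ts):
    """Weekend (Sat/Sun) or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def flag_off_hours_users(logins, threshold=0.5, min_logins=3):
    """Map user -> off-hours ratio for accounts over the threshold.

    min_logins avoids flagging someone on a single late-night login."""
    total, off = defaultdict(int), defaultdict(int)
    for user, ts in logins:
        total[user] += 1
        if is_off_hours(ts):
            off[user] += 1
    return {u: round(off[u] / n, 2) for u, n in total.items()
            if n >= min_logins and off[u] / n >= threshold}


if __name__ == "__main__":
    for user, ratio in flag_off_hours_users(parse_logins(SAMPLE_LOG)).items():
        print(f"{user}: {ratio:.0%} of logins outside business hours")
```

A flagged account is a lead to follow up on, not proof of compromise; on-call staff and legitimate night shifts will show up here too, so tune the window per role.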

A little bit of due diligence, however tedious or even slightly uncomfortable, can go a long way to ensuring that your data remains secure.