NBN Co's poor document security enabled document leaks that could have been avoided

Despite repeated leaks over many years, NBN builder still couldn't trace source of politically embarrassing documents

Ongoing leaks of sensitive documents at national broadband network (NBN) builder NBN Co were avoidable and highlight systematic failures in internal document controls, document-security specialists have warned as the fallout continues after the company was forced to call in the Australian Federal Police (AFP) for assistance.

Last December NBN Co management – concerned about their inability to identify the source of ongoing damaging leaks of internal documents highlighting cost blowouts and unexpected problems in the $50b+ national broadband network (NBN) project – called in the AFP to help isolate the source of the leaks.

Subsequent raids on the offices of Labor senator Stephen Conroy and the homes of two party aides made front-page news and raised questions about the Turnbull government's management of the project. Coming in an election campaign as it did, the raids did little to allay the public's fears that the massive NBN rollout was deeply troubled.

But they also highlighted inadequate document-management security in the part of NBN Co, says e-Safe Systems director of projects Rizwan Mahmood. “Whenever any leak happens it's always the internal people taking the data out,” Mahmood told CSO Australia. “The destructive force of an internal leak is many times more powerful than if someone had just taken some of your emails – but 95 percent of security investment is to stop unauthorised users. The technology has to revolve around the authorised user, and around his behaviour – and security should follow the information.”

The company, whose document-security tools alert executives whenever any user tries to print, distribute, or even open documents, has seen strong interest since Mahmood opened its Australian arm earlier this year. More tellingly, a key part of its customer engagement – an initial audit of user behaviour to highlight internal document-usage trends – has shown that Australia is in line with international benchmarks that suggest companies see one incident of insider data theft per 100 employees per month. This included a case where the tool identified that one user was accessing large volumes of files.

When the behaviour was pointed out to company management, it was revealed that the employee was about to leave the company – and the behaviour stopped immediately. In a company the size of NBN Co – which has more than 3600 employees – these behaviour patterns would translate to 36 insider incidents per month. And, as company management found out, tracing these incidents can cause major issues not only for the company, but for political stakeholders that include government ministers and the prime minister himself.

Tools for improving document control need to be as inobtrusive as possible while tightly controlling and monitoring user behaviour, but can easily be integrated with the Microsoft SharePoint environment used in NBN Co and many other companies.

While e-Safe Systems relies on a plug-in that monitors document activity, secure-collaboration vendor Intralinks generates unique encryption keys for every enterprise file and embeds the security directly into the file – meaning that access to that file can be revoked at any time by deleting the key, even if the file is leaked outside the organisation.

It's the kind of security that has helped Intralinks build a niche business providing secure, cloud-based environments in which the myriad parties in complex merger and acquisition negotiations can share their documents. And by positioning the company's VIA service as a more-secure alternative to the emerging cloud-storage market, says field chief technology officer Daren Glenister, businesses can lock down and monitor access and use of any document in their organisation. ”When you send a document outside, you have no control over it,” he explains. “But especially when you're collaborating with third parties and contractors, you need to have the ability to do that securely. Because we embed security into the document, we can unshare it and revoke access to those documents.”

Such controls offer far tighter control over enterprise documents than NBN Co seems to have been able to enforce over its internal documents, which have been repeatedly leaked in the years since prime minister Malcolm Turnbull assumed control of the project in his previous role as communications minister.

Fallout from the AFP raids continued into this week and NBN Co was forced to issue a terse media statement about its compliance with AFP instructions during the raids. Company executives have remained quiet in the wake of the raids, however.

While two staff were subsequently stood down in relation to the leaks, their repercussions will re-emerge after the election as Parliament considers claims of Parliamentary privilege asserted over the documents. The NBN Co leaks are the latest in a string of breaches of weak corporate security – recent breaches at Bluescope Steel, Glaxo Smith Kline and 'Panama Papers' law firm Mossack Fonseca are the latest examples – have highlighted the importance of dealing with insider security threats, which remain a major issue for companies of all stripes.

CSOs should be developing and formalising plans for dealing with insider threats, experts advise as study after study shows that they remain a major concern across businesses of all types: one SANS Institute-SpectorSoft survey found that 74 percent of 772 IT security professionals were concerned about malicious employees. Reports suggest that insider threats are the leading cause of security issues in many companies, yet many organisations still aren't increasing the budget to deal with them despite an emerging consensus about the importance of document controls in limiting exposure.

“Let the information owner, who actually understands the value of the information, check what is going on,” Mahmood says. “Only then will they be able to stop it. There is a lot more understanding of this now, but people are looking for a solution. If people realise that there are now tools available to address these kinds of issues, the market will just open up.”

Join the CSO newsletter!

Error: Please check your email address.

Tags SANS Institutenbn coAFPSpectorSoftleaksdata protectioncyber securityNBNdocument leaksMalcolm Turnbulldocument management

More about Australian Federal PoliceCSOFederal PoliceIntralinksMicrosoftNBN CoSANS InstituteVIA

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Braue

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts