The SME Audit findings show that security problems are as much internal as they are external. What are the latest security threats that you should be aware of? What can you do to prevent them from affecting your business? David Bicknell reports.
The perception for
many organisations from the publicity and “noise” devoted to
viruses and hacking is that most threats to IT security are from
external sources. Yet in reality the threat is much greater from
inside the organisation.
The majority of
computer network vulnerability comes from a company’s own employees
– either by accident or through malice.
As shown in the
SME Audit, organisations, perhaps like yours, with one to 49 and
50-199 staff, are more concerned about the external threats from
viruses and hackers than those posed by insiders.
According to the
CERT Co-ordination Centre at Carnegie Mellon University in the US,
an “insider intrusion” is any compromise of a network, system or
database that is committed by someone who has – or used to have –
legitimate access to the network, system or data. Such “insiders”
can include current and former employees, part-time employees,
business partners, consultants and contractors.
How big is this
insider problem? The 2003 Computer Crime and Security Survey,
compiled by the Computer Security Institute and the FBI, found that
62% of respondents reported a security incident involving an
insider, up from 57% in 2002.
Misuse and abuse
Potential threats
come from various sources, and threats coming from inside your
organisation can be especially costly because the perpetrator has
greater access and insight as to where sensitive and important data
resides.
Insider threats
can include misuse and abuse of critical and sensitive data and
computing assets. Whether it is a deliberate act of sabotage
initiated by a disgruntled employee, or an innocent mistake made by
a well-meaning worker who has an inappropriate level of access to a
critical system, the impact caused by compromised, stolen, damaged,
or deleted data can be considerable.
A study released
earlier this year by Novell, Stanford University and Hong Kong
University, offered the following examples of insider threats:
- An employee at an investment bank – now working for a
competitor – was able to access her voicemail months after she had
left, giving her access to internal banking announcements.
- A temp at a software company was able to create an account by
merely calling a secretary, allowing the temp the ability to edit
and download the company’s sales-lead database.
- According to survey respondents, it is common to share
passwords among users for even the most critical systems, such as
ERP applications.
Peter Scargill,
national IT chairman at the Federation of Small Businesses, is
acutely aware that a lot of companies of your size simply lack the
experience to contend with the onslaught of technology. Most do not
have an IT specialist, let alone an IT department. Software
updates, particularly operating system updates, or antivirus
definitions, are a real issue with smaller firms because of the
time and effort required, not to mention the cost, of keeping
up-to-date.
If you are a
larger organisation using IT, such updates are part of the job.
But, Scargill suggests, if computers are “simply black boxes you
use to get the job done, you could be forgiven for wondering why
there seems to be an ‘urgent’ update almost every day”.
And yet there is a
need for security policies – often driven by an IT department – if
the organisation is not to face an internal threat.
So, just as you should plan for disaster recovery and back up your data, you should equally make a realistic assessment of the main threats to your business and plan around them.
According to Wendy Grossman’s book, The Daily Telegraph Small Business Guide to Computer Networking: “If the entire amount of data a competitor would need to copy and undermine your business would fit on a floppy disk or portable storage device, and that data is accessible from anywhere on your network, and your networked machines have no passwords and are accessible to anyone wandering in, then you have more urgent concerns than hackers on the Internet.”
Remember, a
disaffected employee – and everyone has had disaffected employees
at some time – could walk out of your building with enough data to
cause your firm huge problems.
Physical security
is too often overlooked. Most people leave their workstations and
wander off around the building while still logged on to the
network. That means anyone who wants to has access to the corporate
network.
Many organisations
also make the mistake of granting new employees access to all areas
of the network and then remove the rights to areas they don’t use.
Ideally, the opposite policy should apply. Close all access to your
network and open up only those areas that the employee will
need.
As an indication
of what happens when data is accessed internally, it is worth
considering what sort of data is stored on computers within your
organisation, and how important that data is. This includes
customer databases; orders; invoices; employee information; and
employee medical records.
All this data can
be stolen simply by copying, and you will probably have no idea
what’s gone until it’s used against you. Such theft of data is not
easily detectable, so prevention is better than cure. So, how can
you protect yourself from insider threats?
1. Create an effective security policy. This applies equally to smaller companies as larger ones. Make sure all users are aware of the policy, and educate them about the risks involved in allowing others to have access to their accounts and passwords. Alert them to the dangers of “social engineering”, whereby intruders seek to gain access to information by preying on users’ lack of suspicion, such as email that purports to be from a friend, and is accompanied by an attachment containing a virus. The recent increase in “spyware” – software that covertly gathers and transmits data about a machine’s usage – demonstrates that no computer linked to the Internet is immune.

2. Make sure employees get access only to the data and systems they need access to. This may sound basic, but it’s not unusual for employees to have 10 to 20 times more access to resources than they need to do their jobs.

3. If “trusted relationships” with outside contractors call for them to access your network, make sure the access is designated only for the specific services required. You can even provide contract and temporary workers with network accounts that have automatic ‘stop dates’, after which they cease to function.

4. Establish a thorough, documented procedure for handling the way employees’ employment is ended. A good policy should state clearly how to disable employees’ access to information systems. The Novell/Stanford/Hong Kong University study found that nearly half of companies surveyed take longer than two days – perhaps up to two weeks – to revoke the network access of terminated employees.

5. Enforce your policy. Once a security policy is in place, you must ensure the policy is being followed, and any security violations evaluated to ensure no events recur.
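As an added example (not from the article or any product it mentions), a small audit script that applies points 3, 4 and 5 to a constructed list of accounts: it flags contractor accounts with no stop date or still enabled after it, and leavers whose access is still enabled more than two days after their leaving date, the figure the study above cites. The record layout is an assumption; a real review would pull these fields from your directory or HR system.

```python
from datetime import date, timedelta

# Constructed sample records (hypothetical, for illustration only).
# Contractors carry a "stop" date; employees carry a "left" date once
# their employment has ended (None while still employed).
ACCOUNTS = [
    {"user": "a.smith",    "type": "employee",   "enabled": True,  "left": None},
    {"user": "b.jones",    "type": "employee",   "enabled": True,  "left": date(2024, 3, 1)},
    {"user": "c.temp",     "type": "contractor", "enabled": True,  "stop": date(2024, 2, 15)},
    {"user": "d.consult",  "type": "contractor", "enabled": False, "stop": date(2024, 1, 31)},
    {"user": "e.contract", "type": "contractor", "enabled": True,  "stop": None},
    {"user": "f.brown",    "type": "employee",   "enabled": True,  "left": date(2024, 3, 9)},
]

# The article's benchmark: access should be gone within two days of leaving.
REVOKE_WITHIN = timedelta(days=2)


def review_accounts(accounts, today):
    """Return a list of (user, reason) findings for accounts that should
    have been disabled but are still live, or that lack a stop date."""
    findings = []
    for acct in accounts:
        if acct["type"] == "contractor":
            stop = acct.get("stop")
            if stop is None:
                # Point 3: every contract/temp account needs a stop date.
                findings.append((acct["user"], "contractor account has no stop date"))
            elif acct["enabled"] and today > stop:
                days = (today - stop).days
                findings.append((acct["user"], f"still enabled {days} days past stop date"))
        elif acct["type"] == "employee":
            left = acct.get("left")
            if left is not None and acct["enabled"] and today - left > REVOKE_WITHIN:
                # Point 4: leavers' access must be revoked promptly.
                days = (today - left).days
                findings.append((acct["user"], f"access not revoked {days} days after leaving"))
    return findings


if __name__ == "__main__":
    # Point 5: run the review on a schedule and act on what it reports.
    for user, reason in review_accounts(ACCOUNTS, date(2024, 3, 10)):
        print(f"{user}: {reason}")
```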
Martin Smith,
managing director of The Security Company, believes that to counter
internal threats, which can range from simple mischief-making to
“white-collar sabotage” or fraud and industrial espionage,
companies must create an “anti-fraud culture”, led from the top,
and with contingency plans in place for fraud and security
incidents. “You should accept that it could happen to you. But you
can minimise the likelihood of that by analysing risks, identifying
your most valuable assets, establishing routines at the end of work
to ensure all office equipment is locked and secured, understanding
that insiders are the greatest threat, specifying controls,
allocating responsibilities and by enforcing and monitoring
security.”
Where to go for more information
BT
Martin Pang, ICT marketing manager at BT, suggests many companies like yours don’t have a clear IT strategy, and you may only adopt technology when pushed. To help, BT offers a range of services, including data back-up (Datasure), and an Internet Security Pack featuring anti-virus updates and a personal firewall. You can find out more by visiting www.bt.com/sme.
Federation of Small Businesses (FSB)
Peter Scargill, National IT Chairman at the FSB, believes that viruses remain a worry for most SMEs, and though you may well be equipped to handle them, you may not understand why you might be affected, or how viruses and anti-virus software work. The FSB offers a series of Internet security and data back-up services, such as xdrive. See www.fsbinternet.co.uk
Institute of Directors (IoD)
Jonathan Cummings, director of e-business at the Institute of Directors, suggests e-business adoption means users are often not in control of the boundaries of their systems, and are consequently more vulnerable. The IoD’s policy focus is to get its members aware of threats, including internal ones, and not demonstrate a “couldn’t happen to me” attitude. The tendency of small businesses to share experiences and learn from each other is useful, he believes. Visit www.iod.com for Directors’ Briefing policy advice on issues such as Internet Security, E-mail Policies and IT Disaster Prevention.
Symantec’s US site –
www.symantec.com/smallbiz/library/insider.html
– offers sound advice on inside threats.
Microsoft offers a series of Small Business
products at
http://www.bcentral.com/products/
Wendy
Grossman’s book, The Daily Telegraph Small Business Guide
to Computer Networking, is available from
www.amazon.co.uk