

Careless staff can pose a real danger to company
networks. John Kavanagh finds that solutions range from
educating users to drastic restrictions on their internet
access
IT departments are spending fortunes to stop outsiders getting
into their systems, but the biggest threat actually comes from
people already inside: their own staff. This is highlighted by the
Department of Trade and Industry’s Information Security Breaches
Survey 2006, which shows that viruses – typically introduced by
staff through a mouse click – are the biggest cause of reported
security incidents, followed by staff accessing inappropriate
websites or surfing to excess in company time.
The good news is that there is a wealth of technology and human
procedures to help beat the problem – but the bad news is that most
companies seem to be turning a blind eye to the issues.
Criminal insiders are only a small part of the internal threat:
the DTI survey and other research show that the problem is mostly
down in one way or another to staff making personal use of the
internet. Experts point out that such use puts the company’s
network and systems at risk of virus infections, spyware and other
attacks, wastes company time and resources, and potentially opens
the organisation to lawsuits across a wide range of areas.
Much of the problem stems from human nature and ignorance,
rather than from a desire to defraud. “Huge numbers of people kept
infecting themselves over and over with a virus while trying to see
a racy picture of tennis star Anna Kournikova that they thought
they had received by e-mail,” said Pat Dunne, a director of
security specialist Trend Micro.
Trend Micro’s research shows that 45% of UK users are not
worried about security “because it is not my equipment”. A European
survey of 1,500 professional staff by anti-virus software
specialist McAfee found that 62% “do not have a clue about IT
security”.
Such attitudes and ignorance are increasingly dangerous as users
become more mobile and sophisticated, and technology emerges that
makes them more productive but demands greater awareness of
security issues.
Portable data devices are a threat here. “As remote working
becomes increasingly common and office and personal gadgetry grows
– look at the proliferation of iPods – organisations face a
security loophole,” said Andy Burton, chief executive of security
company Centennial Software.
“Our research shows that 89% of employees connect a portable
device to their company network at least once a week – and more
than half of UK businesses have no controls to manage the use of
removable media devices.”
People have been tricked into using an apparently abandoned USB
stick loaded with a “friendly” Trojan by penetration testing company
SecureTest: the software sent a message to the company but could
have been a malicious virus. People in the security-conscious
financial services industry loaded CDs handed out in the City of
London in an exercise by training company The Training Camp,
despite clear warnings printed on the CDs to check company
guidelines before loading.
Instant messaging and web conferencing are also highlighted as
threats as users latch on to the potential of the internet. More
than 40% of UK users surveyed by web security specialist SmoothWall
make private use of instant messaging while at work, and 61% use
private Hotmail accounts.
More than 33% of people questioned by SmoothWall knew of porn
being downloaded in their organisation and more than 30% said they
downloaded music at work, to company equipment. Well over 20% spent
more than an hour a day of work time on non-work web surfing – via
the company network.
The legal risks alone of such staff activity are highlighted by
Struan Robertson, senior associate at IT law firm Pinsent Masons.
They include possible copyright infringement if software, images,
music and other material are downloaded from the web, sexual
harassment claims from staff because of downloaded pornography,
criminal action on illegal images such as child pornography, and
staff claims of racism or bullying via e-mail.
Careless use of e-mail can cause problems, even if that use is
apparently legitimate. Robertson said, “E-mail is less formal than
a letter and sometimes little or no thought is given to
confidentiality and security before clicking ‘send’. But the
employer will be liable for any casual contract undertakings,
inaccurate statements and defamation.”
Experts say all these different internal threats to IT security
– and company reputation – whether deliberate, accidental,
unthinking or through ignorance, can be countered by common
methods, which boil down to three broad categories: education,
enforced policy, and technology to ensure that policy is
followed.
“Companies should offer continuous training and awareness
programmes for all employees on steps they can take to minimise the
risk of security threats,” said Paul King, senior security adviser
at network specialist Cisco UK.
“Cisco staff are regularly asked to watch videos of just five to
10 minutes that explain measures they can take. As the sessions are
very short, staff are happy to take part, and they tend to act on
the information.”
King suggested that organisations can also have great success in
using computer games to engage employees with subject matter that
might otherwise seem dry. This can be a great way to get IT
security training into busy employees’ schedules.
King said, “Keeping your company secure is not only the task of
the IT manager, the firewall or the intrusion prevention system –
it is also down to the individual.”
Companies are increasingly introducing a formal policy, covering
acceptable personal use of the internet in particular. The number
of UK companies with acceptable use policies has grown 150% in two
years, according to the DTI survey, and 89% of large companies and
63% of all companies now have one.
“If employees have no rules or guidelines they will form their
own views of what is and is not permissible,” said Robertson. “This
makes it difficult for the employer to achieve a united approach,
to maintain security and to take disciplinary action if
necessary.”
Robertson recommended that companies decide the extent to which
employees can use the internet and e-mail for personal purposes,
and then set down the parameters clearly and specify the
consequences of misuse.
There are different views on these parameters. Pornography can
bring an employer problems in sexual harassment claims, but should
access to sports sites be banned during the football World Cup or
an England cricket test series to stop staff wasting company time?
How about shopping sites, holiday sites, gambling services, Hotmail?
Some experts suggest allocating a fixed amount of storage for legal
personal use, or limiting access to Hotmail and other selected
sites to half an hour at lunchtime.
Some talk of a company culture of trusting staff and expecting
trust in return. Others take an opposite hard line.
“You can’t always rely on people’s trust and loyalty,” said
Jason Creasey, head of research at user organisation the
Information Security Forum. “For some employees the person they
trust the least is their managing director, and they may not care
if he goes to prison or if the company loses money.”
Companies should strictly enforce their policies or totally
restrict personal use, said SmoothWall managing director George
Lungley. He said, “Our research shows that companies are not
enforcing internet usage policies. We recommend locking down
corporate networks to all but essential business applications and
strictly controlling access to non-work-related websites during
working hours, to ensure legal compliance, avoid time wasting and
prevent the risk of malicious spyware and virus infections.”
Monitoring can actually benefit staff, said Denis Zenkin, a
director of InfoWatch, which specialises in protecting networks
from internal threats. He said, “Employees can be reassured that
the company they work for is safeguarded against confidential leaks
and hence possible damage to its reputation or financial loss – and
that protects jobs. Monitoring can also protect employees against
false accusations.”
Even though most companies now have policies, only a minority
enforce them, according to the DTI study. More than 40% of the
worst security incidents involved staff accessing inappropriate
sites, yet 60% of companies do not block access to such sites. Only
17% scan outgoing e-mails for inappropriate content.
Products in these and other areas are now readily available, and
others are emerging. There are products to monitor individual staff
access to websites and to block access to specified categories of
sites, such as pornography and weapons.
Pornography can be detected and blurred beyond use. E-mail
content, including attachments, can be scanned. Products can keep
check on who sends and receives large numbers of e-mails, monitor
instant messaging, restrict the use of portable data storage
devices and scan networks for new devices and software. Password
management can help keep check on “superusers” such as
administrators with blanket access, or temporary staff or people
who have left the company.
Protection at data and application levels, right down to
individual SQL statements, is emerging from some start-up
companies, including a UK company called Secerno, which is building
on research carried out by Oxford University.
“There are myriad software products available,” said Creasey.
“The answer is not to rely on policy alone, but to take away much
of the control from the user.”
King added, “The enemy within is unlikely to be a masked
assassin or a cybercriminal mastermind, but an ordinary user who
takes down the network with a simple click on an e-mail
attachment.”
Case study: Boots keeps tabs on clinical data
Pharmaceuticals firm Boots Healthcare International is a
Documentum customer. Using Documentum, BHI is able to create,
compile and share dossiers around its various teams without
compromising security.
In order for its products to be licensed for sale within the
European Union, BHI is obliged to submit a dossier of detailed
pharmaceutical and clinical information about the products to
national regulators. Those dossiers can consist of anything from
one folder, to tens of thousands of pages, depending on whether the
product is a new formulation or a modification of an existing
drug.
Using Documentum, BHI can restrict access to documents by
project teams, providing authors with write access but restricting
reviewer privileges. Previously, documents might be stored on the
network, on local hard drives and even on floppy discs.
By improving the document auditing process, BHI can not only
manage document versions, but also keep track of who has reviewed
and approved each document.
“There might be different versions of dossiers for different
markets, and we need to know who has had what version and what they
have done to it,” said Mark Clinton, who handled the Documentum
implementation for BHI’s Department of Regulatory Affairs.
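The access model the case study describes (project-team membership, authors with write access, reviewers limited to reading and approving, and a record of who has had which version of a dossier and what they did to it), as an added illustration in Python. This is not Documentum’s or BHI’s code; the role names, the project names and the dossier contents are constructed for the example.

```python
from datetime import datetime, timezone
# Constructed example, not Documentum's code: rights per role; authors may write,
# reviewers may only read and approve. Anything else is denied by default.
ROLE_RIGHTS = {"author": {"read", "write"}, "reviewer": {"read", "approve"}}

class DossierRepository:
    def __init__(self):
        self.projects = {}   # dossier name -> owning project team
        self.versions = {}   # dossier name -> list of contents (index i is version i+1)
        self.approvals = {}  # (dossier, version) -> set of approving reviewers
        self.members = {}    # (project, user) -> role
        self.audit = []      # append-only: (utc timestamp, user, action, dossier, version)

    def add_member(self, project, user, role):
        self.members[(project, user)] = role

    def _check(self, project, user, right):
        role = self.members.get((project, user))
        if right not in ROLE_RIGHTS.get(role, ()):
            raise PermissionError(f"{user} may not {right} in project {project}")

    def _log(self, user, action, name, version):
        self.audit.append((datetime.now(timezone.utc), user, action, name, version))

    def write(self, project, user, name, content):
        """Create a dossier or add a version; only the project's authors may do so."""
        self._check(project, user, "write")
        if self.projects.setdefault(name, project) != project:
            raise PermissionError(f"{name} belongs to project {self.projects[name]}")
        self.versions.setdefault(name, []).append(content)
        version = len(self.versions[name])
        self._log(user, "write", name, version)
        return version

    def read(self, user, name, version=None):
        self._check(self.projects[name], user, "read")
        version = version or len(self.versions[name])
        self._log(user, "read", name, version)
        return self.versions[name][version - 1]

    def approve(self, user, name, version):
        self._check(self.projects[name], user, "approve")
        if not 1 <= version <= len(self.versions[name]):
            raise ValueError(f"{name} has no version {version}")
        self.approvals.setdefault((name, version), set()).add(user)
        self._log(user, "approve", name, version)

    def history(self, name):
        """Who has had which version of a dossier, and what they did to it."""
        return [(u, a, v) for _, u, a, n, v in self.audit if n == name]
```

Denied actions raise before anything is logged, so the audit trail records only what actually happened to each version.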