The perception for many organisations from the publicity and “noise” devoted to viruses and hacking is that most threats to IT security are from external sources. Yet in reality the threat is much greater from inside the organisation.
The majority of computer network vulnerability comes from a company’s own employees – either by accident or through malice.
As shown in the SME Audit, organisations, perhaps like yours, with one to 49 staff and with 50 to 199 staff, are more concerned about the external threats from viruses and hackers than about those posed by insiders.
According to the CERT Co-ordination Centre at Carnegie Mellon University in the US, an “insider intrusion” is any compromise of a network, system or database that is committed by someone who has – or used to have – legitimate access to the network, system or data. Such “insiders” can include current and former employees, part-time employees, business partners, consultants and contractors.
How big is this insider problem? The 2003 Computer Crime and Security Survey, compiled by the Computer Security Institute and the FBI, found that 62% of respondents reported a security incident involving an insider, up from 57% in 2002.
Misuse and abuse
Potential threats come from various sources, and threats coming from inside your organisation can be especially costly because the perpetrator has greater access and insight as to where sensitive and important data resides.
Insider threats can include misuse and abuse of critical and sensitive data and computing assets. Whether it is a deliberate act of sabotage initiated by a disgruntled employee, or an innocent mistake made by a well-meaning worker who has an inappropriate level of access to a critical system, the impact caused by compromised, stolen, damaged, or deleted data can be considerable.
A study released earlier this year by Novell, Stanford University and Hong Kong University offered the following examples of insider threats:
- An employee at an investment bank – now working for a competitor – was able to access her voicemail months after she had left, giving her access to internal banking announcements.
- A temp at a software company was able to create an account by merely calling a secretary, allowing the temp the ability to edit and download the company’s sales-lead database.
- According to survey respondents, it is common to share passwords among users for even the most critical systems, such as ERP applications.
Peter Scargill, national IT chairman at the Federation of Small Businesses, is acutely aware that a lot of companies of your size simply lack the experience to contend with the onslaught of technology. Most do not have an IT specialist, let alone an IT department. Software updates, particularly operating system updates and antivirus definitions, are a real issue for smaller firms because of the time, effort and cost of keeping up to date.
If you are a larger organisation using IT, such updates are part of the job. But, Scargill suggests, if computers are “simply black boxes you use to get the job done, you could be forgiven for wondering why there seems to be an ‘urgent’ update almost every day”.
And yet there is a need for security policies – often driven by an IT department – if the organisation is not to face an internal threat.
So, just as you should plan for disaster recovery and back up your data, you should equally make a realistic assessment of the main threats to your business and plan around them.
According to Wendy Grossman’s book, The Daily Telegraph Small Business Guide to Computer Networking: “If the entire amount of data a competitor would need to copy and undermine your business would fit on a floppy disk or portable storage device, and that data is accessible from anywhere on your network, and your networked machines have no passwords and are accessible to anyone wandering in, then you have more urgent concerns than hackers on the Internet.”
Remember, a disaffected employee – and everyone has had disaffected employees at some time – could walk out of your building with enough data to cause your firm huge problems.
Physical security is too often overlooked. Most people leave their workstations and wander off around the building while still logged on to the network. That means anyone who wants it has access to the corporate network.
Many organisations also make the mistake of granting new employees access to all areas of the network and then removing the rights to areas they don’t use. Ideally, the opposite policy should apply: close all access to your network and open up only those areas that the employee will need.
To gauge what is at stake when data is accessed internally, it is worth considering what sort of data is stored on computers within your organisation, and how important that data is. This includes customer databases, orders, invoices, employee information and employee medical records.
All this data can be stolen simply by copying, and you will probably have no idea what’s gone until it’s used against you. Such theft of data is not easily detectable, so prevention is better than cure. So, how can you protect yourself from insider threats?
1 Create an effective security policy. This applies as much to smaller companies as to larger ones. Make sure all users are aware of the policy, and educate them about the risks involved in allowing others to have access to their accounts and passwords. Alert them to the dangers of “social engineering”, whereby intruders seek to gain access to information by preying on users’ lack of suspicion, such as email that purports to be from a friend and is accompanied by an attachment containing a virus. The recent increase in “spyware” – software that covertly gathers and transmits data about a machine’s usage – demonstrates that no computer linked to the Internet is immune.
2 Make sure employees get access only to the data and systems they need access to. This may sound basic, but it’s not unusual for employees to have 10 to 20 times more access to resources than they need to do their jobs.
3 If “trusted relationships” with outside contractors call for them to access your network, make sure the access is designated only for the specific services required. You can even provide contract and temporary workers with network accounts that have automatic ‘stop dates’, after which they cease to function.
4 Establish a thorough, documented procedure for handling the way employees’ employment is ended. A good policy should state clearly how to disable employees’ access to information systems. The Novell/Stanford/Hong Kong University study found that nearly half of companies surveyed take longer than two days – perhaps up to two weeks – to revoke the network access of terminated employees.
5 Enforce your policy. Once a security policy is in place, you must ensure the policy is being followed, and any security violations investigated so that they do not recur.
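One way to check that the “stop dates” in point 3 and the two-day revocation target in point 4 are actually being applied is to audit an export of network accounts. The script below is an added example, not part of the original article; it assumes a constructed account export in the record format shown and a hypothetical audit date.

```python
"""Account-hygiene audit for temporary and departed users.

Added example (not the article's own material). It checks a constructed
export of network accounts for two insider-risk failure modes described in
the article: temp/contractor accounts left enabled past their agreed stop
date, and leavers whose access was not revoked within two days.
"""
from datetime import date

# Constructed sample export (not real data): one record per network account.
ACCOUNTS = [
    {"user": "jsmith",  "type": "employee",   "enabled": True,  "stop_date": None,         "left_on": None},
    {"user": "tempa",   "type": "temp",       "enabled": True,  "stop_date": "2003-11-15", "left_on": None},
    {"user": "contr1",  "type": "contractor", "enabled": False, "stop_date": "2003-10-01", "left_on": None},
    {"user": "leaver1", "type": "employee",   "enabled": True,  "stop_date": None,         "left_on": "2003-11-20"},
    {"user": "leaver2", "type": "employee",   "enabled": True,  "stop_date": None,         "left_on": "2003-12-01"},
]

MAX_REVOKE_DAYS = 2  # the article's target: revoke a leaver's access within two days


def _parse(iso):
    """ISO date string -> date, or None when the field is empty."""
    return date.fromisoformat(iso) if iso else None


def expired_temporary_accounts(accounts, today_iso):
    """Accounts still enabled after their stop date, as (user, days_overdue).

    If an account has a stop date but still works, automatic expiry is
    either not configured or not being enforced."""
    today = date.fromisoformat(today_iso)
    out = []
    for a in accounts:
        stop = _parse(a["stop_date"])
        if a["enabled"] and stop is not None and today > stop:
            out.append((a["user"], (today - stop).days))
    return sorted(out)


def overdue_leaver_accounts(accounts, today_iso, max_days=MAX_REVOKE_DAYS):
    """Leavers whose account is still enabled more than max_days after leaving."""
    today = date.fromisoformat(today_iso)
    out = []
    for a in accounts:
        left = _parse(a["left_on"])
        if a["enabled"] and left is not None and (today - left).days > max_days:
            out.append((a["user"], (today - left).days))
    return sorted(out)


if __name__ == "__main__":
    AUDIT_DATE = "2003-12-02"  # constructed audit date matching the sample
    print("enabled past stop date:", expired_temporary_accounts(ACCOUNTS, AUDIT_DATE))
    print("leavers not revoked in time:", overdue_leaver_accounts(ACCOUNTS, AUDIT_DATE))
```

Anything the two functions return is a policy violation to act on: disable the account, then find out why expiry or the leaver procedure did not fire.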
Martin Smith, managing director of The Security Company, believes that to counter internal threats, which can range from simple mischief-making to “white-collar sabotage” or fraud and industrial espionage, companies must create an “anti-fraud culture”, led from the top, and with contingency plans in place for fraud and security incidents. “You should accept that it could happen to you. But you can minimise the likelihood of that by analysing risks, identifying your most valuable assets, establishing routines at the end of work to ensure all office equipment is locked and secured, understanding that insiders are the greatest threat, specifying controls, allocating responsibilities and by enforcing and monitoring security.”
Where to go for more information
BT
Martin Pang, ICT marketing manager at BT, suggests many companies like yours don’t have a clear IT strategy, and you may only adopt technology when pushed. To help, BT offers a range of services, including data back-up (Datasure), and an Internet Security Pack featuring anti-virus updates and a personal firewall. You can find out more by visiting www.bt.com/sme.
Federation of Small Businesses (FSB)
Peter Scargill, national IT chairman at the FSB, believes that viruses remain a worry for most SMEs, and though you may well be equipped to handle them, you may not understand why you might be affected, or how viruses and anti-virus software work. The FSB offers a series of Internet security and data back-up services, such as xdrive. See www.fsbinternet.co.uk
Institute of Directors (IoD)
Jonathan Cummings, director of e-business at the Institute of Directors, suggests e-business adoption means users are often not in control of the boundaries of their systems, and are consequently more vulnerable. The IoD’s policy focus is to make its members aware of threats, including internal ones, and not demonstrate a “couldn’t happen to me” attitude. The tendency of small businesses to share experiences and learn from each other is useful, he believes. Visit www.iod.com for Directors’ Briefing policy advice on issues such as Internet Security, E-mail Policies and IT Disaster Prevention.
Symantec’s US site – www.symantec.com/smallbiz/library/insider.html – offers sound advice on inside threats.
Microsoft offers a series of Small Business products at http://www.bcentral.com/products/
Wendy Grossman’s book, The Daily Telegraph Small Business Guide to Computer Networking, is available from www.amazon.co.uk
This was first published in December 2003