When it comes to internal security threats there are two types of employees -- those who mean to do it, and those who haven't a clue. Both are equally dangerous.
While delivering his keynote address at the IT Compliance Institute's conference on Monday, cybersecurity author Dan Verton said malicious or not, an IT organisation faces an uphill battle when it gets down to protecting its assets. Old-fashioned IT perimeter defenses have been rendered useless.
Verton, who authored The Insider: A True Story, said companies need to use technology to enforce security procedures that thwart malicious insiders and protect against threats from loyal employees who take a lax approach to policies.
When ignorance is not bliss
The criminal insiders' motivations are obvious, Verton said: They want to steal data.
Then there are the loyal but unaware employees who work around security policies and procedures, whether to get their jobs done faster or to download pornography, exposing the system to malicious code that could lead to a data breach.
According to Verton, malicious insiders often come from within a company's IT organisation -- something no CIO wants to hear but can no longer afford to ignore.
"There's a psychological aspect to these employees that you have to pay attention to," Verton said. "They are people who say, 'This company doesn't know what it's doing.' They feel they own your network. These are individuals who are ripe for when you go through downsizing or layoffs -- if they are on your list you have to put that into consideration when you're planning."
Verton said data must be protected even if it's behind a perimeter, such as a firewall. He said companies cannot rely on strict data access controls. Experts say a hardened perimeter security strategy is impossible to sustain.
"You have average users who are loyal, but they're handling data in such a way that it is distributed all over the enterprise unprotected." For instance, they may use Web-based email to send customers information about their accounts for expediency, even though the company may have a policy of sending such information through encrypted email. A virus or worm that penetrates an organisation's perimeter security can then harvest that data.
"It comes down to creating a culture of security," Verton said.
Verton said organisations need effective policies for security. This means identifying key data assets and authorised network systems and devices. They must document and publish their policies and procedures that govern access and acceptable use of data.
He said organisations must also routinely scan for rogue wireless access points or unauthorised software. They must restrict or actively monitor the use of Web email, FTP and instant messaging and automate antivirus updates, vulnerability scanning and patch deployment. He added companies should also identify and deactivate all unnecessary processes and automate detection of changes to security settings.
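The "restrict or actively monitor the use of Web email, FTP and instant messaging" control above is the one most easily automated from existing proxy or firewall logs. The following is an added example (not code from the article, from Verton, or from any vendor) that parses a constructed log format, classifies each outbound connection against a watch list, and marks large uploads for triage first. The log layout, the sample lines, the webmail domain list and the port-to-category map are all assumptions made for illustration; a real deployment would take the watch lists from the organisation's documented policy.

```python
"""Flag Web email, FTP and instant-messaging traffic in proxy/firewall logs.

Illustration of an "actively monitor" control for the insider-threat policy
described above. The log format, sample lines, webmail domain list and port
map are constructed for this example and are not an authoritative catalogue.
"""
import re
from collections import Counter

# Constructed log format: "<timestamp> <user> <src_ip> <dst_host>:<dst_port> <bytes_out>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<src>\S+)\s+"
    r"(?P<host>[^:\s]+):(?P<port>\d+)\s+(?P<bytes>\d+)$"
)

# Assumed watch lists; in practice these come from the published policy.
WEBMAIL_SUFFIXES = ("mail.example-webmail.com", "webmail.example.net")
PORT_CATEGORY = {21: "ftp", 5190: "im", 5222: "im", 1863: "im"}


def classify(host, port):
    """Return the policy category a connection falls into, or None if unwatched."""
    if any(host == s or host.endswith("." + s) for s in WEBMAIL_SUFFIXES):
        return "webmail"
    return PORT_CATEGORY.get(port)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_policy_hits(lines, large_upload_bytes=1_000_000):
    """Return one dict per connection in a watched category.

    Uploads at or above `large_upload_bytes` are marked so an analyst can
    look at the riskiest data movement first.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the monitor
        category = classify(rec["host"], rec["port"])
        if category is None:
            continue
        hits.append({
            "user": rec["user"],
            "host": rec["host"],
            "category": category,
            "large_upload": rec["bytes"] >= large_upload_bytes,
        })
    return hits


def summarize(hits):
    """Count flagged connections per (user, category) for a daily report."""
    return Counter((h["user"], h["category"]) for h in hits)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2006-10-02T09:14:05 jdoe 10.0.4.17 mail.example-webmail.com:443 2500000
2006-10-02T09:15:11 jdoe 10.0.4.17 www.example.com:443 5120
2006-10-02T09:16:40 asmith 10.0.4.22 ftp.partner.example:21 830000
2006-10-02T09:17:02 asmith 10.0.4.22 im.example.org:5222 412
garbage line that does not match
2006-10-02T09:18:30 jdoe 10.0.4.17 webmail.example.net:443 1024
""".splitlines()

if __name__ == "__main__":
    hits = find_policy_hits(SAMPLE_LOG)
    for h in hits:
        flag = " LARGE UPLOAD" if h["large_upload"] else ""
        print(f"{h['user']:8} {h['category']:8} {h['host']}{flag}")
    for (user, cat), n in sorted(summarize(hits).items()):
        print(f"{user}: {n} {cat} connection(s)")
```

The point of the per-user summary is the cultural one the article makes: most hits will come from loyal staff who simply find Web mail convenient, so the output is better used to target awareness and policy reminders than as evidence of malice, while the large-upload flag gives the security team a short list worth a closer look.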
An IT executive for the security department of a major U.S. retailer, who asked not to be identified, said the loyal insider as a security threat is a growing problem. He said such people have become just as common as insiders with malicious intent.
"The fact that technology has become so ingrained into business and people use the technology as part of their everyday work habits, they don't think about what they are doing … such as sending an email to a vendor with sensitive information in it," the executive said.
The executive said awareness is the key to cutting down on nonmalicious threats. "The only way to do that from an IT standpoint is to set out clearly what is right and wrong. This is what our company considers public and private, and here are some best practices to adhere to."
Shamus McGillicuddy, News Writer
This was first published in October 2006