While delivering his keynote address at the IT Compliance Institute's conference, cybersecurity author Dan Verton said that, whether the insider threat is malicious or not, an IT organisation faces an uphill battle when it comes to protecting its assets. Old-fashioned IT perimeter defences, he argued, have been rendered useless.
"Your security programmes, policies and procedures are failing miserably and you don't know it," Verton told his audience. "You might be spending millions on perimeter defence, and you have no perimeter."
When ignorance is not bliss
The criminal insiders' motivations are obvious, Verton said: They want to steal data.
Then there are the loyal but unaware employees who work around security policies and procedures in an attempt to be more efficient, or who download pornography, exposing systems to malicious code that could lead to a data breach.
According to Verton, malicious insiders often come from within a company's IT organisation - something no CIO wants to hear but can no longer afford to ignore.
"There's a psychological aspect to these employees that you have to pay attention to," Verton said. "They are people who say, 'This company doesn't know what it's doing.' They feel they own your network. These are individuals who are ripe for when you go through downsizing or layoffs - if they are on your list you have to put that into consideration when you're planning."
Verton said data must be protected even when it sits behind a perimeter defence such as a firewall. He said companies cannot rely on strict data access controls. Experts say a hardened perimeter security strategy is impossible to sustain.
"You have average users who are loyal, but they're handling data in such a way that it is distributed all over the enterprise unprotected," Verton said. For instance, they may use web-based e-mail to send customers information about their accounts for expediency, even though the company may have a policy of sending such information through encrypted e-mail. A virus or worm that penetrates an organisation's perimeter security can then harvest that data.
"It comes down to creating a culture of security," Verton said.
Verton said organisations need effective policies for security. This means identifying key data assets and authorised network systems and devices. They must document and publish their policies and procedures that govern access and acceptable use of data.
He said organisations must also routinely scan for rogue wireless access points or unauthorised software. They must restrict or actively monitor the use of web e-mail, FTP and instant messaging and automate antivirus updates, vulnerability scanning and patch deployment. He added companies should also identify and deactivate all unnecessary processes and automate detection of changes to security settings.
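Two of the controls listed above, detecting unauthorised software and automating detection of changes to security settings, come down to the same mechanism: record an approved baseline, observe the current state, and diff the two. The script below is an added illustration of that baseline-and-diff approach, not code from the article or from Verton; the settings keys, the software allowlist and the "current" observation are constructed inline so it runs offline, and the presence of an unapproved FTP server is chosen to echo the article's point about restricting FTP.

```python
"""Baseline-and-diff drift detection for security settings and installed software.

Added example (not from the article or the speaker). All data below is constructed:
a real agent would collect CURRENT_SETTINGS and CURRENT_SOFTWARE from the host.
"""
import hashlib
import json
from dataclasses import dataclass, field

# Constructed baseline: the approved state of a host's security-relevant settings.
BASELINE_SETTINGS = {
    "firewall.enabled": "true",
    "firewall.default_inbound": "deny",
    "ssh.password_authentication": "no",
    "ssh.permit_root_login": "no",
    "audit.enabled": "true",
}

# Constructed allowlist of software permitted on this class of host.
ALLOWED_SOFTWARE = {"openssh-server", "auditd", "nftables", "antivirus-agent"}

# Constructed "current" observation, as a monitoring agent might report it.
CURRENT_SETTINGS = {
    "firewall.enabled": "true",
    "firewall.default_inbound": "allow",   # weakened from "deny"
    "ssh.password_authentication": "no",
    "audit.enabled": "true",               # ssh.permit_root_login has disappeared
    "ssh.x11_forwarding": "yes",           # new setting nobody reviewed
}
CURRENT_SOFTWARE = ALLOWED_SOFTWARE | {"ftp-server"}


def fingerprint(settings: dict) -> str:
    """Canonical SHA-256 of a settings map, so a baseline can be stored and
    compared cheaply before doing a key-by-key diff."""
    canonical = json.dumps(settings, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass
class DriftReport:
    changed: dict = field(default_factory=dict)   # key -> (baseline value, current value)
    removed: dict = field(default_factory=dict)   # key -> baseline value
    added: dict = field(default_factory=dict)     # key -> current value
    unauthorised_software: set = field(default_factory=set)

    @property
    def clean(self) -> bool:
        return not (self.changed or self.removed or self.added or self.unauthorised_software)


def detect_drift(baseline: dict, current: dict, allowed: set, installed: set) -> DriftReport:
    """Diff current settings against the baseline and installed software against the allowlist."""
    report = DriftReport()
    # Fast path: identical fingerprints mean the settings have not drifted at all.
    if fingerprint(baseline) != fingerprint(current):
        for key, base_val in baseline.items():
            if key not in current:
                report.removed[key] = base_val
            elif current[key] != base_val:
                report.changed[key] = (base_val, current[key])
        for key in current.keys() - baseline.keys():
            report.added[key] = current[key]
    report.unauthorised_software = set(installed) - set(allowed)
    return report


def format_report(report: DriftReport) -> list:
    """Render one human-readable line per finding, suitable for a ticket or SIEM event."""
    lines = []
    for key, (old, new) in sorted(report.changed.items()):
        lines.append(f"CHANGED {key}: {old!r} -> {new!r}")
    for key, old in sorted(report.removed.items()):
        lines.append(f"REMOVED {key} (baseline was {old!r})")
    for key, new in sorted(report.added.items()):
        lines.append(f"ADDED   {key} = {new!r} (not in baseline)")
    for pkg in sorted(report.unauthorised_software):
        lines.append(f"UNAUTHORISED SOFTWARE {pkg}")
    return lines or ["no drift detected"]


def audit_constructed_host() -> DriftReport:
    """Run the check over the constructed observation above."""
    return detect_drift(BASELINE_SETTINGS, CURRENT_SETTINGS, ALLOWED_SOFTWARE, CURRENT_SOFTWARE)


if __name__ == "__main__":
    for line in format_report(audit_constructed_host()):
        print(line)
```

The fingerprint is what you would store and compare on every run; the key-by-key diff only executes when it differs, and the report distinguishes weakened settings from removed and newly added ones because each calls for a different response (revert, investigate who removed it, review and either baseline or reject).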
"The fact that technology has become so ingrained into business and people use the technology as part of their everyday work habits, they don't think about what they are doing … such as sending an e-mail to a vendor with sensitive information in it," he said.
Verton said awareness is the key to cutting down on non-malicious threats. "The only way to do that from an IT standpoint is to set out clearly what is right and wrong. This is what our company considers public and private, and here are some best practices to adhere to."
Let us know what you think about the story; email: Shamus McGillicuddy, News Writer