Research suggests that disgruntled former employees are a growing source of such security breaches. While it is impossible to guarantee absolute protection, many organisations put themselves needlessly at risk by failing to take basic precautions. There are now widely-documented examples of technical best practice for implementing systems in ways that minimise the risk.
One good example for systems that legitimately allow external access, like the FSS system, is the use of ring-back. Instead of allowing users to log-in directly from an external location, the host computer, on detecting an attempt to log-in externally, asks for authentication from the user, ends the call and rings the user back on a number authorised for that user.
More importantly, organisations need to take people-related security issues more seriously. It is well documented that people are the weakest security link, and even the most secure systems can be breached if people-related issues are neglected.
In tough trading conditions many firms lay off staff because of mergers or downsizing. With IT now playing a critical role in most organisations, IT staff or people with access to core IT systems may have the power to do tremendous damage. While most would not dream of exercising this power, it only takes one.
Security should be considered as a matter of course whenever an organisation embarks on change that affects staff. All too often simple things, such as changing passwords when staff leave, are neglected. It may mean taking more time to make the change, and it may increase the cost , but the cost of not taking these risks seriously, both from direct losses and the longer-term damage to reputations, can be far greater.
This was first published in December 2002