Don't let disgruntled staff land you in court

A recent survey conducted by PricewaterhouseCoopers on behalf of the DTI found that 90% of larger firms had a malicious security incident over the past year.

Most attacks were caused either by viruses or "inappropriate" use of IT systems by staff. The average cost of an incident for a larger company was £120,000.

In a recent survey conducted by Novell, 6% of ex-employees who lost their jobs because of an unpleasant termination or lay-off sought revenge against their ex-employer by planting a logic bomb or deleting critical files. Another 4% said they would release a virus on their employer's network if they had the chance.

Many such problems currently get swept under the carpet, but in the future you might have to stand up in court and explain why the company's published financial results are inaccurate, or private data was compromised. "Unauthorised access" will not be a defence if you allowed it to occur.

In the US, legislation such as Sarbanes-Oxley provides for criminal and civil penalties against the officers of companies who fail to take action to protect the integrity of information. In Europe the legislation is potentially equal to this, if not greater.

These staff-related security problems can potentially be remedied with user provisioning software. Users are granted the minimum access they need to do their job and, when they leave, access can be immediately disabled. All user administration transactions can be audited so that due diligence can be proven.

Some user provisioning packages will also track physical and intangible assets, such as laptops, mobile phones or home telephone lines. When users leave the company, their access to these applications is not only disabled, but a report of the items that need to be reclaimed or cancelled is produced.

Neil Chaney is managing director at Open Systems Management
