Information security: A stronger staff

Changing user behaviour through security policies and education is key to combating IT-based threats

Sloppy computer hygiene by staff is exposing companies to security breaches and financial loss. External attacks are now so frequent and so sophisticated that companies are looking to staff policy to ensure that employees do not become the weakest link and inadvertently open up networks to criminals.

According to the Department of Trade & Industry's Security Survey, 66% of businesses suffered a security breach during 2004, compared to just under 50% in 2002. Most businesses attributed these breaches to inappropriate use of information systems by staff.

The theory that staff are the weakest link is supported by a Websense Security Labs report which found a 300% increase in attacks as a result of instant messaging and malicious websites in the first quarter of 2005, compared with the fourth quarter of 2004.

Only a tiny proportion of employees use e-mail and corporate networks for criminal purposes, so companies are rightly beginning to worry more about the negligent insider than the malicious insider.

Fifty per cent of businesses blame their end-users for damage caused by virus attacks, according to a report from the Institute of Directors. And a report from independent business and IT analyst Quocirca shows that nearly 80% of IT and business managers see human error or disgruntled employees as a major risk to corporate data.

Naughty or just plain ignorant behaviour includes visiting untrustworthy websites, opening dodgy-looking e-mails or going to chatrooms. Any of these activities can let a virus through the firewall or allow a device to be compromised.

The consequences of negligence can be profound. "As well as financial loss to the company, a user's machine can unwittingly be enlisted for a drone army and used for denial of service attacks," explains Richard Cox, member of the not-for-profit Spamhaus organisation, which is dedicated to stamping out internet breaches.

In this climate of multiple and ongoing security breaches, security advisers recommend that policy forms the bedrock for robust defence. "It is too much to expect users to understand the complexities of internet security threats. But it's not too much to expect them to follow a few simple rules," says Cox.

Chris Potter, partner at professional services firm PricewaterhouseCoopers, says, "You need to have a security policy that is approved by senior management, communicated to everyone through staff inductions and embedded in everyday business activity."

DTI surveys show that companies are paying more attention to policy but surprisingly few have policies in place: about 66% of large corporations and 33% of UK companies overall.

It is relatively easy to draw up a security policy for staff. "Anyone can get hold of a bog-standard policy," says Guy Lamb, a partner at international law firm DLA Piper Rudnick.

He recommends that large corporations customise the policy to meet any special requirements and ensure it reflects the corporate culture. Importantly, however, a security policy should be treated the same as any other staff policy, says Lamb.

"Employees are subject to contract of employment. Employers are free to set out rules of engagement and this extends to IT policies."

Companies that have a policy in place must remember that its effectiveness depends on staff knowing about it. Royal Mail spends a modest amount on security - about 0.5% of the IT budget compared to the 4% average reported in the DTI annual survey - yet it is delivering increasingly robust levels of security because it focuses on education, says director of information security David Lacey.

"Whether it is control procedures or technology: if you leave it alone it just disappears. You have to keep refreshing the awareness of your workforce and your customers," he says.

"Once you get into the citizen space, that is a very broad population to engage with." Consequently, Lacey had to find methods more imaginative than the run-of-the-mill training used by most companies.

An example of a successful security campaign at Royal Mail was an online security quiz in the run-up to Easter. Prizes of luxury Easter eggs were awarded to staff providing correct answers, which could all be found in the security tips and guidelines on the company intranet. Traffic reached peak rates of 10,000 hits a day.

"Induction courses are a bit of a luxury. We are more interested in finding low-cost, high-impact ways of getting our message across," says Lacey.

Education may be the key to making a company's security policy effective but there will always be a few bad apples who flout the rules, warns Simon Janes, international operations director at computer forensics firm Ibas and a former detective with Scotland Yard's Computer Crime Unit.

"No matter what policies and procedures you put in place, things are going to happen," he says. For the minority intent on fraud or other criminal activity, it is essential that a company has instant response policies in place.

Janes cites the case of a company that was defrauded by an IT malcontent who was skimming £1,000 a month through false e-mail accounts he had set up.

The company had questioned the person about the redundant accounts 18 months prior to detection but he had an excuse and the company had not investigated further. Eighty per cent of major frauds run for 18 months before they are discovered, says Janes.

"Whenever there is an untoward incident, the process needs to be applied," says Janes. "In this way, any investigative action can never be construed as personal, or racially or sexually motivated. It is policy."

He also counsels companies to ensure policy is a two-way thing: provision must be made in an employee's terms and conditions, but an employer has to consider its staff's human rights and expectations of privacy.

Investigation of potential breaches of security policy calls for delicate handling. A policy should state if any kind of monitoring takes place by the company, says Lamb, and if some kind of misdemeanour is suspected, it is important to take a staged approach.

"There may be a strong temptation to allow IT staff to have a rummage around. Evidentially, it is very important that information on a computer system has not been tampered with by investigators," Lamb says.

Clear rules of engagement and policies for investigation are all the more important as new portable storage devices make the pilfering of company data, or the negligent introduction of a virus, easier. "A few years ago, people were disabling the A drive, ensuring they were read-only, but the availability of small, removable media and standardised ports creates an issue people have to address," says Janes.

Technology advances and a connected world make close management of all personnel a crucial aspect of securing data and IT networks. Yet the interface between IT and human resources departments can be a vulnerable area, says John Meakin, group head of information security at Standard Chartered Bank.

"The availability and accuracy of data about people is critical: it is the starting point for anything to do with access control. And yet many organisations do not have a single, consolidated record of staff."

Standard Chartered takes staff vetting seriously and applies this especially rigorously to its offshore operations in Asia and Africa. "We are aware of the different cultures there and any susceptibility to coercion this may impose on staff in those locations," says Meakin. To date he has detected no higher level of threat in offshore operations.

By contrast, Potter says relatively few companies perform background checks on their staff at the point of recruitment. According to a survey carried out by PricewaterhouseCoopers, just 43% of companies follow up references, and 33% do not do any checks at all.

Knowing people are who they say they are is perhaps the most basic rule of security but one that gets ignored by many companies. "We do a lot of walking into buildings to test security and you would be amazed at how easy it is," says Rob Pope, technical director at SecureTest consultancy.

"We spent three and a half hours in one client's building. It would have been simple to plant a key logger on a server on the back of a PC. People were very helpful: it's not inherent in people's nature to challenge," he says.

Before the opening up of the internet, 80% of hacks on a network were from staff, says Meakin. The arrival of the internet inverted this and has propagated huge volumes of external attacks. The best way to keep this threat at bay is to shore up defences from the inside by managing staff more closely.
