Security special report: The internal threat

Careless staff can pose a real danger to company networks. John Kavanagh finds that solutions range from educating users to drastic restrictions on their internet access


Careless staff can pose a real danger to company networks. John Kavanagh finds that solutions range from educating users to drastic restrictions on their internet access

IT departments are spending fortunes to stop outsiders getting into their systems, but the biggest threat actually comes from people already inside: their own staff. This is highlighted by the Department of Trade and Industry’s Information Security Breaches Survey 2006, which shows that viruses – typically introduced by staff through a mouse click – are the biggest cause of reported security incidents, followed by staff accessing inappropriate websites or surfing to excess in company time.

The good news is that there is a wealth of technology and human procedures to help beat the problem – but the bad news is that most companies seem to be turning a blind eye to the issues.

Criminal insiders are only a small part of the internal threat: the DTI survey and other research show that the problem is mostly down in one way or another to staff making personal use of the internet. Experts point out that such use puts the company’s network and systems at risk of virus infections, spyware and other attacks, wastes company time and resources, and potentially opens the organisation to lawsuits across a wide range of areas.

Much of the problem stems from human nature and ignorance, rather than from a desire to defraud. “Huge numbers of people kept infecting themselves over and over with a virus while trying to see a racy picture of tennis star Anna Kournikova that they thought they had received by e-mail,” said Pat Dunne, a director of security specialist Trend Micro.

Trend Micro’s research shows that 45% of UK users are not worried about security "because it is not my equipment". A European survey of 1,500 professional staff by anti-virus software specialist McAfee found that 62% “do not have a clue about IT security”.

Such attitudes and ignorance are increasingly dangerous as users become more mobile and sophisticated, and technology emerges that makes them more productive but demands greater awareness of security issues.

Portable data devices are a threat here. “As remote working becomes increasingly common and office and personal gadgetry grows – look at the proliferation of iPods – organisations face a security loophole,” said Andy Burton, chief executive of security company Centennial Software.

“Our research shows that 89% of employees connect a portable device to their company network at least once a week – and more than half of UK businesses have no controls to manage the use of removable media devices.”

People have been tricked into using an apparently abandoned USB loaded with a “friendly” Trojan by penetration testing company SecureTest: the software sent a message to the company but could have been a malicious virus. People in the security-conscious financial services industry loaded CDs handed out in the City of London in an exercise by training company The Training Camp, despite clear warnings printed on the CDs to check company guidelines before loading.

Instant messaging and web conferencing are also highlighted as threats as users latch on to the potential of the internet. More than 40% of UK users surveyed by web security specialist SmoothWall make private use of instant messaging while at work, and 61% use private Hotmail accounts.

More than 33% of people questioned by SmoothWall knew of porn being downloaded in their organisation and more than 30% said they downloaded music at work, to company equipment. Well over 20% spent more than an hour a day of work time on non-work web surfing – via the company network.

The legal risks alone of such staff activity are highlighted by Struan Robertson, senior associate at IT law firm Pinsent Masons. They include possible copyright infringement if software, images, music and other material are downloaded from the web, sexual harassment claims from staff because of downloaded pornography, criminal action on illegal images such as child pornography, and staff claims of racism or bullying via e-mail.

Careless use of e-mail can cause problems, even if that use is apparently legitimate. Robertson said, “E-mail is less formal than a letter and sometimes little or no thought is given to confidentiality and security before clicking ‘send’. But the employer will be liable for any casual contract undertakings, inaccurate statements and defamation.”

Experts say all these different internal threats to IT security – and company reputation – whether deliberate, accidental, unthinking or through ignorance, can be countered by common methods, which boil down to three broad categories: education, enforced policy, and technology to ensure that policy is followed.

“Companies should offer continuous training and awareness programmes for all employees on steps they can take to minimise the risk of security threats,” said Paul King, senior security adviser at network specialist Cisco UK.

“Cisco staff are regularly asked to watch videos of just five to 10 minutes that explain measures they can take. As the sessions are very short, staff are happy to take part, and they tend to act on the information.”

King suggested that organisations can also have great success in using computer games to engage employees with subject matter that might otherwise seem dry. This can be a great way to get IT security training into busy employees’ schedules.

King said, “Keeping your company secure is not only the task of the IT manager, the firewall or the intrusion prevention system – it is also down to the individual.”

Companies are increasingly introducing a formal policy, covering acceptable personal use of the internet in particular. The number of UK companies with acceptable use policies has grown 150% in two years, according to the DTI survey, and 89% of large companies and 63% of all companies now have one.

“If employees have no rules or guidelines they will form their own views of what is and is not permissible,” said Robertson. “This makes it difficult for the employer to achieve a united approach, to maintain security and to take disciplinary action if necessary.”

Robertson recommended that companies decide the extent to which employees can use the internet and e-mail for personal purposes, and then set down the parameters clearly and specify the consequences of misuse.

There are different views on these parameters. Pornography can bring an employer problems in sexual harassment claims, but should access to sports sites be banned during the football world cup or an England cricket test series to stop staff wasting company time? How about shopping sites, holiday sites gambling services, Hotmail? Some experts suggest allocating a fixed amount of storage for legal personal use, or limiting access to Hotmail and other selected sites to half an hour at lunchtime.

Some talk of a company culture of trusting staff and expecting trust in return. Others take an opposite hard line.

“You can’t always rely on people’s trust and loyalty,” said Jason Creasey, head of research at user organisation the Information Security Forum. “For some employees the person they trust the least is their managing director, and they may not care if he goes to prison or if the company loses money.”

Companies should strictly enforce their policies or totally restrict personal use, said SmoothWall managing director George Lungley. He said, “Our research shows that companies are not enforcing internet usage policies. We recommend locking down corporate networks to all but essential business applications and strictly controlling access to non work-related websites during working hours, to ensure legal compliance, avoid time wasting and prevent the risk of malicious spyware and virus infections.”

Monitoring can actually benefit staff, said Denis Zenkin, a director of InfoWatch, which specialises in protecting networks from internal threats. He said, “Employees can be reassured that the company they work for is safeguarded against confidential leaks and hence possible damage to its reputation or financial loss – and that protects jobs. Monitoring can also protect employees against false accusations.”

Even though most companies now have policies, only a minority enforce them, according to the DTI study. More than 40% of the worst security incidents involved staff accessing inappropriate sites, yet 60% of companies do not block access to such sites. Only 17% scan outgoing e-mails for inappropriate content.

Products in these and other areas are now readily available, and others are emerging. There are products to monitor individual staff access to websites and to block access to specified categories of sites, such as pornography and weapons.

Pornography can be detected and blurred beyond use. E-mail content, including attachments, can be scanned. Products can keep check on who sends and receives large numbers of e-mails, monitor instant messaging, restrict the use of portable data storage devices and scan networks for new devices and software. Password management can help keep check on “superusers” such as administrators with blanket access, or temporary staff or people who have left the company.

Protection at data and application levels, right down to individual SQL statements, is emerging from some start-up companies, including a UK company called Secerno which is building on research carried out by Oxford University.

“There are myriad software products available," said Creasey. “The answer is not to rely on policy alone, but to take away much of the control from the user.”

King added, “The enemy within is unlikely to be a masked assassin or a cybercriminal mastermind, but an ordinary user who takes down the network with a simple click on an e-mail attachment.”

Case study: Boots keeps tabs on clinical data

Pharmaceuticals firm Boots Healthcare International is a Documentum customer. Using Documentum, BHI is able to create, compile and share dossiers around its various teams without compromising security.

In order for its products to be licensed for sale within the European Union, BHI is obliged to submit a dossier of detailed pharmaceutical and clinical information about the products to national regulators. Those dossiers can consist of anything from one folder, to tens of thousands of pages, depending on whether the product is a new formulation or a modification of an existing drug.

Using Documentum, BHI can restrict access to documents by project teams, providing authors with write access but restricting reviewer privileges. Previously, documents might be stored on the network, on local hard drives and even on floppy discs.

By improving the document auditing process, BHI can not only manage document versions, but also keep track of who has reviewed and approved each document.

“There might be different versions of dossiers for different markets, and we need to know who has had what version and what they have done to it,” said Mark Clinton, who handled the Documentum implementation for BHI’s Department of Regulatory Affairs.

Read: Security special report: The changing threat

Read: Security special report: Who sees your data?

Read: Security special report: Compliance quandary

Read: Security special report: Accessing all areas

Read: Security special report: Fingertip security

Read more on IT risk management