The threat from within: in-house security is business' Achilles' heel

Modern working practices can expose companies to attack

Security is more than just a matter of putting IT systems in place. It requires broader thinking and an understanding of the way we do business in 2004 and how employees interact with the technology they use.

Although their actions are rarely intentional, employees are still likely to be a serious security liability, simply because our office working culture presents the greatest exposure to potential information security breaches.

This is not to say that businesses do not already take security seriously, and indeed some have it right at the top of their agenda. But many are missing a trick by only protecting themselves from threats from outside the company and ignoring internal influences.

There is a growing body of evidence to show that outside threats are increasing, but the State of Information Security 2004 study - a worldwide survey by CIO magazine and PricewaterhouseCoopers conducted in April - reports that nearly one in three security breaches are caused by employees. Poor internal practices are not just problems in themselves but can lead to vulnerabilities that can be exploited from outside. But how and why does this happen?

For many organisations, passwords are the greatest vulnerability. Easily guessable passwords are the quickest way into a system. Why should a hacker waste time looking for a complicated technical flaw when they can log in as a legitimate user? Often a senior manager's password can be found by lifting the keyboard and finding it written beneath.

Just as dangerous is the threat posed by ex-employees. Even in large companies, processes often do not exist to ensure access rights are removed immediately when people leave. As a result, many keep their remote access to corporate systems - a particularly high risk if an employee leaves on bad terms.

Day to day, people forget to lock their PCs when they are away from their desks, giving any person walking by access to their e-mails and network drives. Although this most often results in e-mail practical jokes, the more serious implications are obvious.

Even the most innocuous working practice could have serious consequences. For example, by not changing the default printer on their laptop, remote workers may print out sensitive documents to the wrong printer, leaving them for anyone to see.

A more recent risk, and one that will only grow in the years to come, is remote working. More and more employees work outside the office - from home, a customer's office, an airport lounge or a coffee shop - and therefore need to access IT systems remotely.

This flexibility is often essential, but it has its own risks that need to be understood. Remote working can be safe but organisations are often lax in warning their staff of the security dangers of logging on to wireless hotspots, which are rarely totally secure.

The rapid development of gadgets and personal technology is blurring the lines between business and recreational IT. Organisations need to be aware of employees using personal IT in the office, and individuals need to be aware of the risks they may be bringing into the office.

Plugging a home laptop or PDA into corporate systems runs a high risk of passing on viruses; home users are rarely as vigilant in updating their anti-virus protection on their own systems.

Physical security is important too. Organisations are starting to control what sort of equipment visitors and staff can carry into data-sensitive areas. It is hard to believe that a cuddly toy could be a threat to a company's information security, but an interactive toy such as a Furby could, in theory, be used as a recording device.

The same applies to MP3 players, mobile phones with voice recording, camera phones and memory sticks, the "toys" that are more commonly found in people's briefcases and handbags.

The old-fashioned threats are also still here: too much data gets into the wrong hands through loss or theft of mobile IT equipment, inside and outside the office.

So what can be done? Technical solutions are important but they are only part of the story. In most cases the application of simple common sense can solve these problems.

By applying a more consistent IT security policy or simply making workers more aware of how their behaviour can expose the company to attacks, the risk of an information security breach can be reduced dramatically and at a much lower cost than investing in security technology products.

John Alcock is managing security consultant at Fujitsu Services