End-users' tendency to be negligent, fraudulent, malicious or just plain stupid can reduce IT managers to tearing out their hair. Most organisations put considerable effort into defending against external attacks, but protecting systems from internal threats receives less attention, mainly because it is perceived to be more difficult and complex to implement and enforce a rigorous security policy. Firms may pay lip service to the possibility of attack from within, but until a problem occurs, many companies are still not taking this area of security seriously.
That is set to change. Not only is the problem getting worse, but the financial impact is also increasing. Insurance broker Willis Group says it expects insurance premiums for cybercrime to rise by up to 25% this year, with prices dependent on customers' web use and security precautions.
Standard Chartered Bank decided in March to outsource the monitoring of its network and firewall traffic, partly, according to a bank official, because of the need to demonstrate to financial regulators that the bank's systems are secure.
In the face of these growing challenges, here are some of the biggest threats from inside your organisation and what can be done to tackle them.
The most common form of carelessness in today's business environment is end-users revealing their passwords, or making it easy for others to pick up passwords by giving them out over the phone or writing them down. Many end-users persist in making their password nice and simple - such as their own surname. And there are still many systems with an account where the username is temp and the password is guest (or vice versa).
Implement - and enforce - a clear information systems policy to ensure all employees know and understand why it is important for them to keep access to the system secure. "It is pointless to have rules unless people follow them," says Martin Finch, managing director of security firm Commissum. "You can have the best technologies and the best policies, but if people don't buy in to them, they will not work."
In addition, it is a good idea to remove responsibility from end-users and to automate security procedures as much as possible, even if your end-users are well trained.
Educating end-users about why it is important to keep systems secure is essential. There are moves in the US to make a minimum level of systems education mandatory before end-users are allowed online. This step is not imminent in the UK, but training courses are available to meet the need to improve user awareness. One example is a course from Absolute Training, with input from Commissum, designed to make UK office workers more "cyber-savvy".
If passwords are too difficult to remember, end-users tend to write them down somewhere; if they are too obvious, the system is insecure. Having to remember a whole host of passwords for different systems is also a challenge, and single sign-on has proved either too costly to implement or too insecure, since it rests on the strength of a single authentication process.
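The weaknesses described above (default accounts such as temp/guest, passwords that are the user's own surname, passwords too short or too simple) can be turned into a check that runs when a password is set. The following is an added example, not code from the article or from any supplier it mentions; the account list, the default-pair list and the common-password list are constructed for illustration, and the 12-character minimum is an assumed policy value.

```python
# Added example: audit a list of accounts against simple password-policy rules.
# Assumptions: accounts are supplied as (username, surname, candidate password)
# at password-set time; DEFAULT_PAIRS and COMMON_PASSWORDS are illustrative.
DEFAULT_PAIRS = {("temp", "guest"), ("guest", "temp"), ("admin", "admin"), ("test", "test")}
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
MIN_LENGTH = 12  # assumed policy minimum


def check_account(username, surname, password):
    """Return a list of findings for one account; an empty list means it passed."""
    findings = []
    u, s, p = username.lower(), surname.lower(), password.lower()
    if (u, p) in DEFAULT_PAIRS:
        findings.append("default username/password pair")
    # Password equal to the username or surname, or containing a surname of
    # four or more letters (short surnames would produce too many false hits).
    derived = p == u or (s and (p == s or (len(s) >= 4 and s in p)))
    if derived:
        findings.append("password derived from username or surname")
    if p in COMMON_PASSWORDS:
        findings.append("password in common-password list")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if password.isalpha() or password.isdigit():
        findings.append("single character class")
    return findings


def audit(accounts):
    """Map username -> findings for every account that fails at least one check."""
    report = {}
    for username, surname, password in accounts:
        findings = check_account(username, surname, password)
        if findings:
            report[username] = findings
    return report


# Constructed sample accounts (not real data).
SAMPLE_ACCOUNTS = [
    ("temp", "", "guest"),
    ("jsmith", "Smith", "Smith"),
    ("akhan", "Khan", "correct-horse-battery-9"),
    ("mjones", "Jones", "jones2024!"),
]

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_ACCOUNTS).items():
        print(user, "->", "; ".join(findings))
```

The check is meant to run at the moment a password is chosen, where the plaintext is legitimately available; it is not a tool for inspecting stored credentials. The default-pair rule catches the temp/guest style of account the article describes, and the surname rule catches the "nice and simple" choice it warns about.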
There are some innovative approaches to helping users manage passwords securely. UK-based Little cat Z has several products that protect passwords, including its Chandelier software, a web-based tool that enables end-users to reset their passwords securely. Pointsec's Picturepin is, as its name suggests, based on users remembering pictures rather than word strings.
The endpoints of a network are its most insecure access points, so it is important to use all possible network management tools to secure end-user devices - particularly mobile systems - to prevent users inadvertently leaving open ways into important IT systems and databases.
Fraud is a serious internal threat, as it is usually undertaken for monetary gain. It can result in financial implications for an organisation as well as harming its reputation. Fraud can range from loss of sensitive and important company secrets and theft of intellectual property to financial and even criminal damage.
There are no accurate figures on the full extent of systems-based fraud, but the real problem with fraud is that it costs organisations far more than other forms of attack. Although only 6% of UK businesses were reported to have been hit by fraud last year, according to PricewaterhouseCoopers' global survey of economic crime, the average loss from a cybercrime incident is just over £500,000.
This is a staffing issue, albeit one with major systems implications. In addition to all the other recommendations relating to information security, implementing an anti-fraud strategy means having to think about the personnel issues involved and working closely with senior managers and human resources staff on appropriate anti-fraud policies across the board, not just in relation to systems.
Audit trails are essential in cases of fraud, particularly if criminal prosecution is being considered. It is important to have systems in place to track e-mail and ensure records are kept of who has access to sensitive data.
Also consider implementing automated security systems with real-time monitoring that set off alerts when policies are breached, such as Internet Security Systems' RealSecure SiteProtector.
Misuse of IT systems
Staff misuse of IT systems may not seem as serious as fraud or as harmful as a computer virus, but it can damage an organisation's business just as much. Examples of employee misuse of IT systems include accessing porn websites using office systems or, more seriously, misusing confidential data. In 2003, the Inland Revenue admitted that some of its staff had looked up the tax details of celebrities, and there was some evidence of confidential taxpayers' information being used maliciously, such as passing on an ex-spouse's salary data to the Child Support Agency.
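The audit-trail and real-time alerting advice given earlier, and the kind of misuse described in the Inland Revenue case, come together in a detection that reads the access log of a records system and raises an alert when someone views a sensitive record outside their assigned caseload, or looks up an unusual number of distinct records. The following is an added example, not code from the article or from any product it names; the log format, the sensitive-record list, the caseload table and the bulk threshold are all constructed assumptions.

```python
# Added example: insider-misuse detection over a records-system access log.
# Assumed log format (constructed): "<ISO timestamp> user=<id> record=<id> action=<verb>".
import re
from collections import defaultdict

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) record=(?P<record>\S+) action=(?P<action>\S+)$"
)

# Constructed reference data: records flagged as sensitive (e.g. high-profile
# individuals) and the records each member of staff is assigned to work on.
SENSITIVE = {"TX-2001", "TX-2002"}
CASELOAD = {
    "ablake": {"TX-1007", "TX-1008", "TX-2001"},
    "cdoyle": {"TX-1009"},
}
BULK_THRESHOLD = 3  # assumed: more than this many distinct records per user is unusual


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines):
    """Return alerts as tuples whose first element is the rule name, in log order."""
    alerts = []
    distinct_records = defaultdict(set)
    for line in lines:
        event = parse_line(line)
        if event is None:
            # Unparseable lines are surfaced rather than silently dropped, so a
            # broken log pipeline is noticed instead of hiding misuse.
            alerts.append(("unparseable", line.strip()))
            continue
        user, record, ts = event["user"], event["record"], event["ts"]
        # Rule 1: sensitive record viewed by someone it is not assigned to.
        if record in SENSITIVE and record not in CASELOAD.get(user, set()):
            alerts.append(("sensitive-record-outside-caseload", user, record, ts))
        # Rule 2: bulk lookup; fires once, when the threshold is first exceeded.
        distinct_records[user].add(record)
        if len(distinct_records[user]) == BULK_THRESHOLD + 1:
            alerts.append(("bulk-lookup", user, len(distinct_records[user]), ts))
    return alerts


# Constructed sample log (not real data).
SAMPLE_LOG = """\
2004-03-01T09:12:44 user=ablake record=TX-1007 action=view
2004-03-01T09:13:02 user=ablake record=TX-2001 action=view
2004-03-01T09:20:15 user=cdoyle record=TX-2002 action=view
2004-03-01T09:21:40 user=cdoyle record=TX-1009 action=view
2004-03-01T09:22:01 user=cdoyle record=TX-1010 action=view
2004-03-01T09:22:30 user=cdoyle record=TX-1011 action=view
this line is not in the expected format
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The caseload table is the key piece: without a record of who is entitled to see what, an audit trail shows only that a lookup happened, not that it was improper. Keeping that table, and the log itself, outside the reach of the users being monitored is what makes the trail usable if a case goes to prosecution.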
There is also a growing list of UK organisations which have sacked or suspended staff for looking at pornography at work, including Derby University, Merrill Lynch and insurance giant Royal and SunAlliance. In one of the biggest cases in the UK to date, mobile phone operator Orange sacked 40 staff for downloading pornographic images from the internet. A survey by LexisNexis Industrial Relations Services last year found that almost a third of UK firms had dealt with up to five disciplinary cases of internet abuse in the previous year.
Information can also be disclosed inadvertently. It is not unusual to receive an e-mail in which the deleted text from a document has been retained in the final version, potentially causing embarrassment, or even libel, if the file is sent to a customer or supplier.
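The retained-deleted-text problem can be caught before a document leaves the organisation. The following is an added example, not code from the article: it assumes documents are in the .docx (Office Open XML) format, where a tracked deletion survives as a `w:del` element, an insertion as `w:ins`, hidden text as a run with `w:vanish`, and reviewer comments in a separate `word/comments.xml` part. The sample document is constructed in memory and contains only the parts the check reads.

```python
# Added example: find tracked changes, hidden runs and comments left in a .docx.
# Assumption: the file is Office Open XML; the sample document is constructed.
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W}


def _text(node, tag):
    """Concatenate the text of all <w:tag> descendants of node."""
    return "".join(t.text or "" for t in node.iter(f"{{{W}}}{tag}"))


def inspect_docx(data):
    """Return residue found in a .docx byte string: deleted text, insertions, hidden runs, comments."""
    findings = {"deleted": [], "inserted": 0, "hidden": [], "comments": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
        for d in root.iter(f"{{{W}}}del"):
            findings["deleted"].append(_text(d, "delText"))
        findings["inserted"] = sum(1 for _ in root.iter(f"{{{W}}}ins"))
        for run in root.iter(f"{{{W}}}r"):
            if run.find("w:rPr/w:vanish", NS) is not None:
                findings["hidden"].append(_text(run, "t"))
        if "word/comments.xml" in z.namelist():
            croot = ET.fromstring(z.read("word/comments.xml"))
            findings["comments"] = sum(1 for _ in croot.iter(f"{{{W}}}comment"))
    return findings


def is_clean(findings):
    """True when nothing beyond the visible final text was found."""
    return not (findings["deleted"] or findings["inserted"]
                or findings["hidden"] or findings["comments"])


# Constructed document body: one visible sentence, one tracked deletion, one hidden run.
_RESIDUE = (
    '<w:p><w:del w:id="1" w:author="editor"><w:r>'
    "<w:delText>Their previous supplier was unreliable.</w:delText>"
    "</w:r></w:del></w:p>"
    "<w:p><w:r><w:rPr><w:vanish/></w:rPr><w:t>internal note</w:t></w:r></w:p>"
)


def build_sample_docx(with_residue=True):
    """Build a minimal constructed .docx (only the part the check reads) in memory."""
    body = "<w:p><w:r><w:t>Our offer is 10% below list.</w:t></w:r></w:p>"
    if with_residue:
        body += _RESIDUE
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W}"><w:body>{body}</w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_docx(build_sample_docx()))
```

Run against a real file, `inspect_docx(open(path, "rb").read())` returns the same dictionary; a mail gateway or a pre-send hook can refuse to release any attachment for which `is_clean` is false. Accepting all tracked changes in the editor removes `w:del` and `w:ins` elements but not hidden runs or comments, which is why the check looks for all four.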
The consequences of such misuse include harm done to a company's reputation and the need to devote time and public relations effort to limiting the damage.
Implement a clear and well-publicised policy on internet and e-mail use covering both internal and external e-mails. Such a policy would include a facility for checking internet usage, a legal disclaimer automatically attached to outgoing e-mails and a clear statement on when and how staff e-mails and internet use will be monitored.
The Department of Trade & Industry site on IT security best practice points out that the term "cyber liabilities" is increasingly being used to cover company liabilities incurred through inappropriate use of IT systems, whether malicious or inadvertent. Problems caused can include damage to a firm's reputation; libel; racial or sexual discrimination and harassment; and misuse of personal data.
There are a host of tools on the market to help in this area, but it is important to remember that staff must be made aware of any monitoring software. Tools include message scanning and filtering software to check for inappropriate words and images; blocking software to prevent access to specific, inappropriate websites; and systems monitoring tools. Suppliers such as MessageLabs, Content Technologies and NetIQ all have products in this field. NetIQ's VigilEnt, for instance, blocks e-mails and instant messages if they contain specific words and enforces policies on web surfing.
One of the better-known content filter providers is SurfControl, with its e-mail filter, web filter and instant messaging filter. Morphix's Metasight combines e-mail management with a training element. It monitors e-mail use in line with a defined policy and sends reminder messages to users who breach the policy.
The right level of security
Increasing use of broadband "always-on" internet connections and a general lack of security awareness have resulted in a huge rise in the onslaught from viruses and other forms of attack. The ability to download material such as games or music from the internet has led to growing concern about security. Security firm Sophos estimates that one in three spam e-mails are redirected through compromised PCs, often without users' knowledge.
The DTI's latest annual survey of information security shows that 83% of the UK's large firms have received infected e-mail or files and one-third of those have received at least 100 different viruses. Guarding against the accidental letting in of viruses, as well as against malicious internal actions, is paramount.
To prevent unauthorised intrusions you need a clear and straightforward security policy. Many experts believe it is no longer possible to monitor compliance with security policies manually, but a number of automated security policy tools are available.
It is again important to ensure that if any systems are being monitored, the approach complies with laws such as the Data Protection Act. Staff must be informed of such monitoring, and this may need careful handling to ensure employees know their rights.
Regularly updated anti-virus software is a must. The best-known are probably from Norton, Sophos and McAfee, but there are many other products available. Personal firewalls are vital, as more users connect remotely to their corporate networks; well-known products include Zone Labs' ZoneAlarm and Norton Personal Firewall.
Automated security policy software, such as Policy Operations Centre from BindView, enables IT administrators to set appropriate levels of security for members of staff, depending on how much sensitive company information they handle.