A question of trust

Can increased internal security and trust go hand in hand?
Written by silicon.com staff, Contributor

Do you trust your colleagues? It's a simple question and one which most people will answer with a resounding 'yes'. But should this be the case? More and more often companies are identifying the greatest threat to their business as coming from within.

In security there are waves of development. The past few years saw a wave of expenditure 'protecting the perimeter' from external threats. Yet now many companies are focussing on just what they've penned in - rather than what they are keeping out.

Financial giant Merrill Lynch is today beginning a new era of tightened security on its network. Staff are now forbidden access to outside ISPs such as AOL, MSN and Yahoo!, whose email and instant messaging services they may previously have used to communicate with friends, family and colleagues. The problem was that these services bypassed all internal security - they were a tunnel straight under the perimeter fence out into no-man's land and staff could liberate whatever data they wanted.

This is not to say that Merrill Lynch doesn't trust its staff or indeed that they shouldn't be trusted. The change is due in part to tightening SEC regulatory measures in the post-Enron era. Other financial institutions are taking similar steps - but so are companies who are not under the constraints of regulatory control.

The concern is that while you have safeguarded your network against all manner of cyber attacks it only takes one person to log on to their webmail account and email a client list and account details to a rival and your very business is under threat. Suddenly being protected from viruses becomes a moot point.

Similarly companies are clamping down on the use of network applications, controlling staff email use and web use. This is because bosses have to view staff as a mass, not as a group of individuals. And the threats are very real - even if most staff are to be trusted. But it is impossible to imply that trust while rolling out stringent internal security measures.
And no staff will take kindly to the idea that they are not trusted. For the banks there is the 'our hands are tied' defence, which will serve them well, but for others the response is not so easy to imagine. One vendor recently told silicon.com that it is easier to implement such measures during a downturn because if staff don't like it then they have fewer options. In better times they could walk out and into another job. For now they may well just have to take it, like it or not.

But vendors are also quick to bring up the role of education. It is not a question of trust - it is a question of necessity. If an employee has always played by the book, then yes it is unfair that they should lose certain privileges, but it is also unfair that they should lose their job because a colleague emails the 'crown jewels' of the business to a rival. Still, it won't be a popular message - but it may just be a company's best bet.