UK businesses have been warned that the main threat to network security will continue to come from hackers working within companies.
A study of 1,238 companies, conducted by the KPMG consultancy, found that 90 percent of firms expected their e-commerce systems would be breached by hackers. But KPMG warned that most attacks would be carried out by members of staff.
Norman Inkster, president of KPMG Investigation and Security, said studies by KPMG over the last decade had found that 70 percent of fraud was carried out by insiders. "Most security breaches are carried out by individuals who possess intimate knowledge of the systems which they are attacking," he added.
The government is increasingly concerned about the threats posed by hackers to commerce and national security. Foreign secretary Robin Cook told a parliamentary committee on intelligence security that hackers could cripple Britain "faster than a military strike".
Bob Ayers, director of ParaProtect, an IT security company, and the former chief information-warfare officer at the US defence department, agreed that the internal threat was a great one. He added that it is impossible to make more than 90 percent of any system secure.
Ayers said firms should concentrate on detecting breaches and reacting to them. "That way you can make the attack fail, limit the damage it causes and restore the service as quickly as possible," he said.
Vulnerabilities could arise in so many ways that it is impossible to guard against them all, said Ayers. Problems often occur when software is acquired without access rights to source code. "Unless you know how that all adds together, you cannot be sure how secure your system is," he explained.
Ayers said changes to systems happen daily; while individually they may seem insignificant, they can undermine security. Typical changes would be the addition of a patch or a new version of software, or the changing of a user's password.
Outsourcing of security would be the best option for many firms for financial as well as security reasons, recommended Ayers. "The cost of outsourcing your security would be dwarfed by the cost of employing [internal] people to monitor your system 24 hours a day," he said.