Should you trust your staff?

Of course you should – but not simply because you couldn't be bothered to check up on them...

Companies are still failing to 'patch' the biggest hole in their security strategies – the walking liabilities who enter the building in the morning and leave at the end of the day.

Human error is still at the heart of a great many security breaches. Combined with growing incidences of malicious activity, a tolerance within firms of personal technology and a failure to lock down desktops, it leaves companies facing serious problems related to their 'bums on seats'.

And in fact, it's not just those who are seated. A move towards hot-desking and teleworking is also further complicating the issue. It naturally becomes harder to see whether somebody is doing something they shouldn't if they keep on the move, according to Simon Janes, international operations manager at computer forensics specialist Ibas.

But Janes told silicon.com that companies have to be very careful with issues relating to employees and the threat they pose. Falsely identifying even one person as a criminal could destroy good relations with staff.

According to recent research from QinetiQ, the majority of companies still carry out no background checks on employees, while three-quarters of companies don't carry out checks on visitors to the organisation.

Neil Fisher, director of security strategy at QinetiQ, said that whether the problem is a "straightforward cock-up" or a malicious internal threat, the question remains: "can you really trust your employees?"

But Janes warned against any heavy-handedness.

"When you point the finger be very careful what you are saying," he said. "Establish the facts before you do anything."

"It is important that you have the policies and procedures in place so you can identify incidences of crime. People only do things because they think they can get away with it," said Janes, but he warned against creating too much of a 'Big Brother' atmosphere within a company.

There is certainly a fine line between a realistic level of suspicion and an over-officious culture of monitoring and distrust. Companies must walk that line, though, in order to deter would-be criminals while being mindful not to alienate honest employees, especially because the behaviour of both may look similar.

"Who is a company's best employee?" said Janes. "It's probably somebody who works late, comes in weekends, doesn't take all their holidays, keeps their head down and doesn't attract much attention - but that also pretty closely maps the profile of somebody who might be stealing data from the company," added Janes, based on his own professional experience.

Certainly some companies are taking measures to new extremes. In some financial institutions database administrators are working with cameras trained on their keyboards and screens, according to the CEO of one company working in this space.

But according to Walter Scott, CEO of storage firm Imceda, who works with many firms in the financial services sector that store business-critical data, the implication isn't one of inherent guilt but simply that the risks of not monitoring as standard practice are too great.

Scott told silicon.com DBAs now wield too much power to be above suspicion.

It may not be the current DBA, or the next, or the one after, and it may never become an issue at all. But should a problem arise, by the time suspicions are raised it may already be too late to introduce such measures.

At the opposite end of the scale, temporary staff have also long been identified as a source of potential breach and blunder, proving that companies need to implement and enforce policies throughout their whole organisation.