The top five internal security threats

It's widely known that internal staff are the biggest threat to IT security, but what specifically should an employer watch out for?
Written by Sally Whittle, Contributor

Research conducted by the US Computer Emergency Response Team (Cert) estimates that almost 40 percent of IT security breaches are perpetrated by people inside the company.

Criminal attacks are particularly likely to happen from the inside: one recent study estimated that 90 percent of criminal computer crimes were committed by employees of the company attacked.

Smaller businesses are uniquely vulnerable to IT security breaches because they may lack the more sophisticated intrusion detection and monitoring systems used by large enterprises, according to Mark Murtagh, a technical director with Websense. "We definitely are seeing an increasing threat to SMEs, coupled with a lack of understanding of the threats posed," he says.

ZDNet.co.uk asked the experts: what are the top 10 security threats posed by workers in small and medium-sized enterprises?

1. Malicious cyberattacks
Research conducted by Cert has found the most likely perpetrators of cyberattacks are system administrators or other IT staff with privileged system access.

Technically proficient employees can use their system access to open back doors into computer systems, or leave programs on the network to steal information or wreak havoc. In 2006, IT programmer Roger Duronio was found guilty of planting a type of malware known as Unix logic bombs in the network of investment bank UBS. The company claimed the resulting damage cost more than $3m (£1.5m).

Prosecutors argued that Duronio had launched the attack when he received a bonus he felt was unreasonably low. He complained and eventually resigned from his job, but not without leaving behind a memorable parting gift.

The best protection against this sort of attack is to monitor employees closely and be alert for disgruntled employees who might abuse their positions. In addition, experts advise immediately cancelling network access and passwords when employees leave the company, to avoid them using passwords to remotely access the network in future.

2. Social engineering
Perhaps one of the most common ways for attackers to gain access to a network is by exploiting the trusting nature of your employees. After all, why go to the trouble of creating a program to steal passwords from the network, if people will simply give out this information on the telephone?

"You can have the best technical systems in place, but they're not effective if people aren't educated about the risks," says Mike Maddison, head of security and privacy services at Deloitte UK. A recent survey conducted by Deloitte found three-quarters of companies have not trained staff in the risks of information leakage and social engineering.

"It's vital that people understand, for example, that they shouldn't provide their password over the telephone, or that they recognise a phishing email," says Toralv Dirro, a security strategist with McAfee. "These sorts of messages are becoming increasingly sophisticated, and we're now seeing very personalised, targeted phishing emails that may even refer to projects that people work on, or members of their team."

3. Downloading malicious internet content
Some reports suggest the average employee in a small business spends up to an hour a day surfing the web for personal use — perhaps looking at video or file-sharing websites, playing games or using social media websites such as Facebook.

It's not just time that this activity could cost you. Analyst reports show that the number of malware and virus threats is increasing by more than 50 percent each year, and many of these destructive payloads can be inadvertently introduced to the network by employees.

"It's very easy for a rootkit to be hidden in a game or a video clip, and a novice user may not notice anything out of the ordinary," warns Graham Titterington, a principal analyst with Ovum.

The best advice is to constantly update and patch your IT systems to ensure you are protected...

...against new threats as they emerge, advises Paul Vlissidis, a technical director with NCC Group. "Don't rely on monthly or quarterly security downloads," he says. "The time between vulnerabilities being discovered and then exploited is shrinking all the time, so it's important to update patches and antivirus software regularly, and ideally layer several antivirus products rather than using just one."

In addition, consider whether your antivirus software can filter, monitor and block video content: few products can do this today, but a video of someone falling over can provide a cover for downloading all sorts of content onto the network, says Bob Tarzey, a service director with analyst firm Quocirca.

4. Information leakage
There are now a staggering number of ways that information can be taken from your computer networks and released outside the organisation. Whether it's an MP3 player, a CD-ROM, a digital camera or USB data stick, today's employees could easily take a significant chunk of your customer database out of the door in their back pocket.

"These types of devices are effectively very portable, very high-capacity hard drives," says Andy Kellett, a senior research analyst with Butler Group. "Someone can walk away with up to 60GB of data on a USB stick, so it's not a trivial matter."

Research conducted by Websense found that a quarter of UK workers who use PCs at work admit copying data onto mobile devices at least once a week. In addition, 40 percent say they use USB sticks to move data around, and a fifth have revealed their passwords to third parties.

Kellett advises companies to use software to specify policies on what devices can be connected to the corporate network, and what data can be downloaded. This should be enforced by the company — but workers should also be educated about why the policies are in place — or they will simply find a way to work around them. "It's not difficult to specify that the USB ports on desktop computers are disabled, or that CD-ROM drives are removed from computers where they aren't needed," Kellet says. "But you have to work with your employees to balance security and usability."

In addition, Kellett recommends considering whether to block access to web-based email and data-storage services, such as Gmail. "If someone can store confidential documents to an online storage site, that information is completely beyond your control," he says.

Finally, consider locking down networks to prevent wireless access using Bluetooth or Wi-Fi — except for authorised users with authorised devices. "Information loss over Bluetooth on an unsecured network is very difficult to detect indeed," says Kellett.

5. Illegal activities
It's important to remember that, as an employer, you are responsible for pretty much anything your employees do using your computer network — unless you can show you have taken reasonable steps to prevent this. Famously, the US-based Citibank was sued for $2m (£1m) when employees downloaded pornography from the internet, and UK companies have dismissed workers for a range of misdeeds, from selling drugs using company email to distributing racially and sexually offensive material over corporate intranets.

To protect yourself, experts advice a two-pronged approach. First, use monitoring software to check email and internet traffic for certain keywords or file types. You might also choose to block certain websites and applications completely.

Second, devise an Acceptable Use Policy spelling out employees' responsibility for network security, ensure it's signed by everyone and  that workers fully understand the risks and their responsibilities. According to software company Websense, one in five UK workers say they don't really understand their company's security policy.

Editorial standards