Threatened from within
The 2004 Ernst & Young Global Information Security Survey found that less than 30 percent of the 1,233 organizations worldwide listed training and raising employee awareness of information security issues as a top priority.
This observation was echoed by other security experts.
"We tend to trust the internal users, be they full-time staff or contractors such as consultants. The consultants may bring proprietary data out of the organization in the course of their work, so there should be a policy that requires such information to be taken care of or returned when the project is over," says Ken Williams, director, Computer Associates Technical Services.
Employees, former staff and contractors create vulnerabilities in many ways. For example, when they access their companies' networks from home, their family members may use the laptop to access Web sites that contain malicious codes.
"We're talking about hundreds of thousands of Web sites embedded with malicious codes," adds Williams.
At the same time, when internal users access their companies' networks from home by wireless, it opens doors to unauthorized entry by external parties.
Disgruntled employees may also want to cause damage to their companies, which often fail to revoke access by former employees.
The CSI/FBI 2004 Computer Crime and Security Survey of 269 respondents from US companies and government bodies reported that insider Net abuse and theft of proprietary information amounted to US$10.6 million and US$11.5 million respectively.
In another scenario, business managers or "knowledgeable users" may bring in "rogue devices" such as modems, says Cisco Systems' security consultant, Bernie Trudel.
"Usually they are well-intentioned but have little knowledge of the security implications. The same thing could be said about those people who download 'freeware' on their business machine," he adds.
Be they careless, ignorant or malicious, internal users can be a threat to their work places. The Ernst & Young survey found that just 56 percent of respondents in Asia Pacific provide their employees with ongoing training in security and controls. Raising employee information security and training or awareness was ranked eighth for initiatives in 2004.
Keeping focus
What will make more companies focus on such training? For Trudel, running a simulated attack and presenting the results to upper management may do the trick. Pointing to the CSI/FBI annual security survey or the Sarbanes-Oxley Act will justify the need for a bigger security budget, he added.
John Ho Chi, principal of Ernst & Young, believes regulatory incentives have played a part in pushing companies to focus on training internal users. The survey revealed that 13 percent of respondents in Asia Pacific said government security-driven regulations were very effective in lowering data protecting risks in their industry and their organization; 38 percent said they were somewhat effective.
Williams reckons that it is when proprietary data is released or stolen that company leaders will take notice. "In a preventative environment, this won't have happened," he says.
Raising perceptionsHow then should companies ensure that employees, contractors and former staff are not the weakest link in the networks?
According to Ernst & Young's Ho, a multi-faceted approach which covers people, process and technology is needed.
The following key steps, say the experts, are applicable regardless of organization size. The advantage small and medium-size businesses (SMBs) have over large corporations is that miscreants can't hide behind anonymity as easily, says Trudel, while acknowledging that SMBs have fewer resources to implement controls such as electronic surveillance.
- Set a clearly defined security policy
It should include the rules of access, use and copy, as well as penalties for breach. Senior management should set the tone that information security is important and that individuals will be held accountable for their actions.
Some 60 percent of the Ernst & Young survey respondents in Asia-Pacific agree that information security is perceived as a CEO-level priority, while 53 percent agree that business unit leaders and process owners appreciate the value that information security brings to the organization.
So middle managers play a vital role in ensuring that employees comply with policy and procedures.
"Middle managers have to be aware of what employees are doing. At Computer Associates, should a manager be aware that an employee is visiting an inappropriate website, such as a porn-related one, he/she might terminate the services of that employee. That employee's action might create security vulnerabilities," explains Williams.He also recommends that companies of all sizes follow the ISO 17799 standard, a security management framework that covers policy, control, compliance and so on.
- Educate users on the policies
Ho says a programme including training and written communication will help ensure that employees consider information security to be a part of daily routine.
Adds Trudel: "Give them simple but impactful examples of what would constitute a break-in." Link the impact of security incidents to the company, the customers and employees' jobs, Williams says, adding that building awareness of reducing enterprise security risks should be a daily affair. - Establish visible audit/monitoring capabilities
This acts as a deterrent to potential internal miscreants.
According to the Ernst & Young survey, 70 percent of respondents in the region conduct periodic information security compliance reviews; 75 percent evaluate and adjust the overall control structure to changing conditions. - Be firm about policy violations
"Stick to the penalties mentioned in the policies and make examples of anyone caught," Trudel says.
