CIO Jury: Employees are biggest security headache

Employees still pose a bigger threat to corporate security than hackers, according to UK IT bosses.

The threat comes from criminal 'insiders', disgruntled staff and employees who unwittingly download viruses or reveal their passwords, according to 10 heads of IT on this week's silicon.com 12-man CIO Jury IT user panel.

This comes in the same week the UK's new FBI-style crime-fighting agency Soca warned that criminal gangs planting computer-savvy insiders at an organisation is one of the biggest security threats faced by companies today.

John Odell, group IT director at the BBA Group, said it requires constant vigilance. "No amount of automation will overcome this threat," he said.

Nick Clark, director of IT services, Tower Hamlet College, said the insider threat is especially the case in education where "thousands of potential hackers" come through the doors to use computers every day.

Clark said: "We need to do all we can to harden the machines and networks against attacks but this is not helped by some of the poorly written education software requiring administration rights to the systems. New hacking tools that are widely available cause an ever-escalating arms race."

Richard Steel, head of ICT, London Borough of Newham, said unwitting security breaches such as writing down passwords, not logging out of unattended PCs and downloading software are the greatest threat.

He said: "Those of us who have not already done so should therefore be more prescriptive about terms of use and locking-down the infrastructure. Other obvious approaches include single sign-on - avoiding the need to manage a plethora of passwords - and role-based access to only the resources needed for your job."

But Paul Broome, IT director at 192.com, disagreed. He said: "Companies should seed their data with 'sleepers' to spot where data has been lost to external parties. This can happen through legitimate transactions with trusted suppliers and can be far more devastating that an irritated staffer with a 512MB USB stick."

Nicholas Evans, European IT director at Key Equipment Finance, also said financial services organisations have been implementing segregation of duties to protect against the insider security threat and tightening access controls for a number of years.

He said: "I see phishing and interception of data passing between organisations as the biggest risk currently faced."

Today's CIO Jury was…

Russell Altendorff, IT director, London Business School
Alastair Behenna, CIO, Harvey Nash
Paul Broome, IT director, 192.com
Nick Clark, director of IT services, Tower Hamlets College
Nicholas Evans, European IT director, Key Equipment Finance
Adrian Hughes, head of IS, Amlin
Colin Moore, head of IS, Department for Education and Skills
Rory O'Boyle, IT director, The Football Association
John Odell, group IT director, BBA Group
Andy Pepper, director of business information systems, Tetley
Richard Steel, head of ICT, London Borough of Newham
David Supple, head of IT and creative services, Ecotec

If you are a CIO, IT director or equivalent at a large or small company in the private or public sector and you want to be part of silicon.com's CIO Jury pool, or you know an IT chief who should be, then drop us a line at editorial@silicon.com