By Will Sturgeon, 29 April 2005 16:30
NEWS For all the technology on display at InfoSecurity Europe this week it seems the biggest problem plaguing IT directors is still the largely non-technical issue of end-users and their ability to undermine even the most robust security.
According to a silicon.com poll, employees represent the biggest single threat to any company. And while temps have often come in for stick because of the threat more nomadic staff can pose, one attendee at InfoSec said it is the sales team, with their eye on business critical data, that really need to be watched - if only for their own sake.
Employee error was cited by 17.2 per cent of respondents as the biggest threat while malicious employee activity was cited by 13.1 per cent - meaning almost a third of respondents fear the activity, whether intentional or not, of their staff.
Spyware was next up, cited by 27.8 per cent of respondents, with viruses being cited by 20.5 per cent, followed by phishing (11.3 per cent) and hacking (10.5 per cent).
Separate research from Unisys reveals that 51 per cent of security managers believe negligent or malicious employees are a significant threat to their business.
Mark Thomas, head of security at Logicalis, told silicon.com: "One of the biggest problems is that everybody comes into a company on day one, signs the email and internet usage policy and that's the last they think about it."
Many companies have made a rod for their own backs by turning a blind eye to many behaviours which are technically in breach of the rules, he added.
And he believes the problem is out of control, with a raft of consumer gadgets and portable storage devices travelling in and out of organisations each day and staff making free with email, IM and their internet access and storing illegal copyrighted files on the network.
"If you walked out of your office four years ago with a 40Gb hard drive under your arm you would be arrested but that's exactly what people are doing every day."
The problem, especially where companies losing track of their data is concerned, isn't helped by the form factor of increasingly scaled down storage devices.
"The mediums are almost impossible to control and they will continue to grow in numbers. So companies have to secure their data."
The far and wide distribution of data outside the organisation also creates problems, said Gary Clark, VP EMEA at encryption specialist SafeNet. The more well-travelled data becomes, on phones, laptops, handhelds, over networks, site to site and on portable storage devices, the greater the chance it will be lost or stolen along the way.
But before implementing any measures which will change and limit the way employees can interact with data within the organisation, companies need to make sure staff know why they are doing it, said Logicalis' Thomas.
"They need to say, we're not doing this because we're being Big Brother. They need to convey the message as to why security is important and they need to get people to buy in to this."
Thomas added that companies could do worse than start with their sales team. Often the sales team will include the biggest gadget fans who act as their own administrator, he said. They are also frequently the ones with most direct access to business critical data which can be compromised either accidentally or maliciously.
"It's the sales guys you need to watch, you need to know if they're emailing all your sales lists to their Hotmail accounts."
Comments
There are 4 comments. Join the discussion
1. anonymous
You have to watch your sales team if you are a computer security product provider. The sales team will sell anything they can get a commission for, regardless of whether there really is a product that does what their presentation says it does. When they figure out what the customer wants, they'll sell a fix and let engineering or services come up with something to fill the bill.
2. Matt Atkinson
The way you control this problem is intelligent use of existing data.
You have the ability to monitor activity across the network, and know which systems have been accessed along with physical security logs. You then start to build a picture of behaviour patterns, and over a short time begin to get an idea of the worst offenders. There are some sophisticated data mining tools out there that can be "pointed" in the right direction to achieve this.
With the right reporting unusual behaviour sticks out like a puppies nose.
Once your staff know you have this capability, watch as your "incidents" drop faster than Wayne Rooney in the 'box.
A final thought:
If salespeople are such a potential threat, imagine what can be achieved if those salespeople collude with external threat!
3. anonymous
You just don't get it do you? No sales= no company=no techies.
4. anonymous
People, including sales, need to change the way they handle/access data. Stop mirroring data into laptops and PDAs (such as BlackBerry). Make sure they can access their data on-line without the need of synchronisation. Sales will soon realise that on-line access gives them more flexibility and the CTO does not need to worry about this particular security threat.