Contrary to what many executives believe, evidence suggests that hackers present less of a security risk than your...
employees, colleagues or business partners. Policing your enterprise for loopholes and leaks requires vigilance and an attitude of shared responsibility.
"Companies think their people are basically good and won't do them any harm," says Norm Inkster, president of KPMG Investigation & Security Inc. in Toronto, Canada. "But it?s been our experience that your information is most vulnerable to internal breaches of security."
Furthermore, internal breaches wreak the most financial damage on companies, according to Bill Malik, a security analyst with Gartner Group in Stamford, Conn. For example, San Francisco-based Computer Security Institute, in its latest computer crime and security survey, found that 85% of nearly 540 respondents acknowledged detecting computer security breaches within the last 12 months. Of those respondents, 64% tied the breach to financial losses. The survey says the exploited companies lost hundreds of millions of dollars through theft of proprietary information or financial fraud.
Steps to take
Malik, Inkster and other security experts suggest a series of preventive measures and ways to help recover if your security is compromised. These steps, as well as more fundamental precautions, should emanate from a comprehensive company policy that accounts for both your physical and IT security. "Your security policy has to correlate to accountability," says Andy Evans, senior security engineer with IT services firm Ecora in Portsmouth, N.H. "Upper management should promote the policy so all employees feel security is their personal responsibility."
Include a code of conduct in the policy so all employees, vendors, contractors, consultants and other partners view security as a shared responsibility, Malik says. "Security is about governance, culture and values. Your environment is safe when everybody (associated with) your company is committed to doing the right thing."
But many companies fail to take even elementary measures, such as frequently varying security codes and passwords and limiting access to them, according to John Muir, president of Pointsec Mobile Technologies Inc., a security software company in Walnut Creek, Calif. Factory-set default passwords that go unchanged are thought to be a favorite entry point for hackers. "It?s surprising how many people still never change their password, or keep it hidden under a blotter or inside a desk drawer," says Muir.
Other measures include attaching asset tags to identify computer equipment and tangible property, so you can trace who is using it. Inkster advises charting the physical layout of your plant to look for points of ingress and egress that could be used to unlawfully remove equipment and other assets.
Since your employees could be handling sensitive company information, Inkster stresses that ensuring their reliability is paramount. "It?s important to do thorough background checks on the people you?re hiring, with an emphasis on system administrators," he says.
You might want to have employees sign proprietary information agreements, says Muir. When employees leave, "conduct good exit interviews where you ask specific questions. Make an exit checklist of items the employee needs to return, such as PDAs, laptops, hard drives and other company-owned equipment."
Evans recommends making internal security audits part of routine system maintenance. Regularly documenting the configuration of your operating system helps spot vulnerabilities and security loopholes associated with new systems, applications or upgrades. He urges implementing a "closed-loop risk-management process" that includes automated cyclical system audits, analysis, review and periodic adjustment of system settings. "This enables you to address issues as soon as they are exposed."
Develop an emergency response plan that anticipates potential violations and enables you to act swiftly, says Frank Prince, an analyst with Forrester Research Inc. in Cambridge, Mass. "Figure out what information is most at risk," he says, "and then design a system that will protect it."
Malik points out another source of help. The International Systems Audit and Control Association and Foundation provides information for improving IT control, governance and assurance.
If after taking steps to preventing internal breaches fails you, Inkster says that the most important challenge following detection of an internal breach is to identify the culprit. "You have to be able to trace the origin of the breach, so you can immediately get perpetrators out of the loop," says Inkster.
While identifying the perpetrator is critical, experts say systems administrators and IT personnel should not attempt to resolve the problem. By doing so, they could unknowingly corrupt potential evidence and make legal action or recovery of assets difficult to impossible. "Appoint a team leader and make sure to include all departments that will deal with the incident, including legal and public relations," says Frank Prince, an analyst with Forrester Research Inc. in Cambridge, Mass. "This might mean subcontracting with specialists like computer forensics, hosting companies, or security consultants who can evaluate your security posture and help you fashion a response."
Report and resolve
It is widely believed that internal breaches are rarely reported, and many more probably go undetected. "You?ll have to decide whether or not you want to prosecute. Many times companies don?t want to publicize an incident for fear they?ll trigger a copycat," says Muir.
Yet companies needn?t feel reluctant about reporting security compromises. Muir advises immediately reporting breaches anonymously and free of charge to the Computer Emergency Response Team, a federally funded research and development center operated by Carnegie-Mellon University in Pittsburgh.
Another venue for reporting is the National Infrastructure Protection Center, which assists the private sector and government agencies with investigations of cybercrime incidents. Certain software vendors, including Microsoft and Symantec Corp., also encourage anonymous reporting of security glitches found in software upgrades.
FOR MORE INFORMATION:
About the author: Garry Kranz is a freelance technology and business writer based in Richmond, Va.