CHICAGO -- Buckets of cash are spent on firewalls, antivirus software and intrusion-detection systems to keep external attackers at the gate. But a company's own employees pose a bigger threat to enterprises, their data and their assets.
It's pretty obvious that people with access to networks and sensitive information can do a lot of damage to a company. Yet companies often push that reality to the back of their minds. It's easier envisioning black-hat hackers and script kiddies as enemies of the company than the people you see around the office every day.
"Hackers have never put a company out of business [though they cause a lot of damage]," said William Murray, an executive consultant with TruSecure, at this week's CSI Computer Security Conference and Exhibition. Insider threats have shut businesses down. "We have seen the enemy, and it is us."
Companies need to stop thinking they must spend their resources defending against the Kevin Mitnicks of the world. Employees pose a variety of threats, from simple mistakes to corporate espionage.
Yet employees can also be a company's best defense if they understand and comply with a security policy.
How employees pose a risk
The archetypical disgruntled employee is often the poster child for insider threats. Such a person may have been passed over for a promotion or been laid off. He then uses his knowledge -- and his remaining access to corporate networks -- to wreak havoc.
Yet there are other scenarios. There is corporate espionage, where a competitor is able to get an employee to give up sensitive information. Sometimes this isn't so clandestine. An employee leaving a company for a competitor may copy some data that might come in handy at his new position.
Innocent employee errors are also a risk. For example, an employee who sees how a mistake allowed money to be siphoned from an account could be tempted to try it again, this time in his favor, Murray said.
Additionally, errors often highlight areas in applications and systems that need work, Murray said.
Ways to address internal threats
Can a company truly protect itself from threats inside the firewall? Probably not, Murray said. A company can foster a corporate culture that reduces the reasons for employee threats. Also, proper controls can be put in place so that if something happens it can be caught in a timely fashion, in other words, "before you are bankrupt," Murray said.
Fostering that corporate culture requires a top-down approach from management. "Executives should have a message of integrity," Murray said.
One way of accomplishing this is to have policies and controls in place that prevent such things from happening. There should be robust audit trails so actions can be caught. Transactions should be recorded at every juncture. Such information should be saved to "imputable" media such as write-once CDs or, better yet, media that is encrypted and time stamped, Murray said.
Another way to address internal threats is to make sure employees only get access to the data and systems they need access to. This may sound rather basic, but it's not unusual for employees to have 10 to 20 times more access to resources than they need to do their jobs, said Ben Rothke, a consultant with QinetiQ Trusted Information Management Inc.
Physical security is also an important consideration when it comes to guarding against internal threats. "Having your firewall in a snack closet doesn't provide a lot of security," Rothke said.
The Health Insurance Portability and Accountability Act (HIPAA) has prompted health care-related businesses to implement such controls. "But you don't have this in other sectors," Rothke said.
Rothke thinks companies should address computer security issues like they address sexual harassment. From the first day of work, employees realize sexually suggestive remarks won't be tolerated. Companies should take a similar tack when it comes to misuse of corporate systems, though companies don't have the same impetus. "Companies [are motivated to] deal with sexual harassment out of fear of lawsuits," he said.