
From ignorant to vigilant, users can become a company's human firewall.

IT'S EASY for businesses to forget that the greatest risk is from within. It is employees who have access to the most sensitive data, as well as the opportunity to expose their employers to competitive fraud, external attacks and malicious tampering.

Despite this, few organisations seem to be investing in security-related training for employees. And while technology is certainly a part of the solution to protect valuable data, perhaps it is time that businesses took a more holistic view of security and risk mitigation.

So what is the profile of an employee who poses a security threat to a company? According to industry experts, it is anyone who has access to your network, computers, printers and even telephones. Simply put, it is everyone who walks through your door.

IGNORANCE IS NOT BLISS

Contributing to the blissful state of ignorance within end-user organisations, few security solution providers are likely to draw attention to employee-based risks in their sales pitch, preferring instead to focus on products and solutions. , director of Magix Integration, estimates that only 1% to 2% of companies are actually investing in end-user training.

"Security ignorance among employees provides many opportunities for malicious behaviour," he explains.

For this reason, Symantec regional director, , says that staff education is critical: "It is vital for management to consider the human security factor when implementing security policies and procedures. Through appropriate education, employees can become the company's human firewall."

According to systems engineer Martin Warshaw, however, it's unlikely that employee education will work. "It's great to make people aware, but I don't believe education is the full solution, for the simple reason that people have a tendency not to follow policies or apply what they've learnt."

TAKING ADVANTAGE

But as the art of 'social engineering', or conning ignorant users, spreads in developed countries, South African businesses will have to look to employees for protection from serious breaches.

In his book titled 'The Art of Deception', American hacker turned security consultant, , confirms the sentiments of the abovementioned experts: the human factor truly is security's weakest link. Relying predominantly on manipulating legitimate users into parting with, or allowing access to, company resources, Mitnick perpetrated a series of high-profile corporate break-ins in the 1990s and served five years in federal prison for his pains.

Today, on the side of the good guys, he reveals just how easy it is for someone to enter the most secure of environments.

"As developers continually invent better security technologies, making it increasingly difficult to exploit technical vulnerabilities, attackers will turn more and more to exploiting the human element. Cracking the human firewall is often easy, requires no investment beyond the cost of a phone call, and involves minimal risk," he says. In his book he explains that companies that conduct security penetration tests through social engineering methods find them nearly 100% successful. The only truly effective way to mitigate the threat, he argues, is security technology combined with policies that set ground rules for employee behaviour, together with employee education.

ARMED AND DANGEROUS

Of course, your user training could work against you, as employees with malicious intent get a heads-up on the steps that have been implemented to measure and monitor unusual activity. In this regard, access control alone is unlikely to protect you, because it is precisely those with legitimate access who recognise the damage that could be done, or the money that could be made. Lubashevsky explains: "The proliferation of technology has resulted in great productivity improvements in corporations, but it has also made it easy to steal information or manipulate it for personal gain. And although most people are honest, there is always a minority that sees nothing wrong with helping themselves to company property, whether it's a stapler or the customer database." This is where technology, once again, enters the equation: when technology is used in the perpetration of fraud, the best way to detect it and raise an immediate alarm is with technology.

Pointing to increasing levels of employee fraud and vandalism globally, Lubashevsky says businesses need to investigate solutions that can monitor specified people, applications and business processes in real time, without alerting users to the surveillance or adversely affecting the performance of enterprise applications.

Without these and other solutions aimed at preventing internal damage, he warns, companies could quite easily find themselves facing reputational damage, governance violations and high cost recoveries.

PRODUCTIVITY OVERBOARD

But before blowing your complete technology budget on security solutions, Cisco's Warshaw reminds management that security solutions, policies and procedures should not be overly restrictive.

"There are many challenges that businesses have to consider when looking at security, particularly when intuitivism and intelligence are concerned. But at the end of the day, any solution deployed needs to meet company requirements without being so restrictive that productivity is affected," he concludes.
