To catch a thief

Enterprises often underestimate the potential threat to data from disgruntled ex-employees. Piers Ford reveals the available safeguards.

Photo caption: RABASSE: Currently, collusion with attackers from outside an organisation is a growing threat.

By Piers Ford. Published April 5, 2010, Arabian Computer News.

If the findings of a new study are true, CIOs should wake up to a stark and rapidly-approaching reality when it comes to the security of the corporate data they are employed to protect: beware the enemy within – especially if he is about to be given his marching orders.

The Symantec-sponsored study from Ponemon Institute – Data Loss Risks During Downsizing – suggests that staff adopt a very pragmatic attitude to their employers’ confidential information when they are let go. In the downturn, with new jobs harder to come by, a customer mailing list or a contacts database suddenly becomes a very useful commodity.

The results of the US-based study should resonate with CIOs in the Gulf region, where redundancy and reduced headcounts are just as much a fact of life: 59% of departing staff steal company data on their way out. Of these, 79% are fully aware that they are breaking company rules. Just 15% of respondents said their employer audited the paper and electronic documents they were leaving with. Almost 70% said they had used stolen data as collateral to improve their new job prospects, and a similar number planned to use stolen contact and e-mail lists themselves.

In other words, for all their focus on beefed-up firewalls, enterprise security and the constant threat of cyber attacks, CIOs are often guilty of ignoring an uncomfortable danger right under their noses. And in doing so, they are compromising data security – almost certainly in breach of compliance regulations – and damaging the competitiveness and financial prospects of their business.

“In the Middle East, technology is driving information security,” says Tareque Choudhury, head of security practice, Middle East and Africa at BT Global Services.

“The domain of information security encompasses people, processes and technology. Time and time again, the majority of organisations in the region fail to recognise that just putting in firewalls and some anti-virus is not enough to ensure their adequate protection. Not only does each company need to protect itself from the digital world, but it needs to protect itself from its own employees. And this can only come when technology is coupled with good processes and the right people.”

The key, suggests Choudhury, is assessing where the weak links are in your organisation. And according to many observers, that invariably means focusing on staff – their practices and attitudes – when they are gainfully employed as much as when they are being asked to leave.

“Employees will always be the weakest possible link, simply because there is no patch available for naivete,” says Roger Thompson, chief research officer at Anti-Virus Group. “That’s why the most common threat that we see every day revolves around things like web-based social engineering. Everyone uses the web to browse information and web traffic tends to go right through the firewall.

“The bad guys understand this, and structure their offerings to trick people. Of course, we’ll always see exploits come along, but they do get patched and eventually, in a corporate environment, become less of a problem. However, people can always be tricked,” he continues.

The good news for CIOs, according to Symantec’s Middle East security expert Bulent Teksoz, is that even with limited IT budgets, resources and support from the other business units, if only one in ten IT projects is given the go-ahead, it will almost certainly be the one focused on security issues and preventing data loss.

Password follies

No matter how many times a CIO is told that employees will always represent the most dangerous threat to their data security, most of them would prefer to trust staff and colleagues.

According to Stephane Fymat, vice president of strategy and product management at password specialist Passlogix, this means that about 80% of companies around the world have no protection or procedures in place to prevent possible data loss when an employee leaves the business and decides to take something along. “Most employees have a good knowledge of the internal network, which can have huge implications for a business’ own valuable data, or that of its customers if an employee then chooses to access the system maliciously,” he says. “Many companies don’t change access passwords for months after people have left.

To protect against this, a business needs to firstly clarify its internal policies and get its procedures in order. Ask yourself, which of your IT administrators has what level of access and control?” he questions. “There are usually policies in place but they are, more often than not, dormant. Then you need to communicate your policies to every member of staff so that they know their responsibilities. Finally, firms must properly encrypt, store and govern the use of privileged account IDs and passwords,” ends Fymat.
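The two gaps Fymat describes, leavers whose accounts stay enabled and privileged passwords that are not changed after an administrator departs, can be turned into a routine reconciliation check. The following is an added example, not code from the article or from any vendor quoted in it; the HR leaver list, directory export, group names and account names are constructed sample data, and in practice they would come from the HR system and a directory export.

```python
from datetime import date

# Constructed sample data (not from the article).
# HR leaver list: account name -> last working day.
LEAVERS = {
    "jdoe": date(2010, 1, 15),
    "asmith": date(2010, 3, 1),
    "bkhan": date(2010, 3, 20),
}

# Directory export: enabled flag, last password change, group membership,
# and whether the credential is a shared/service account known to several admins.
DIRECTORY = [
    {"account": "jdoe", "enabled": True, "pwd_changed": date(2009, 11, 2),
     "groups": ["Domain Admins"], "shared": False},
    {"account": "asmith", "enabled": False, "pwd_changed": date(2010, 2, 10),
     "groups": ["Sales"], "shared": False},
    {"account": "bkhan", "enabled": True, "pwd_changed": date(2010, 3, 25),
     "groups": ["Sales"], "shared": False},
    {"account": "svc_backup", "enabled": True, "pwd_changed": date(2009, 6, 1),
     "groups": ["Backup Operators"], "shared": True},
]

PRIVILEGED_GROUPS = {"Domain Admins", "Backup Operators"}
TODAY = date(2010, 4, 5)  # constructed report date


def stale_access_findings(leavers, directory, today):
    """Return (account, severity, reason) for leaver accounts still enabled and for
    shared privileged credentials not rotated since a privileged user left."""
    findings = []
    # Most recent departure of anyone who held a privileged group: any shared
    # privileged password last changed before that date is presumed known to a leaver.
    priv_departures = [leavers[a["account"]] for a in directory
                       if a["account"] in leavers and PRIVILEGED_GROUPS & set(a["groups"])]
    last_priv_departure = max(priv_departures, default=None)
    for acct in directory:
        name, groups = acct["account"], set(acct["groups"])
        if name in leavers and acct["enabled"]:
            days = (today - leavers[name]).days
            severity = "high" if groups & PRIVILEGED_GROUPS else "medium"
            findings.append((name, severity, f"still enabled {days} days after departure"))
        elif acct["shared"] and last_priv_departure and acct["pwd_changed"] < last_priv_departure:
            findings.append((name, "high",
                             f"shared privileged password unchanged since before {last_priv_departure}"))
    return findings


def report():
    return stale_access_findings(LEAVERS, DIRECTORY, TODAY)
```

Running `report()` on the sample data flags the departed administrator who is still enabled, the recent leaver in a non-privileged group, and the shared backup credential that was never rotated after the administrator left.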
