Who's The Criminal?

  • From this article in Australia: "Employees are now regarded as a greater danger to workplace cyber security than the gangs of hackers and virus writers launching targeted attacks from outside the firewall." In fact it's the opening sentence in this article and is amazing.

    I caught this on Slashdot, where most of the discussion was about either how employees are great and shouldn't be treated like criminals, or how companies have a right to secure their assets. Typical ranting and complaining by the kids and malcontents on Slashdot.

    But regardless, 75% of IT managers, at least in Australia, think that employees are more of a security risk than hackers. Actually, reading a little further into the article, it appears that hackers recruiting employees is seen as the problem. So I guess the hackers are still responsible, but they, like any good for-profit entity, are looking to be more efficient. It's easier to pay someone $1,000 for a bunch of data than it is to try and hack the firewall, deploy a virus inside the network, etc.

    It makes sense if you think about it. Social engineering can work, but it's got limited capabilities, and you still have to do some work yourself once you get a password or access. If you get the help desk guy to copy down a bunch of files, then they take the risk and you avoid directly walking into or accessing the company. And it's more efficient, because you can get 10 employees to steal from 10 companies while you collect the data and put it to use.

    Heck, for some people it wouldn't take $1,000. Buy a $400 iPod, let some low-level, mistreated administrative assistant go to work, and download 2MB from your database with identity information or copy an XLS of account numbers. Heck, they can download the info, rename the files on the iPod to .MP3s, and walk right through security. Let them keep the iPod and you get the data.

    I've always marveled at how much access and authority the average person, entry-level PC tech, help desk worker, or developer gets in most companies. And how poorly they're treated, or at least how poorly they feel they are treated. And how lowly paid, which in and of itself breeds discontent and no loyalty. It's amazing how much more loyalty many companies would have if they treated people a little better, paid them a fair wage, disclosed how they promote and adjust salaries, and gave them a chance to grow.

    There will always be people that don't like a company. People that will steal information for money. And people you cannot completely trust. And to make it worse, the people you might be able to trust today can have the circumstances of their life change and turn. I like to think that most people are honest and you should make a good effort to hire a team of people, placing the skills that help them get along with your other employees over the technical ones.

    And secure your enterprise. Do not give any one person too much authority or unaudited control of your systems. Use those ACLs, separated logins, and object permissions. Do not get so carried away that you secure things to the point of unmanageability, but divide access up by job function and give those groups/roles to people as they move into new jobs.

    And more importantly, remove them when no longer needed.

    Steve Jones
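Steve's closing advice, dividing access by job function, handing out roles as people change jobs and removing them afterwards, worked as T-SQL. This is an added example, not part of the original post or editorial: the Payroll database, its tables, the role names and the CORP\jsmith login are all made up for illustration, and the ALTER ROLE ... ADD/DROP MEMBER syntax assumes SQL Server 2012 or later (older versions use sp_addrolemember / sp_droprolemember).

```sql
-- Added example (not from the original post): least-privilege access by job
-- function in SQL Server. Database, schema, tables and login names are assumed.
USE Payroll;   -- assumed database
GO

-- One role per job function, never one per person.
CREATE ROLE helpdesk_readonly;
CREATE ROLE payroll_clerk;
CREATE ROLE payroll_auditor;
GO

-- Grant the minimum each function needs, at object level, not db_owner.
GRANT SELECT ON OBJECT::dbo.EmployeeDirectory TO helpdesk_readonly;   -- names and extensions only
GRANT SELECT, INSERT, UPDATE ON OBJECT::dbo.PayRun TO payroll_clerk;
GRANT SELECT ON OBJECT::dbo.PayRun TO payroll_auditor;
GRANT SELECT ON OBJECT::dbo.PayRunHistory TO payroll_auditor;
-- Column-level deny: clerks never need the identity column the article worries about.
DENY SELECT ON OBJECT::dbo.Employee(TaxId) TO payroll_clerk;
GO

-- Each person gets a database user mapped to their own login, then a role.
-- No shared accounts: the audit trail has to name an individual.
CREATE USER [CORP\jsmith] FOR LOGIN [CORP\jsmith];
ALTER ROLE payroll_clerk ADD MEMBER [CORP\jsmith];
GO

-- jsmith moves to the audit team: swap roles rather than accumulating them.
ALTER ROLE payroll_clerk DROP MEMBER [CORP\jsmith];
ALTER ROLE payroll_auditor ADD MEMBER [CORP\jsmith];
GO

-- jsmith leaves: remove the user and the login so nothing is left behind.
DROP USER [CORP\jsmith];
DROP LOGIN [CORP\jsmith];
GO

-- Periodic review: who sits in which database role ...
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
ORDER BY r.name, m.name;

-- ... and who holds sysadmin at the server level (the "too much authority" case).
SELECT sp.name AS login_name, sp.type_desc
FROM sys.server_role_members AS srm
JOIN sys.server_principals AS sr ON sr.principal_id = srm.role_principal_id
JOIN sys.server_principals AS sp ON sp.principal_id = srm.member_principal_id
WHERE sr.name = 'sysadmin'
ORDER BY sp.name;
```

The two review queries at the end are the part worth scheduling: a role design is only as good as the last time someone compared its membership against the org chart.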

  • My only surprise when reading today's editorial is that anyone would doubt employees are the main security risk. Even before hackers started to steal identities, etc., the main way to have any corporate system breached was the password-on-Post-It flaw. Hackers, in my experience, are bright enough to realize that this laxity can be turned to their advantage. And, it isn't any wonder people can be swayed by small sums of money given the truly awful treatment I have seen some employees suffer at the hands of faceless corporate policies.

    I am always surprised, though, when I directly advise a client to remove my access after I have completed work for them, only to find two years later that a remote-access capable logon is still possible using a static username and password that is two years old. The number of times this has happened shocks me, and has actually led me to send out reminders and test logons many months after the fact. In over 80% of all cases, I have had to give them at least three notices before they responded, showing a weakness of internal control that I can barely fathom.

    The most egregious oversight I remember in my career is a company that called me in to help redesign their systems and gave me complete access, including to all confidential email stores, etc. At the time I discovered that, I told them what I specifically needed access to, and they gave me a "standard" account (their term). The standard account made it possible for me to read the company president's emails, if I chose to, and I found out every employee with a logon had the same broad access.

    My only reason to use that example is to observe that it is an electronic version of leaving the company revenues sitting on a public accessible desk, and with that kind of sloppiness, it is no wonder an employee might be tempted. Even one bad apple in a batch could easily be the end of such a company.

    Hopefully, when enough money has been lost, the idea of treating your employees like valuable assets will impress itself on the world.
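The two-year-old contractor logon described in the post above is the kind of thing a standing query can surface before an outsider has to send reminders. The following is an added example and not from the original post: it assumes SQL Server (where LOGINPROPERTY and sys.sql_logins exist), that the stale accounts are SQL-authenticated logins, and a 90-day password-age threshold chosen for illustration.

```sql
-- Added example (not from the original post): list SQL Server logins that look
-- like forgotten remote-access accounts. The 90-day threshold is an assumption.
DECLARE @MaxPasswordAgeDays int = 90;

SELECT
    l.name,
    l.create_date,
    l.is_policy_checked,        -- 0: Windows password policy not enforced
    l.is_expiration_checked,    -- 0: the password never expires
    CAST(LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS datetime) AS password_last_set,
    DATEDIFF(day,
             CAST(LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS datetime),
             GETDATE()) AS password_age_days,
    CASE WHEN srm.member_principal_id IS NOT NULL THEN 1 ELSE 0 END AS is_sysadmin
FROM sys.sql_logins AS l
LEFT JOIN sys.server_role_members AS srm
       ON srm.member_principal_id = l.principal_id
      AND srm.role_principal_id = (SELECT principal_id
                                   FROM sys.server_principals
                                   WHERE name = 'sysadmin')
WHERE l.is_disabled = 0
  AND l.name NOT LIKE '##%'     -- skip the certificate-based system logins
  AND (
        l.is_expiration_checked = 0
     OR DATEDIFF(day,
                 CAST(LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS datetime),
                 GETDATE()) > @MaxPasswordAgeDays
      )
ORDER BY password_age_days DESC, l.name;

-- Disable first (reversible), and drop only once the account's owner has
-- confirmed nobody depends on it. Login name below is a placeholder.
-- ALTER LOGIN [contractor_acct] DISABLE;
-- DROP LOGIN [contractor_acct];
```

Sorting by password age puts the oldest static credentials at the top; an enabled login with is_sysadmin = 1 and a password older than the threshold is the one to chase first.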

  • It should be no surprise that employees are the number one threat to security. We've seen CIA agents, FBI agents, and military personnel with top secret clearances give secrets to Russia, Israel, etc., oftentimes for very small sums of money. There are many reasons: financial, revenge, and sex to name a few, but it all comes down to this: the human factor is the weakest link. Either through laziness, stupidity or criminal action, most security actions can be traced to user action.

  • It is no surprise to me that this is the case in the IT business. It is this way in every other business, and it's time for the IT world to wake up to this fact. Employees are the greatest source of loss in every business I've ever managed, which includes grocery, construction, fast food, greenhouse/farming and retail. Employees routinely take company assets home with them, waste materials, and milk the clock, as well as engaging in other risky activities such as coming to work intoxicated (a big problem in manufacturing). Nobody should be surprised that they are also a security risk. For the average employee it's not an issue, but one idiot can cause a lot more damage than you would suspect. Employees will always be a company's biggest risk, in whatever area you look at, including security. The only drawback of the article is the method they focus on. It's not that employees are targeted by criminals for assistance with their criminal activity, it's that the employees are the criminals themselves.
