Traditionally, one of the most important assets of any successful company is its workforce. Competitive edge comes from employing hard-working, law-abiding motivated individuals with a strong company loyalty. Even for the odd employee, with a grudge against the company, the combination of laws and contracts in the past acted as sufficient deterrent to any wrong-doing.
During the past couple of years however, this position of trust has eroded and a growing trend emerged where security breaches are being caused by our own employees with increasingly dire consequences. Should we stop trusting them?
Humans Are Challenging
For someone accustomed to dealing with computers, humans can be scary. Humans are more intelligent than computers, but they are also more unpredictable.
In any organization, there's always the possibility that someone wants to harm the company intentionally. It may be something the boss said, maybe he/she didn't get a raise. Maybe someone at the pub offered them twenty grand for just installing a piece of software on their work machine. Easy money...
Deliberate acts of sabotage or theft of intellectual property are usually punishable by law, and it's getting easier to audit, track and catch culprits.
Then, there is another kind of challenge caused by computer technology. Techies are often to be heard citing the old adage that IT networks would work perfectly if it wasn't for the users. Computer systems have become so complex that it is easy to use them in the wrong way. Any one of us can inadvertently cause security breaches that put our companies at risk. By simply clicking on the wrong key we can end up running some malicious code that will start an attack against the company.
These actions are hard to find, track and repair, but most of all, it's very difficult to punish someone who had no intention of causing any harm. Even the threats of legal deterrents are powerless to fix this problem.
Achieve More, With Less Resources in Less Time
How did we get to this position? What's changed?
Deperimiterization has had a dramatic impact on today's enterprise environment: caused by the integration of internal and external resources and processes, wireless network connections, and the growing demand for remote access and mobile devices, there is no longer a clearly defined perimeter in which employees can safely and securely work.
To maintain competitive advantage, we need to run the best, fastest and most cost-effective networks. This requires a constant investment in IT services. However, achieving cost-effectiveness often entails cost cutting, which can have a negative impact on available IT resources.
For years, IT departments have struggled with the challenge of delivering more for less. Years of budgetary constraints have left a legacy of problems and challenges in the security arena. Internal security is fast becoming one of the biggest concerns for organizations and needs to form part of the risk and reputation management strategy of the company.
So What's at Stake?
The risks are easy to imagine if company data gets into the wrong hands: financial reports leak out just days before the interim report is due, customer credit card data finds its way onto the web, salary information is leaked, and patient records posted to the net. All this can cause direct financial losses and drastically impact a company's reputation.
Another risk is that information can be destroyed. Just imagine what would happen if all your company transactions were destroyed since the last backup. Lack of protection can also impact on business continuity. If you have to stop work due to an internal security breach, or denial of service attack and can't service your customers, even for a short time, this will have a major detrimental effect on your business.
But I don't want to sit here like a prophet of doom pointing out the risks and pitfalls, without offering some guidance. So here are my suggestions:
Four steps towards a safer IT environment:
1.Emphasize and enforce your data security policies and processes:
Create, communicate and enforce clear rules and definitions for both users and IT systems. It won't work unless there is clear commitment from the management.
2.Take preventive measures to enforce data security:
All critical data must be protected both in situ and in transit (and this should be both end-to-end and manageable). Don't rely solely on firewalls and VPNs; it's easy to get inside these perimeter defences. If you leave holes your business will be vulnerable. Limit the availability of systems and data only to those who really need it.
Users and information must be rigorously authenticated and authorized. Operate a centralized user management system. Get rid of the 25 different passwords. Use two-factor authentication (such as PKI or SecurID). Enforce access rights management. Track and log everything. Don't leave room for any social engineering.
3.Ensure reactive security is in place:
Use and update antivirus systems. See that your IPS and IDS are up and running. Ensure that in the event of a network attack you can recover as much data as possible, as fast as possible.
4.Train and educate your personnel and partners:
It's essential that employees understand the importance of security. They should know the correct IT security procedures, understand the possible risks of neglecting the rules and policies and know how to react if they spot any anomalies.
At the beginning I questioned whether we can trust our employees? I strongly believe that we should trust our people. I also believe that the responsibility for protecting against data security risks should not be left in the hands of individuals, since its impossible to guard against accidental security breaches.
You shouldn't accuse any individual of assisting in a hacking attack if the company itself is not properly protected.
It's very important to remember, that data security is an important part of the risk management of any modern organization. Risk management is always the responsibility of the management.
You must protect against both internal and external threats and achieving this demands effective, centralized security management.
Don't be caught unawares!
The author is Product Marketing Manager for SSH Communications Security