And when its picked up by his teenage son, who inadvertently downloads it to his hard drive (where its sucked up by spyware and sold to operators in Eastern Europe) the affect is worse than many hack attacks.
The scenario may seem farfetched, but similar tales make headlines on a regular basis: the lost laptop, the accidental emailing of personal information. Vast storehouses of sensitive data are released due to employee carelessness (or employee malfeasance). Your expensive firewall is rendered worthless.
Is the Mac Really More Secure than Windows?
Web 2.0 Security: Application Scanners
Spam Bust: The Lessons of Yesmail
Russia's Export To America: Malware
More and more, companies are coming to a sobering realization: their own staff represents a sprawling security threat. In a recent report, McAfee CTO Christopher Bolin summed it up: Unfortunately, be it deliberate or accidental, the reality is that todays workforce is posing a serious security threat to corporations, one with the potential to damage a companys brand, reputation and even entire business.
Tightening Your Internal Security
The difficulty of safeguarding against your own employees, of course, is that they are inside the firewall. Theres no way around giving at least some employees at least some access to confidential information.
So whats a company to do? To address that, Datamation spoke with McAfee executive Vimal Solanki, who noted that tightening up internal security involves two broad concepts: A) Defining security rules and policy (which includes defining exactly where your data resides and where it shouldnt reside), and B) Enforcing that policy.
Specifically, Solanki detailed these five points from McAfees report on improving internal security:
1) Develop, enforce, and ensure compliance of security policy
Step One is always developing a specifically defined security policy, and the McAfee report found that 84% of companies have done this (which makes you wonder about the remaining 16%).
A big part of this task is deciding who has access to what: the CEO obviously has total access to all documents, with access privileges tightening as you move down the hierarchy. Since even low-level employees need some sensitive data, the policy must define how precisely, down to the night watchman this information will be archived and distributed.
2) Safeguard data at every stage
A secure company looks at all channels of how data can leave the perimeter. The channels are divided into three areas, Solanki says: physical, network and application.
The physical is, once you have the right policy, you should be able to prevent printing of the document, he says. I shouldnt be able to copy it to a USB drive or my external hard drive.
Network: I shouldnt be able to transmit this over my wi-fi connection when Im in Starbucks, or just put it over an http transfer.
Application: Once I have the data, I shouldnt be able to email it, or put it on an instant messenger. I shouldnt be able to use my Yahoo or Google personal email to send it out.
Your protection must travel with your data. Not only should a staffer be policed at work, But I should have the same policy when Im sitting at a Starbucks, he says. Ideally, even an employee sitting on a plane who attempts to access his email archive in prohibited ways will be blocked.