And when it’s picked up by his teenage son, who inadvertently downloads it to his hard drive (where it’s sucked up by spyware and sold to operators in Eastern Europe) the affect is worse than many hack attacks.
The scenario may seem farfetched, but similar tales make headlines on a regular basis: the lost laptop, the accidental emailing of personal information. Vast storehouses of sensitive data are released due to employee carelessness (or employee malfeasance). Your expensive firewall is rendered worthless.
More and more, companies are coming to a sobering realization: their own staff represents a sprawling security threat. In a recent report, McAfee CTO Christopher Bolin summed it up: “Unfortunately, be it deliberate or accidental, the reality is that today’s workforce is posing a serious security threat to corporations, one with the potential to damage a company’s brand, reputation and even entire business.”
Tightening Your Internal Security
The difficulty of safeguarding against your own employees, of course, is that they are inside the firewall. There’s no way around giving at least some employees at least some access to confidential information.
So what’s a company to do? To address that, Datamation spoke with McAfee executive Vimal Solanki, who noted that tightening up internal security involves two broad concepts: A) Defining security rules and policy (which includes defining exactly where your data resides – and where it shouldn’t reside), and B) Enforcing that policy.
Specifically, Solanki detailed these five points from McAfee’s report on improving internal security:
1) Develop, enforce, and ensure compliance of security policy
Step One is always developing a specifically defined security policy, and the McAfee report found that 84% of companies have done this (which makes you wonder about the remaining 16%).
A big part of this task is deciding who has access to what: the CEO obviously has total access to all documents, with access privileges tightening as you move down the hierarchy. Since even low-level employees need some sensitive data, the policy must define how – precisely, down to the night watchman – this information will be archived and distributed.
2) Safeguard data at every stage
A secure company looks at all channels of how data can leave the perimeter. The channels are divided into three areas, Solanki says: physical, network and application.
• “The physical is, once you have the right policy, you should be able to prevent printing of the document,” he says. “I shouldn’t be able to copy it to a USB drive or my external hard drive.”
• Network: “I shouldn’t be able to transmit this over my wi-fi connection when I’m in Starbucks, or just put it over an http transfer.”
• Application: “Once I have the data, I shouldn’t be able to email it, or put it on an instant messenger. I shouldn’t be able to use my Yahoo or Google personal email to send it out.”
Your protection must travel with your data. Not only should a staffer be policed at work, ‘But I should have the same policy when I’m sitting at a Starbucks,” he says. Ideally, even an employee sitting on a plane who attempts to access his email archive in prohibited ways will be blocked.
3) Access control and monitoring
Okay, you’ve got your policy, but is it being followed? “More importantly, there are industry regulations that require you to demonstrate compliance,” Solanki says. An airtight security infrastructure will block access, and it will also record the user, the time, and attach the document that he or she is trying to print.
Solanki describes this process with a tone of satisfaction right out of an episode of TV show CSI: “forensic evidence.”
This policy can be tighter still for employees who management identify as “at risk,” or who are about to leave the company. For these workers, some companies set up a system that records every single contact this individual has with sensitive data. “It can be done in a quiet mode, or in a more visible way that prevents the employee from doing it, and it pops up a screen,” he says.
4) Monitor and prevent installation and usage of unauthorized applications
“One of the biggest threats is that when I go to visit a seemingly innocent Web site, behind the scenes a keylogger is being installed on my laptop – that is the No. 1 issue today,” Solanki says. This keylogger allows a hacker to perpetrate identity theft by stealing all of an individual’s passwords.
“The identity theft business has gotten so sophisticated that if I wanted to rent a botnet – an army of infected machines – I can do that for a dollar a day per PC,” Solanki says.
Safeguarding against authorized apps includes building a tough line of defense on the front lines: all your workers’ PCs must have tough anti-virus and anti-spyware, and ironclad technologies to prevent the installation of a botnet app.
5) Educate and train your staff
Companies have wide latitude in terms of how they enlist their workers in security efforts. The stringency of these effort can range from a pop-up that informs users they’re breaking company policy (which Solanki notes that many users ignore) to iron-wall pop-ups that block action.
To be sure, staff training is urgently needed in battling security threats. For example, many security administrators were aghast that employees kept opening emails whose subject line was “I Love You” – long after it was identified as part of a massive virus attack. Clearly, employees represent a loose link – maybe the loose link – in the security chain.