IT Focus – Be aware of the enemy within.

Could you breach your own company’s security defences? Of course you could – you work with computers every day. In fact, you’ve probably breached them already this week by downloading internet files, burning content onto a CD or installing software from a floppy disk.

With 60% of all network attacks coming from inside the company, employees represent the single largest threat to network security, says researcher IDC. ‘Companies are just not aware of this,’ says Thomas Raschke, IDC programme manager for European internet security. ‘Firms tend to trust their workers too much.’

Certainly, few companies have addressed the threat of internal security breaches, according to a report from consulting group Ernst & Young. While 90% of those surveyed were concerned by the threat of significant fraud by employees, just 10% were confident that adequate controls were in place to prevent it.

Through the corporate network, employees can often tinker with everything from the application server to the web content management system. It only takes one disgruntled employee to damage the organisation.

Even quite junior employees have the potential to cause significant damage, says Jan Babiak, a partner with Ernst & Young’s IS advisory service. ‘Passwords and monitoring can be naive if not properly directed. Quite often, junior employees can get right back to the Unix box and do the damage from there.’

Managing internal fraud may be complex and expensive, but it’s certainly cheaper and easier than cleaning up after a major security incident, says Graham Titterington, senior analyst at Ovum. ‘There are a lot of holes not being addressed and people are not identifying their main priorities.’

The first priority is to work out exactly what information could be vulnerable and how far you’re prepared to go to protect it. In other words, are you prepared to fork out £50,000 to protect files that contain nothing more sensitive than an internal phone directory? Files containing customer records, on the other hand, may justify top-level defences.

For large organisations, assessments can be automated using products such as Insight Assessment, which seeks out unprotected data and creates logs of user access rights. However, such tools are limited and the results need to be examined by skilled assessors who understand the qualitative value of information. Assessors should also be screened to reveal their own attitudes to fraud. While most managers are aware of workplace fraud, 40% wouldn’t blow the whistle on a colleague, according to KPMG research.

Addressing fraud in the workplace should begin with a policy document providing general rules for employees. Recognised technical standards such as the BS 7799, the code of practice for information security management, can be a useful guideline for such policies.

It’s also important to ensure employees are aware of the policies, as well as the penalties for breaching them.

Policy documents are largely common sense to IT departments – don’t download executable files, don’t send attachments, save sensitive information to the server and change default passwords – but don’t assume employees will feel the same way.

IT departments are often among the worst offenders. It is worth bearing in mind that 50% of firewall breaches occur when default settings are left unchanged, and 70% of companies don’t even know when or how often their security policy is revised, according to analyst Datamonitor. ‘The biggest problem is that people are lazy,’ warns Raschke.

Policies should be backed up with good working practices. Implement log-on passwords for PCs and check that end-users are keeping them secure.

‘Check if people use obvious passwords, and make sure they don’t write them down and stick them on a post-it note,’ says Titterington.
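The advice above (look for ‘obvious’ passwords) is easiest to act on at the moment a password is set rather than by inspecting stored credentials. The following is an added example, not code from the article or from any product it names: a policy check an IT department might run at password-change time. The common-password list, minimum length and keyboard sequences are constructed for the example; a real deployment would load a much larger list.

```python
"""Weak-password check to enforce at password-change time.

Added example (not from the article): codifies the advice to look for
'obvious' passwords. The common-password list is a constructed sample.
"""
import re

# Constructed sample of frequently chosen passwords (normally loaded from a file).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin", "changeme",
}

MIN_LENGTH = 10
KEYBOARD_RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def _normalise(pw):
    # Strip trailing digits/symbols so 'Password1!' is still caught as 'password'.
    return re.sub(r"[^a-z]+$", "", pw.lower())


def _has_keyboard_run(pw, length=4):
    # True if any 4-character slice of a keyboard row appears in the password.
    low = pw.lower()
    for run in KEYBOARD_RUNS:
        for i in range(len(run) - length + 1):
            if run[i:i + length] in low:
                return True
    return False


def password_weaknesses(password, username):
    """Return the reasons a candidate password is 'obvious'; an empty list means acceptable."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)
    if _normalise(password) in COMMON_PASSWORDS:
        findings.append("on the common-password list")
    if username and username.lower() in password.lower():
        findings.append("contains the username")
    if password.isdigit():
        findings.append("digits only")
    if _has_keyboard_run(password):
        findings.append("contains a keyboard sequence")
    if len(set(password.lower())) <= 2:  # e.g. 'aaaaaaaaaa'
        findings.append("too few distinct characters")
    return findings


def audit_passwords(entries):
    """Run the check over (username, candidate password) pairs; return only the failures."""
    failures = {}
    for user, pw in entries:
        reasons = password_weaknesses(pw, user)
        if reasons:
            failures[user] = reasons
    return failures


if __name__ == "__main__":
    # Constructed sample input: candidate passwords submitted at change time.
    sample = [
        ("jsmith", "Password1!"),
        ("akhan", "akhan2001"),
        ("ljones", "Tr4velling-Kettle-88"),
        ("root", "qwerty123"),
    ]
    for user, reasons in audit_passwords(sample).items():
        print(user, "->", "; ".join(reasons))
```

The check deliberately normalises away trailing digits and symbols before consulting the list, because appending ‘1!’ to a dictionary word is the usual way users satisfy a naive complexity rule without making the password any less obvious.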

Passwords can be supplemented with basic security features from £7 per desktop. But large organisations should consider spending more where appropriate.

Biometrics, such as finger scanners, can protect entry to the system.

Prices for such systems have fallen dramatically and they are now available for about £14 each. European spending on biometric products will increase from £60m in 2000 to £400m in 2004, according to IDC.

Smartcards can also identify users electronically, and IDC estimates that spending on these products will reach £400m by 2004. Once employees are logged on, monitor their actions. While civil libertarians may disapprove, 67% of employees admit lying to their boss on occasion, according to KPMG.

Monitoring products can ‘sniff’ network traffic to detect changes and compile reports for system managers.

Web-filtering tools can also detect employees accessing non-approved internet content, and can be tailored to alert managers to high-risk email or internet activities. Even with monitoring systems and policies in place, the experts’ advice is ‘never relax’. According to Titterington, every PC is a potential point of vulnerability.

‘Every time someone inserts a floppy disk into their A drive, you don’t know what they have on it.’

Reuters’ policy on internal security focuses on the adage ‘trust and verify’. ‘The biggest challenge for Reuters is the theft of intellectual property. We were concerned that people who might have access to this information could use it without paying, so that’s where we concentrate our efforts,’ says Tim Voss, Reuters’ global IT security risk director.

When Reuters first began to monitor internal network activity, it rejected off-the-shelf products in favour of a bespoke system. It took seven software engineers four years to create the resulting system which allows the IT department to collate information on network activity and define alerts that, once triggered, can be analysed in real-time.
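The shape of what is described above (collate network activity per user, define alerts, evaluate them) can be shown in a few dozen lines. The following is an added example and not Reuters’ bespoke system or any product the article names: it parses a constructed activity log, groups events per user and day, and runs three illustrative rules over them (bulk download, out-of-hours access, access outside a user’s entitlement). The log format, the entitlement table and the thresholds are all constructed for the example.

```python
"""Rule-based alerting over a network activity log.

Added example, not the system described in the article. Log format,
entitlement table and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one event per line, space-separated key=value fields.
SAMPLE_LOG = """\
2001-03-12T09:14:05 user=mpatel action=view resource=/feeds/pricing/fx.dat bytes=12000
2001-03-12T09:20:41 user=mpatel action=view resource=/feeds/pricing/bonds.dat bytes=15000
2001-03-12T23:41:10 user=mpatel action=download resource=/feeds/pricing/eurobonds.dat bytes=48000000
2001-03-12T23:44:52 user=mpatel action=download resource=/feeds/pricing/equities.dat bytes=61000000
2001-03-12T10:02:13 user=sokafor action=view resource=/hr/payroll/march.xls bytes=30000
2001-03-12T10:05:30 user=jlee action=view resource=/hr/payroll/march.xls bytes=30000
2001-03-12T11:30:00 user=jlee action=download resource=/feeds/pricing/fx.dat bytes=12000
"""

# Constructed entitlements: which resource trees each group may touch.
GROUP_OF = {"mpatel": "trading", "sokafor": "hr", "jlee": "hr"}
ALLOWED = {"trading": ("/feeds/",), "hr": ("/hr/",)}

BULK_BYTES = 100_000_000      # total downloaded per user per day before alerting
WORK_HOURS = range(7, 20)     # 07:00-19:59 counts as normal working hours


def parse_line(line):
    """Turn one log line into a dict with a datetime 'ts' and an int 'bytes'."""
    ts, rest = line.split(" ", 1)
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.fromisoformat(ts)
    event["bytes"] = int(event["bytes"])
    return event


def collate(lines):
    """Group events by (user, date): the per-user view the rules are evaluated over."""
    per_user_day = defaultdict(list)
    for line in lines:
        if line.strip():
            e = parse_line(line)
            per_user_day[(e["user"], e["ts"].date())].append(e)
    return per_user_day


def rule_bulk_download(user, events):
    total = sum(e["bytes"] for e in events if e["action"] == "download")
    if total > BULK_BYTES:
        return f"{user} downloaded {total} bytes in one day (limit {BULK_BYTES})"
    return None


def rule_out_of_hours(user, events):
    late = [e for e in events if e["ts"].hour not in WORK_HOURS]
    if late:
        return f"{user} had {len(late)} out-of-hours events"
    return None


def rule_outside_entitlement(user, events):
    # An unknown user has an empty allow-list, so every resource is flagged.
    allowed = ALLOWED.get(GROUP_OF.get(user), ())
    bad = sorted({e["resource"] for e in events if not e["resource"].startswith(allowed)})
    if bad:
        return f"{user} touched resources outside entitlement: {', '.join(bad)}"
    return None


RULES = (rule_bulk_download, rule_out_of_hours, rule_outside_entitlement)


def evaluate(lines):
    """Return a list of (user, rule name, detail) alerts, ordered by user and day."""
    alerts = []
    for (user, _day), events in sorted(collate(lines).items()):
        for rule in RULES:
            detail = rule(user, events)
            if detail:
                alerts.append((user, rule.__name__, detail))
    return alerts


if __name__ == "__main__":
    for _user, rule, detail in evaluate(SAMPLE_LOG.splitlines()):
        print(f"[{rule}] {detail}")
```

Each rule is a plain function that receives one user’s events for one day, so adding a rule means adding a function to `RULES`; the collation step is what turns a stream of events into something a rule can reason about, and it is the part that has to scale when the log is real.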

With hindsight, however, Voss considers a packaged solution might have been more effective. ‘If it can be done off-the-shelf, it means that my software engineers can test instead of develop,’ he says. ‘I think “trust and verify” is a good phrase when it comes to internal security.’
