Chief executive officers and other Members of the Board generally enjoy access to more of the company IT systems and networks than most other people in the organisation, but they're often the least technical users with little appreciation of the havoc their actions can cause. Just how big is the internal threat, and how might security and IT professionals minimise the risks posed?
Security scare stories concerning IT systems abound. We've all heard them at one time or another. Evil hackers bent on causing mayhem are breaking into systems, stealing company secrets and defacing web sites. Indeed, given the tremendous amount of media attention paid to external attacks, most organisations are naturally focusing on defending their information systems from imagined hoards of hackers poised to strike from just outside the perimeter walls.

While that is an important perspective for any security professional to adopt, a far more serious threat is often completely overlooked: one capable of inflicting far greater damage than any external threat. And the culprit is The Insider.

The Department of Trade and Industry's Information Security Breaches Survey conducted in 2002 states that 48% of large businesses reported their most serious security incident was caused by internal activity.

Error, mistakes... and ignorance
The preponderance of security issues that arise from inside the organisation stem from error (application, operational or staff-related), mistakes or sheer ignorance. Ignoring this vital fact causes countless organisations to expend a disproportionate share of already scarce resources on covering only part of the threat.

Threats originating from within the company pose more of a risk than any external hacker ever could, and consequently demand much more of the IT and Security Department's time. Insiders typically have greater, less restricted access to sensitive information such as financial data, personnel details and trade secrets, and can cause far more damage.

Take, for example, the chief executive officer. It's likely that he or she enjoys virtually unfettered access to all of the organisation's data and/or systems. Unfortunately, at the same time he or she is also less likely to appreciate the need for various security controls. The busier the executive, the less tolerant they are of intrusive security controls and the more likely they are to demand an exception to the rules.

Consider, then, the case of the chief executive officer who finds it too difficult to remember new passwords after each change. He or she will at best select a weak password, or at worst write the new password down – leaving it where it might be found and used by an unauthorised person. In either case, a security breach may result.

A fast, efficient exchange
Chief executive officers, executives and, in truth, much of today's workforce relies on the fast and efficient exchange of information. Much of the information used and processed by organisations is considered highly sensitive. Ensuring that only authorised individuals have access to sensitive data is of paramount importance, but anything that hampers the effective flow of information slows down or prevents work being carried out.

Improperly implemented, security controls often become a bottleneck to the free flow of information – even for authorised users. When security is an obstacle, those controls are then eliminated in favour of the organisation completing its work in a timely manner.

The real problem lies in the fact that IT security controls are often complex and difficult to both understand and implement. When that complexity is introduced into the organisation, systems are perceived to be too unwieldy for the average end user. As a result the user will ignore or – worse still – bypass even the most effective technology in order to 'get the job done'.

To make effective use of security technology companies must ensure that it's not only easy to deploy but that it's easy to use, and fits in well with the overall corporate culture.

So what can be done about the problems caused by The Insider so far as in-house security and IT management professionals are concerned? First and foremost, members of staff at all levels of the organisation must be made aware of the need for strong security. While an organisation may well have the most advanced IT security technology in place, a simple and inadvertent act like opening an e-mail containing a virus can unleash a devastating chain of events that ends up costing the organisation dearly.

It's absolutely vital that any organisation understands what information it needs to protect and from whom it needs protection. The most appropriate vehicle for identifying and protecting critical systems or data is an effective information security policy.

Once corporate policies are implemented, organisations have a deeper appreciation for the level of protection needed to safeguard their critical data. Appropriate technology can then be implemented to support these policies.

Deploying USB-based tokens
Typically, the job of deciding the answers to IT-related questions falls on the IT security staff who, without any policies to guide them, may or may not have a clear view of an organisation's current strategic goals.

Authentication is another example. For so long, user names and passwords have been a primary means of protecting sensitive data and systems. Organisations rely on them to safeguard even their most critical business systems. As we are all too aware, passwords are the most easily compromised element of the security 'puzzle'.

Fortunately, simple and effective technology exists today that can provide organisations with robust, easy-to-use alternatives to traditionally weak passwords.

Devices such as USB-based tokens that fit on a key ring can provide strong authentication and the ability to carry digital certificates. Such devices are simple to use and don't unduly interfere with 'getting the job done'.

Security relies on something the user has (i.e. the hardware security key). If a key is lost or stolen, steps can be taken to 'turn it off', thereby rendering it useless to anyone not authorised to possess it. The same is not true of passwords – there's no way of knowing if a password has been 'misplaced'.
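The contrast drawn above, between a token that can be switched off and a password that cannot, is easier to see in code. The following is an added example written for this page, not code from the article or from any token vendor. It simulates a hardware key as a device that answers server challenges with an HMAC over a secret that never leaves the device; real USB tokens normally hold a private key and certificate instead, so the symmetric construction, the serial number, the user name and the sample password are all constructed for illustration. A password store is included alongside to show why a copied password is indistinguishable from the owner's and has no equivalent of revocation.

```python
import hashlib
import hmac
import secrets


class HardwareToken:
    """Stands in for a USB key (simulation, not a real device driver): the
    secret stays inside the object and is only used to answer a challenge."""

    def __init__(self, serial: str, secret: bytes):
        self.serial = serial
        self._secret = secret  # on a real token this sits in tamper-resistant storage

    def respond(self, challenge: bytes) -> bytes:
        # Device proves possession of the secret without revealing it.
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class TokenRegistry:
    """Server-side record of enrolled tokens, with a revocation flag that
    'turns off' a device reported lost or stolen."""

    def __init__(self):
        self._tokens = {}  # serial -> {"user": str, "secret": bytes, "revoked": bool}

    def enrol(self, serial: str, user: str, secret: bytes) -> None:
        self._tokens[serial] = {"user": user, "secret": secret, "revoked": False}

    def revoke(self, serial: str) -> None:
        self._tokens[serial]["revoked"] = True

    @staticmethod
    def new_challenge() -> bytes:
        # Fresh random nonce per login, so a captured response cannot be replayed.
        return secrets.token_bytes(32)

    def verify(self, serial: str, challenge: bytes, response: bytes) -> bool:
        rec = self._tokens.get(serial)
        if rec is None or rec["revoked"]:
            return False  # unknown or switched-off token: reject before any crypto
        expected = hmac.new(rec["secret"], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class PasswordStore:
    """Salted PBKDF2 password check, included for contrast with the token."""

    def __init__(self):
        self._users = {}  # user -> (salt, derived key)

    def set_password(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        self._users[user] = (salt, key)

    def check(self, user: str, password: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, key = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        return hmac.compare_digest(candidate, key)


def run_scenario() -> dict:
    """Walk through login, replay, revocation and the password comparison."""
    results = {}
    registry = TokenRegistry()
    secret = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # constructed device secret
    token = HardwareToken("TOKEN-0001", secret)  # constructed serial number
    registry.enrol(token.serial, "ceo", secret)

    # 1. Normal login: the server issues a challenge and the device answers it.
    ch1 = registry.new_challenge()
    resp1 = token.respond(ch1)
    results["token_login"] = registry.verify(token.serial, ch1, resp1)

    # 2. A response captured in transit is useless against the next challenge.
    ch2 = registry.new_challenge()
    results["token_replay"] = registry.verify(token.serial, ch2, resp1)

    # 3. Key reported lost: revoke it. Even the genuine device now fails.
    registry.revoke(token.serial)
    ch3 = registry.new_challenge()
    results["token_after_revoke"] = registry.verify(token.serial, ch3, token.respond(ch3))

    # 4. Passwords: whoever presents the string gets in; the server cannot tell
    #    the owner from someone who found it written down, and there is no
    #    "revoked" state short of changing the password itself.
    store = PasswordStore()
    store.set_password("ceo", "Summer2002!")  # constructed weak password
    results["password_owner"] = store.check("ceo", "Summer2002!")
    results["password_copied"] = store.check("ceo", "Summer2002!")
    return results
```

Running `run_scenario()` gives `token_login` True, `token_replay` and `token_after_revoke` False, and both password checks True: the registry can refuse a specific device the moment it is reported missing, whereas the password store has nothing to act on because a misplaced password looks exactly like the real one.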