Inadvertent employee error, laptop theft, contractors’ unauthorized access to information, disgruntled employees, password mismanagement – all of these factors can mean drastic revenue loss, legal liabilities, diminished productivity and brand erosion.
What are the top internal security threats, and how can you avoid them? Read on to find out.
1. Your Employees Are Selling You Out, Part 1
Spear phishing is e-mail fraud aimed at a specific organization: forged messages, tailored to their recipients, that try to obtain credentials or other confidential data. While not exactly a new phenomenon, the attacks are becoming increasingly sophisticated, according to Paul Stamp, a Forrester Research senior analyst.
“A phishing attack used to be a request from the deposed governor of Nigeria,” says Stamp. “These days, a phishing attack is almost indistinguishable from the real thing.”
The result: unwitting employees hand passwords, financial data and other confidential information to the intruders behind the messages. Unable to tell a counterfeit message or a look-alike website from the real thing, these workers are effectively opening the company's doors from the inside.
Phishing volume as a whole keeps climbing, and targeted variants ride the same wave. The Symantec Probe Network detected 166,248 unique phishing messages in the second half of 2006, a six percent increase over the first six months of the year, and Symantec blocked over 1.5 billion phishing messages, up 19 percent over the first half of 2006.
The remedy: Phishing-fighting measures include anti-phishing toolbars that display a website's real domain name, and a roster of known phishing sites for employee reference; both only catch what is already known, so they are a backstop rather than a cure. But companies should forget about training IT personnel and staging corporate awareness campaigns, says Alan Paller, director of research at The SANS Institute. Rather, he suggests running “benign spear phishing exercises against your own employees ... There’s no other way to solve it.” Measure who clicked and who reported the message, then repeat.
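The tells a toolbar shows the user can also be checked mechanically on inbound mail. The following Python script is an added example, not code from the original article or from any product it mentions: it parses a constructed sample message (not a real capture) and reports the classic spoofing signs: a sender domain outside the organisation, a Reply-To that disagrees with From, anchor text that names one host while the href goes to another, and a trusted name buried as a subdomain of an unrelated domain. The trusted-domain set and the two-label approximation of a registrable domain are assumptions.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the organisation's own registrable domains.
TRUSTED_DOMAINS = {"acme.com"}

# Constructed sample (not a real capture): the display name, the visible
# link text and the Reply-To all claim Acme, but none of the real domains do.
SAMPLE_MESSAGE = """\
From: "Acme Payroll" <payroll@acme-corp-secure.com>
Reply-To: helpdesk@mail-acme.ru
To: jane.doe@acme.com
Subject: Action required: verify your direct deposit
Content-Type: text/html; charset=utf-8

<html><body><p>Please confirm your account at
<a href="http://acme.com.login-verify.net/payroll">https://payroll.acme.com</a>
before 5pm today.</p></body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Host part of a URL, bare hostname or e-mail address."""
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].strip("<>").lower()
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def registrable_domain(host):
    """Last two labels. A real deployment should use the public suffix list
    so that names such as example.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def phishing_indicators(raw_message):
    """Return human-readable reasons this message looks spoofed (empty = clean)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_dom = registrable_domain(msg["From"].addresses[0].domain)
    if from_dom not in TRUSTED_DOMAINS:
        findings.append(f"From domain {from_dom} is not one of ours")

    if msg["Reply-To"]:
        reply_dom = registrable_domain(msg["Reply-To"].addresses[0].domain)
        if reply_dom != from_dom:
            findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        href_host = host_of(href)
        href_dom = registrable_domain(href_host)
        # Anchor text that looks like a URL but resolves somewhere else.
        if re.match(r"(?i)(https?://|www\.)", text):
            text_dom = registrable_domain(host_of(text))
            if text_dom != href_dom:
                findings.append(f"link text shows {text_dom} but href goes to {href_dom}")
        # A trusted name buried in a subdomain of an unrelated registrable domain.
        for trusted in TRUSTED_DOMAINS:
            if trusted in href_host and href_dom != trusted:
                findings.append(f"href host {href_host} embeds {trusted} but is really {href_dom}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_MESSAGE):
        print("-", finding)
```

Run against the sample, the script reports all four indicators; a message from `payroll@acme.com` whose link text and href both resolve to `acme.com` produces none. The same checks can be fed the messages used in an internal phishing exercise to confirm the lures would trip the automated controls before measuring whether people do.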
2. Laptops on the Loose
Accidentally bequeathing your forgotten laptop to a hotel’s cleaning staff is more than an inconvenience. According to software security firm Symantec, the theft or loss of a computer or other data-storage medium made up 54 percent of all identity theft-related data breaches in the second half of 2006.
But that’s not all. The theft or loss of a laptop can cost a company big bucks. The 2006 CSI/FBI Computer Crime and Security Survey reveals that laptops and the theft of proprietary information are the third- and fourth-greatest sources of respondents’ financial losses. What’s more, a startling 47 percent of respondents detected laptop or mobile theft last year.
Laptops aren’t the only security risk. Boasting unprecedented storage capacities, portable devices such as iPods, the BlackBerry and flash memory sticks also present dangers. Not only do these pocket-sized tools carry data and code past perimeter defenses such as firewalls, they also let workers remove proprietary information from a company’s premises. What’s worse, Gartner estimates that only about 10 percent of enterprises have any policies dealing with removable storage devices.
The remedy: A startup or BIOS password only deters a casual thief; anyone who pulls the drive and mounts it on another machine reads the data unchanged. What actually makes a stolen laptop’s data unusable is full-disk encryption, unlocked at boot with a passphrase and, where available, a hardware token or TPM. Companies should require that, not a startup password alone. Make a practice of purging old e-mails, text messages, call logs and unwanted files from all portable devices, bearing in mind that a simple delete leaves the data recoverable on flash media; rely on encryption, not deletion, for protection. And it’s always a good idea for employees to take advantage of a device’s built-in encryption capabilities and password protection features. Kingston’s Data Traveler Elite Privacy Edition, for example, is a USB flash drive that encrypts all stored data on-the-fly with 128-bit hardware-based AES and locks out potential users after 25 consecutive failed password attempts.
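Requiring encryption is only enforceable if you can verify it. The following Python script is an added example, not from the original article or from any vendor it names: it walks the block-device tree that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints on Linux and flags every mounted filesystem that does not sit on top of a dm-crypt/LUKS device. The embedded JSON is constructed, not captured from a real machine, and the set of boot mount points allowed to stay in the clear is an assumption.

```python
import json
import subprocess

# Constructed lsblk output (not from a real machine): a LUKS-backed root
# volume, an EFI partition, and an unencrypted data partition at /data.
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}
    ]},
    {"name": "nvme0n1p3", "type": "part", "fstype": "ext4", "mountpoint": "/data"}
  ]}
]}
"""

# Assumed: the bootloader needs these in the clear; everything else must be encrypted.
EXEMPT_MOUNTPOINTS = {"/boot", "/boot/efi"}


def _walk(devices, encrypted_ancestor=False):
    """Yield (device, is_encrypted) for every node; a node is encrypted if it
    or any ancestor is a dm-crypt mapping (lsblk TYPE "crypt")."""
    for dev in devices:
        encrypted = encrypted_ancestor or dev.get("type") == "crypt"
        yield dev, encrypted
        yield from _walk(dev.get("children", []), encrypted)


def unencrypted_mounts(lsblk_json):
    """Return (name, mountpoint, fstype) for mounted filesystems with no
    encryption layer beneath them, ignoring exempt boot mounts and swap."""
    tree = json.loads(lsblk_json)["blockdevices"]
    findings = []
    for dev, encrypted in _walk(tree):
        mountpoint = dev.get("mountpoint")
        if not mountpoint or encrypted:
            continue
        if mountpoint in EXEMPT_MOUNTPOINTS or dev.get("fstype") == "swap":
            continue
        findings.append((dev["name"], mountpoint, dev.get("fstype")))
    return findings


def audit_live_system():
    """Run the check against the machine this script executes on (Linux only)."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        capture_output=True, text=True, check=True,
    ).stdout
    return unencrypted_mounts(out)


if __name__ == "__main__":
    print("sample:", unencrypted_mounts(SAMPLE_LSBLK_JSON))
    try:
        print("this host:", audit_live_system())
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("lsblk not available here; skipped live audit")
```

On the sample, `/data` is the only finding: `/` is fine because its `ext4` volume is a child of the `crypt` mapping, and `/boot/efi` is exempt. On Windows the equivalent evidence comes from `manage-bde -status`, which reports each volume's BitLocker conversion state.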
3. Unintentional Access and Disgruntled Ex-Employees
One of the many perks of working for a company is the access one gains to multiple computer systems, from e-mail messaging to HR payroll. Yet it’s precisely this access that can endanger the security of mission-critical applications. Despite today’s sophisticated user provisioning systems, many IT administrators are simply too time-strapped to actively update users’ access and privileges as people join, change roles and leave.
In fact, research has revealed that it can take upwards of 4 months to remove the user rights of a former employee. Within that time-span, there’s no telling what havoc a disgruntled ex-employee can wreak on a company’s critical business systems, and the same stale entitlements quietly accumulate for people who merely changed jobs inside the company.
The remedy: There’s no shortage of vendors promising to simplify the user provisioning process. Entrust, for example, offers solutions that automate policy enforcement and delegate administration for user provisioning, which helps maintain security levels while managing large numbers of users. Another example is Courion. Courion’s AccountCourier is an automated user provisioning solution that grants, revokes or modifies access to operating systems, applications, Web portals and other IT assets without manual intervention. Whatever the tool, the control that matters is a termination feed from HR that triggers deprovisioning automatically, plus a periodic reconciliation of directory accounts against that feed to catch whatever the workflow missed.
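The four-month figure is a reconciliation problem: nobody is comparing the directory against the HR system. The following Python script is an added example, not from the original article or from Entrust or Courion: it joins a constructed HR feed against a constructed directory export and lists enabled accounts whose owners have left, accounts with no HR owner at all, and how long each has been exposed, ordering privileged accounts first. The record shapes, the privileged group names and the one-day grace period are all assumptions.

```python
from datetime import date

# Constructed HR feed (not real data): employment status and last working day.
HR_RECORDS = [
    {"user": "asmith", "status": "active",     "last_day": None},
    {"user": "bjones", "status": "terminated", "last_day": date(2006, 11, 3)},
    {"user": "cwong",  "status": "terminated", "last_day": date(2007, 2, 20)},
    {"user": "dlee",   "status": "active",     "last_day": None},
]

# Constructed directory export (not real data): what the identity store believes.
DIRECTORY_ACCOUNTS = [
    {"user": "asmith",     "enabled": True,  "groups": ["staff"]},
    {"user": "bjones",     "enabled": True,  "groups": ["staff", "payroll-admins"]},
    {"user": "cwong",      "enabled": False, "groups": ["staff"]},
    {"user": "dlee",       "enabled": True,  "groups": ["staff", "domain-admins"]},
    {"user": "svc-backup", "enabled": True,  "groups": ["backup-operators"]},  # no HR owner
]

# Assumed: groups whose membership makes a stale account an emergency, and the
# number of days an account may stay enabled after the owner's last day.
PRIVILEGED_GROUPS = {"payroll-admins", "domain-admins", "backup-operators"}
GRACE_DAYS = 1


def stale_accounts(hr_records, accounts, today):
    """Reconcile directory accounts against HR and return the ones that should
    not be enabled, most dangerous first (privileged, then longest exposed)."""
    hr = {rec["user"]: rec for rec in hr_records}
    findings = []
    for acct in accounts:
        rec = hr.get(acct["user"])
        privileged = sorted(set(acct["groups"]) & PRIVILEGED_GROUPS)
        if rec is None:
            # Nobody in HR owns this account, so nobody will ever trigger its removal.
            findings.append({"user": acct["user"], "reason": "no HR owner",
                             "days": None, "privileged": privileged})
            continue
        if rec["status"] == "terminated" and acct["enabled"]:
            days = (today - rec["last_day"]).days
            if days > GRACE_DAYS:
                findings.append({"user": acct["user"], "reason": "terminated but enabled",
                                 "days": days, "privileged": privileged})
    findings.sort(key=lambda f: (not f["privileged"], -(f["days"] or 0)))
    return findings


if __name__ == "__main__":
    for f in stale_accounts(HR_RECORDS, DIRECTORY_ACCOUNTS, date(2007, 3, 1)):
        print(f"{f['user']:<12} {f['reason']:<24} days={f['days']} privileged={f['privileged']}")
```

Run on 1 March 2007 the report lists `bjones`, still enabled 118 days after leaving and still in `payroll-admins`, ahead of the orphaned `svc-backup` service account; `cwong`, who left but was disabled, does not appear. In practice the two inputs come from the HR system's export and an LDAP or Active Directory query, and the report is what gets reviewed each week.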
4. Missing Security Patches
It’s an unfortunate reality. Vendors aren’t always quick to produce the necessary protection in the face of a newfound security hole. In fact, Symantec reports that in the second half of 2006, all the operating system vendors that were studied had longer average patch development times than in the first half of the year.
Further complicating matters, however, is the fact that many IT administrators are simply too overburdened to ensure that they have the latest updates and most recent patches in place. The result: well-known viruses and worms, exploiting holes for which fixes have long been available, still penetrate some of today’s largest enterprises.
Says Oliver Friedrichs, a Symantec Security Response director: “If you’re not up-to-date with the latest security updates and the latest anti-virus detections, you’re clearly at risk for some of the latest threats.”
The remedy: Patch management software and services can greatly ease the burden on today’s administrators. Ecora’s Patch Manager automates system discovery, patch assessment and patch installation on workstations and servers. Aimed at heterogeneous IT environments, Novell ZENworks Patch Management tells administrators exactly which patches and security holes apply to each server, desktop and laptop. And then there’s SecureCentral PatchQuest, automated patch management software for distributing and managing security patches, hotfixes and updates across networks comprising Windows, Red Hat and Debian Linux systems. None of these help without an accurate inventory: a tool can only patch the hosts it knows about, so pair it with discovery, and verify afterwards that the installed versions actually moved.
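Whatever product does the installing, the question an auditor asks is the same: for each advisory, which hosts still run a version below the fix, and for how many days have they been exposed. The following Python script is an added example, not from the original article or from Ecora, Novell or SecureCentral: it compares a constructed host inventory against a constructed advisory list (neither is real CVE or host data) and reports the exposure window per host, longest first. The version-comparison rule (numeric tokens compare numerically, letter tokens lexically) is an assumption that fits the OpenSSL and OpenSSH style of version strings used here.

```python
import re
from datetime import date

# Constructed vendor advisories (not real CVE data): package, first fixed
# version, and the date the fix was published.
ADVISORIES = [
    {"package": "openssl", "fixed": "0.9.8e", "published": date(2007, 2, 23)},
    {"package": "openssh", "fixed": "4.5p1",  "published": date(2006, 11, 7)},
    {"package": "bind",    "fixed": "9.3.4",  "published": date(2007, 1, 25)},
]

# Constructed inventory (not real hosts): installed version per package per host.
INVENTORY = {
    "web01":  {"openssl": "0.9.8d", "openssh": "4.5p1", "bind": "9.3.4"},
    "dns01":  {"openssl": "0.9.8e", "bind": "9.3.2"},
    "jump01": {"openssh": "4.3p2", "openssl": "0.9.8e"},
}


def version_key(version):
    """Split '0.9.8e' or '4.5p1' into comparable tokens. Numeric tokens are
    tagged (1, n) and letter tokens (0, s) so mixed positions never raise
    TypeError when compared. Assumed to fit the version styles used here."""
    return tuple((1, int(tok)) if tok.isdigit() else (0, tok)
                 for tok in re.findall(r"\d+|[A-Za-z]+", version))


def missing_patches(inventory, advisories, today):
    """Return one finding per (host, advisory) where the installed version is
    below the fixed version, with the number of days the fix has been public."""
    findings = []
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv["package"])
            if installed is None:
                continue  # package not present, advisory does not apply
            if version_key(installed) < version_key(adv["fixed"]):
                findings.append({
                    "host": host,
                    "package": adv["package"],
                    "installed": installed,
                    "fixed": adv["fixed"],
                    "days_exposed": (today - adv["published"]).days,
                })
    findings.sort(key=lambda f: -f["days_exposed"])
    return findings


if __name__ == "__main__":
    for f in missing_patches(INVENTORY, ADVISORIES, date(2007, 3, 15)):
        print(f"{f['host']:<8} {f['package']:<8} {f['installed']:<8} -> {f['fixed']:<8} "
              f"exposed {f['days_exposed']} days")
```

As of 15 March 2007 the sample shows `jump01` running an OpenSSH 128 days behind the fix, `dns01` 49 days behind on BIND and `web01` 20 days behind on OpenSSL. The inventory side is the part that a real deployment has to get right: the dictionary here would come from `dpkg -l`, `rpm -qa` or the patch tool's own agent, and a host missing from it is invisible to the report.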
5. Your Employees Are Selling You Out, Part 2
That joke e-mail that just landed in your inbox may not be so funny after all. “A lot of the security threats that we’re seeing involve email somewhere along the line,” warns Stamp. Data leakage through outbound e-mail is among the primary concerns: according to the Ponemon Institute, 69 percent of organizations reported serious data leaks caused by either malicious employee activity or nonmalicious employee error. But even the most innocent correspondence can cause trouble. An e-mail that makes one employee chuckle may greatly offend another, creating legal liability. Nor should anyone forget e-mail’s ability to serve as incriminating evidence: internal e-mails, for example, contributed to pharmaceutical giant American Home Products Corporation facing $3.5 billion in liability from a class-action lawsuit over its manufacturing of the diet drugs Fen-Phen and Redux.
The remedy: Strict usage policies can prohibit employees from sending sensitive information via insecure e-mail, but a policy only works when something at the gateway enforces it. E-mail content scanning technology can help. IBM Express Managed Security Services, for example, scans and monitors e-mail before it ever reaches a network, to keep it free of harmful or damaging content. And MessageLabs' Boundary Encryption service lets businesses set up a secure private e-mail network between themselves and their partners for end-to-end delivery of encrypted communications. Note the division of labour: encryption to a partner protects data in transit but does nothing about a message that should never have left, which is what content scanning, with rules defining what counts as sensitive and a review process for what gets flagged, is for.
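A usage policy needs something that enforces it at the gateway. The following Python script is an added example, not from the original article or from IBM or MessageLabs: it runs outbound-mail checks over three constructed messages (not real correspondence). Mail to external recipients is scanned for SSN-shaped numbers, Luhn-valid card numbers, classification markers, and the common leak pattern of an employee forwarding to their own name at a webmail domain; internal-only mail is left alone. The internal-domain set, the regular expressions and the message dictionary shape are assumptions.

```python
import re

# Assumed: mail to these domains never leaves the organisation.
INTERNAL_DOMAINS = {"acme.com"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 16 digits, optionally separated by spaces or dashes; Luhn filters the rest.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
MARKER_RE = re.compile(r"\b(confidential|internal only|do not distribute)\b", re.IGNORECASE)

# Constructed messages (not real correspondence).
SAMPLE_MESSAGES = [
    {"from": "jsmith@acme.com", "to": ["jsmith@gmail.com"], "subject": "Q3 pipeline",
     "body": "CONFIDENTIAL - do not distribute.\nCard on file 4111 1111 1111 1111, SSN 123-45-6789."},
    {"from": "jsmith@acme.com", "to": ["team@acme.com"], "subject": "Q3 pipeline",
     "body": "CONFIDENTIAL - do not distribute.\nCard on file 4111 1111 1111 1111, SSN 123-45-6789."},
    {"from": "jsmith@acme.com", "to": ["partner@example.org"], "subject": "Lunch?",
     "body": "Lunch Friday? Call 555-0100."},
]


def luhn_ok(digits):
    """Mod-10 check that separates real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def local_part(addr):
    return addr.split("@", 1)[0].lower()


def scan_outbound(msg):
    """msg: {'from': str, 'to': [str], 'subject': str, 'body': str}.
    Returns the list of policy findings; an empty list means the mail may go."""
    external = [r for r in msg["to"] if domain(r) not in INTERNAL_DOMAINS]
    if not external:
        return []  # internal-only mail is out of scope for this check
    findings = []
    text = msg["subject"] + "\n" + msg["body"]
    if SSN_RE.search(text):
        findings.append("possible SSN")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(f"Luhn-valid card number ending {digits[-4:]}")
    marker = MARKER_RE.search(text)
    if marker:
        findings.append(f"classification marker '{marker.group()}'")
    self_forward = [r for r in external if local_part(r) == local_part(msg["from"])]
    if self_forward:
        findings.append(f"sent to own name at external domain: {', '.join(self_forward)}")
    return findings


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["to"], "->", scan_outbound(msg) or "clean")
```

The first message trips all four rules and would be held for review; the second carries the same content but stays inside `acme.com`, so it passes; the third is ordinary chatter. Pattern rules like these generate false positives on invoice numbers and phone numbers, which is why the Luhn check and the external-recipient gate are there, and why the output feeds a review queue rather than a silent drop.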