Q: I have heard that one of the biggest information security threats to a company can come from within. Is this true? What exactly does it mean, and what can be done about it?
A: When people think of an information security threat or a "security breach," thoughts of bad buys, gangsters and hackers come to mind. Companies usually make sizeable investments to prevent intrusions to their systems, put protections in place and know the seriousness of external threats.
Companies usually try to patch every loophole and make every system impenetrable. But guess who knows more about these loopholes and ports of penetration than anyone? A company's own employees (or former employees). In reality, disgruntled, former or fired employees or even external service providers are the most likely culprits of a security breach--anyone with "insider information." It is for that very reason that four out of five IT-related crimes are committed from within an organization.
Internal threats might be someone who knows the weaknesses of the software being used or has the ability to introduce viruses into a system. Viruses can come from within simply by opening e-mail attachments. Some employees find it easy to gain access to restricted areas; this may include the possession of unauthorized passwords. If something is password-protected, chances are there is confidential information involved.
With all the home office workers, laptops are in frequent use. Many times the security prevention in a laptop is turned off when remotely connecting. This is another major internal vulnerability or internal threat.
So if 80 percent of IT crimes are internal, what should a company do about it?
- Perform a security audit, or have one performed.
- Unless the knowledge, experience and manpower exist in-house, consult an outside expert on audits, policies, and the subsequent security monitoring and prevention service.
- Ensure adequate background checks on employees.
- Establish a security policy, and enforce it. This includes implementing things like swipe cards, changing passwords often and restricting sensitive areas. This creates the right attitude toward information security in your company and clarifies the consequences of any found internal breach. A professional consulting firm specializing in policy development can save time and money and ensure an up-to-date policy.
- Use firewalls. Firewalls protect against unauthorized logins usually from the outside world, preventing hackers from logging on to your network.
- Use virus scanning software. Attachments to e-mails received and passed around are the biggest reason for the spread of viruses.
- Implement ongoing managed services.
These are only a few ideas for combating internal security threats that surround us all. Enlist the help of a professional security consulting firm that will do both the audit and policy development before implementing a complete managed services package.
Michael Bruck is the founding partner of BAI Security, an 8-year-old information security consulting firm. Bruck leads his security team with a successful 16-year background in IT management and senior engineering positions. He is also the developer and author of best practices that are becoming standards in the information security consulting business. He can be reached via www.baisecurity.netor by email at firstname.lastname@example.org.
The opinions expressed in this column are those of the author, not of Entrepreneur.com. All answers are intended to be general in nature, without regard to specific geographical areas or circumstances, and should only be relied upon after consulting an appropriate expert, such as an attorney or accountant.