Businesses must guard against the enemy within
By Stephen Pritchard
This week, the New York County District Attorney charged a former IT worker at fashion house Gucci with attacking the company's IT infrastructure, and causing more than US$200,000 of damage.
If found guilty, Sam Chihlung Yin could face 15 years in jail. But, although prosecutors - especially in the US - are being tougher on hacking and other IT-related crimes, relatively few cases come to court. Companies frequently prefer to keep quiet and clean up the mess in private.
The result is that hacking, especially by insiders or former employees, is an under-reported crime. That also means that businesses might not be doing enough to prevent it, especially in a climate where employees may face redundancy.
According to the charges against Yin, the former Gucci employee created a false VPN token which he later activated and used to gain access to the company's systems. As a network engineer, he would have known how to exploit any security weaknesses.
All too often, companies leave themselves vulnerable to attack by non-specialists too. Employees can steal passwords from other users' desks, delete data, or copy confidential information with relative ease.
Even businesses with strong perimeter protection against outside hackers often fail to enforce basic internal security measures, such as mandatory password changes or a ban on staff sharing user accounts.
There are, of course, heavyweight protection measures that businesses can turn to, such as identity and access management suites, data loss prevention software, and network monitoring. All these have their value, and are certainly more effective than using superglue to seal up PCs' USB ports - as some UK government departments were said to have done after the HMRC data loss case.
But these measures can be expensive and complicated to deploy, and unless they are rolled out with care they can seriously hinder staff trying to do their legitimate jobs.
What businesses can do, though, is keep their data security policies up to date and make sure staff are aware of the threats posed by lax security and by social engineering. It is alleged, for example, that in the Gucci case Yin tricked his former colleagues into activating the rogue VPN token he then used to enter the network.
Setting policies and raising awareness need not cost much, but can go a very long way to addressing the problem of the insider threat. It might be hard to block the use of a rogue VPN token, but in too many UK companies staff still keep their system passwords on a sticky note on their computer screens.
Stephen Pritchard is a contributing editor at IT PRO.