Businesses must guard against the enemy within

Inside the Enterprise: The greatest threat to a company's security is often insiders. But too few businesses take steps to protect themselves.

Stephen Pritchard

This week, the New York County District Attorney charged a former IT worker at fashion house Gucci with attacking the company's IT infrastructure, and causing more than US$200,000 of damage.

If found guilty, Sam Chihlung Yin could face 15 years in jail. But, although prosecutors - especially in the US - are being tougher on hacking and other IT-related crimes, relatively few cases come to court. Companies frequently prefer to keep quiet and clean up the mess in private.

The result is that hacking, especially by insiders or former employees, is an under-reported crime. That also means that businesses might not be doing enough to prevent it, especially in a climate where employees may face redundancy.

According to the charges against Yin, the former Gucci employee created a false VPN token which he later activated and used to gain access to the company's systems. As a network engineer, he would have known how to exploit any security weaknesses.

All too often, companies leave themselves vulnerable to attack by non-specialists too. Employees can steal passwords from other users' desks, delete data, or copy confidential information with relative ease.

Even businesses with strong perimeter protection against hackers fail to enforce basic internal security measures, such as enforced password changes or bans on staff sharing user accounts.

There are, of course, heavyweight protection measures that businesses can turn to, such as identity and access management suites, data loss prevention software, and network monitoring. All these have their value, and are certainly more effective than using superglue to seal up PCs' USB ports - as some UK government departments were said to have done after the HMRC data loss case.

But these measures can be expensive and complicated to deploy, and unless they are rolled out with care they can cause serious problems for staff trying to do their legitimate jobs.

What businesses can do, though, is ensure their data security policies are up to date, and ensure that staff are aware of the threats posed by lax security, as well as social engineering. It is alleged, for example, that in the Gucci case Yin tricked his former colleagues into activating the rogue VPN token he then used to enter the network.

Setting policies and raising awareness need not cost much, but can go a very long way to addressing the problem of the insider threat. It might be hard to block the use of a rogue VPN token, but in too many UK companies staff still keep their system passwords on a sticky note on their computer screens.

Stephen Pritchard is a contributing editor at IT PRO.