Beware of the evil that lurks within

The biggest security threat to a company’s data is not nefarious hackers but staff, writes Tom Berry

By Tom Berry

20 Jun 2005


Mrs Berry started getting worried when pictures of ladies in various states of undress appeared on our home PC. But the offending material is not the product of my late-night surfing. It’s all to do with IT security.

Not only did our home PC security software expire some time ago, we also recently installed a wireless network but, like a third of all wireless networks in the City of London, left it unsecured. For all we know neighbours and passers-by could be using our broadband connection and PC to trawl the dark corners of the internet. Our PC became infested with spyware, malware and other nasties, and it has taken a few hours of disinfecting and encrypting to get it running properly again.

For PC users, IT security breaches are mostly minor irritations. But the consequences of IT security issues in business are rather more serious than the occasional full frontal.

Hackers and viral threats are well known. Distributed denial of service attacks are on the rise. But, in general, most IT departments are pretty clued up about protecting against these direct assaults on systems.

But there are other ways to get hold of sensitive company data, without having to hack into company systems – like buying it on eBay in the form of used kit sold off by companies.

In some cases, the previous owners – many of which were large multinationals – had made little or no effort to erase the data from the machines before disposing of them. Some companies had employed third parties to cleanse the disks for them, but still information was retrievable. “This is not embarrassing for us; it’s absolutely horrifying,” said one company.

The real weak link in IT security, however, lies within the organisation. Employees have a habit of making life easier for the cyber criminal. People tend to use passwords that are easily guessed, like ‘password’ – a popular and ill-advised choice, as are children’s names and birthdays.

Employees are also excellent at leaving sensitive documents and equipment lying around. People also like to talk and so can be persuaded quite easily to give up all sorts of sensitive information. It is far easier for a hacker to call a junior employee of a large company, pretend to be head office and ask the employee for their logon details than it is for the hacker to try to directly break into a system.

Human beings are just too trusting. It seems they can even be tricked into divulging their most precious secrets to complete strangers on the street. Research carried out for trade show InfoSec found that nine out of 10 people questioned were willing to part with personal information that could be used for identity theft in return for theatre tickets.

The capacity for people to fail to engage their brains before they open their mouths is astounding. On the train home recently a colleague heard a commuter talking on his mobile: “My user name is Al, my password is Fish,” he shouted down the phone.

In the face of such gaffes, the best IT security systems are no better than locking your front door only to leave your windows open. Businesses should address the way their employees use and abuse technology rather than throwing more kit at the problem.
