Gaining control of the enemy within
Many companies have security tools to protect against hacking, but few realise that internal attacks pose an equal threat, explains Jon Collins
IT security tools have traditionally focused on preventing what we could loosely call external threats – hackers, viruses, worms, for example. From the perspective of customer organisations, however, this is only one part of the story.
It is just as likely, for example, that an attack could come from an insider – a disgruntled staff member having a quick browse round the HR file share to see if there are any interesting files left visible. When we questioned 715 senior IT managers for our report, Enabling the Trusted Workforce, they told us that inside jobs were almost as likely as indiscriminate pestering such as viruses and even more likely than targeted attacks from the outside.
While this may come as no surprise to many who have experienced such matters first-hand, it does raise the question: ‘Why has the internal threat not been addressed sooner?’
Employee-related risk is a moving target, however. For example, the fragmentation of corporate systems makes it difficult to keep control of confidential data – an issue exacerbated by the availability of portable storage, such as USB sticks and MP3 players.
Of course, it is technically possible to prevent such devices from being connected to corporate equipment, but this can create problems of its own, as USB sticks sometimes offer the only way to get a file from A to B. Furthermore, actively switching off USB ports is an operational nightmare and difficult to do without blocking access to other, perfectly valid devices.
As new generations of technology offer new ways of working, they also create new security headaches. Consider mobile devices such as the BlackBerry, which can be a powerful asset but is also often left lying around, or left behind, by users.
But the problem can never be solved by security technology alone – even the most secure environment needs to be managed by somebody, who may or may not have their own fingers in the pie.
Put bluntly, few organisations are doing everything they can to ensure that the IT risks associated with their own staff are minimised. This is as much about procedure and policy as it is about technology. Only about one-third of enterprise organisations screen their own staff as part of the recruitment process, for example, and this number drops further for smaller organisations.
We’re not advocating a police state – the goal is to understand and manage the real risks rather than trying to create jobs or undermine the rights of employees. However, one wonders if technology is sometimes being used as an avoidance tactic, as it is easier to go through the motions of locking down systems than it is to ask difficult questions of one’s peers and direct reports. This is reflected in the research, as nearly 70 per cent of respondents commented that policy- and process-related challenges were holding them back.
This is an important point, as the upshot of all this has less to do with ending up with a nicely secure organisation than with what that security makes possible. Security cannot be an end in itself; rather, it is about reducing risk to the extent that the organisation feels comfortable pushing its own boundaries into domains such as remote working, better use of mobile devices and closer relationships with suppliers and customers.
Security issues cannot be solved by technology alone. In a domain traditionally constructed around protecting against external fears and doubts, suppliers and their channel partners would do well to sit up and take note of the threat from within.