RISKVUE ARCHIVE | RISK BITES
Internal Security: Locking Your Own Back Door
By Philip Pierson
Ironically, the biggest threat to a company’s networks comes from the inside, not from external enemies. Statistically, 70 percent or more of all information security or privacy breaches involve employees or other internal entities such as consultants or vendors.1 Employee layoffs have been an increasingly common part of American business in the last year, yet few companies think about the digital security ramifications of a reduction in force.
Angry employees can (and have) disrupted the operations of their employers by:
- Sending the company a virus and shutting down its network
- Stealing data and holding it hostage, demanding millions of dollars or more for its return
- Pirating proprietary data or competitive information
- Disclosing confidential records, which can bring third-party liability repercussions or even civil penalties
- Bombarding a Web site to provoke a “denial of service” attack
In addition to intentional acts of sabotage, many other e-business accidents and losses can occur through employee ignorance, lack of vigilance, or neglect. Unintentionally, employees can do just as much damage as the deliberate saboteur. For example, they can:
- Give information to hackers posing as customers that allows them to break into a system
- Take their laptop on a trip and lose it or leave it unattended, along with its access to proprietary data and the company network
- Put company information on a home computer so that they can work from home, then leave the computer unattended to be accessed by anyone in or visiting the home; or “clean” the hard drive by deleting files, then donate the computer or give it to a student
- Open a personal e-mail at work and give the company a virus that not only shuts down its system, but begins to send itself out to the company’s clients
- Incorrectly dispose of digital documents that can be reclaimed or reconstituted later
- Send a defamatory comment or off-color joke via the company’s e-mail system, opening the firm to potential liability and lawsuits
- Send an e-mail with confidential information to the wrong destination, or even post it on the Web site
There are many ways in which companies accidentally leave their “back door” open to internal sabotage, including:
1. Allowing non-authorized access to the system, which can result in manipulation and modification of data, theft of information, loss of data, or failure of the computer system
2. Failure to implement or install the appropriate security measures (strong passwords, encryption, VPNs, etc.), which could lead to the interception of confidential data, which may be read or modified
3. Allowing improper use of the system by employees, leading to blackmail or espionage or information loss
4. Leaving systems open to attacks on Web sites or internal computer systems, which can result in damage caused by viruses or Trojan Horses, and denial of service attacks
What can companies do to protect themselves from these internal vulnerabilities? Rick Shaw, President and CEO of CorpNet Security, a company that develops and provides online training to employees on digital security, physical security, and privacy, has this advice.
- Recognize that security has two components: security of the system itself, and security in the way that it is used. The most powerful virus protection and the latest security software can be useless if not deployed properly. Too many times, businesses think, “I’ve got a network administrator, I’m secure.” But no one can watch over everything. Network administrators address the hardware and software; however, companies must also address the people side of the security equation by getting current information to users to empower them to protect the system and use it correctly.
The employee is most often the first layer in the security process. Firms need to create a “culture of security” among users which means employees must be educated on best practices for protecting information. To be effective, that culture must be constantly reinforced from top management on down to all employees so that suspicious activities and incidents are managed effectively.
- Establish policies and procedures. Your company should develop its own policies and procedures on how the system is used and how security is maintained. Analysis of these policies and procedures should be part of any outside security evaluation that is done by a third party. The policies should cover, for example, what employees can say or what information can be released over the phone, and what types of information they can throw away and how it needs to be discarded.
- Protect against human vulnerabilities and risks. Technology in and of itself cannot protect organizations from “social engineering” and “dumpster diving.” Social engineering is communication or interaction in which someone obtains information to infiltrate the system, such as by calling up claiming to be someone else, or using voicemail or e-mail to trick someone into giving out information they shouldn’t. The September 11 terrorists used social engineering to pull off their sabotage, not technological wizardry.
Dumpster diving is the process of going through discarded documents — digital and paper — to find confidential or valuable information, or to find clues to sabotage a system. If a company throws papers away without shredding them, this information is considered in the public domain. If a hospital, bank, or any organization throws away paper records, a computer tape, or CD, confidential information can be retrieved and disclosed resulting in a potential security or privacy breach.
In employee training, use real-life examples of how things can go wrong so employees can relate the potential dangers to their own situations. Having these policies and procedures in place will not only help to reduce the likelihood of an e-business accident, but they will decrease company liability should one occur.
- Institute mandatory, enterprise-wide training. Require that all employees and other users of the system — consultants, vendors, trading partners, for example — be trained on your policies and procedures. Online training can be useful in standardizing the training experience, and in requiring the employee to respond in an interactive way, thus engaging their attention and making a record of their responses and understanding of the policy. Online training is less expensive than “classroom” training, and can be easily updated as regulations and policies change.
- Know the standards regulating your industry on privacy and confidentiality of data. Some industries, such as health care and financial services, are currently facing regulations that require training all employees on these standards as part of their compliance.
- Become compliant with strategic partners. More and more often, contracts between trading partners contain provisions about data and systems security. Regulations such as HIPAA require business associates of health care companies to observe the same precautions to protect confidential medical information.
- Set up “secure” termination procedures. Your company’s termination procedures must include appropriate steps to secure your network from acts of retaliation, and communication is key. The organization needs a way to communicate information on the layoff, and who will be affected, from HR (usually the first department to be made aware of a termination or layoff) to those responsible for the physical security of the company, to IT, to employees, and all the way to outsourced security guards. For example, one terminated employee was able to damage his former employer’s system — and destroy evidence of why he had been fired — by gaining entrance to the facility with a friend who was still employed. In this case, the security guard knew his face but did not know that he had been fired.
The IT staff needs to know immediately so they can make the necessary system access changes, such as changing passwords or deactivating user IDs and access rights. They must also take steps to eliminate the potential for remote access from laptops or home computers, and even by telephone. In another security breach, a former employee was able to forward his phone calls to his new worksite, which was a competitor of his former employer.
- Utilize technology that detects security breaches. Technology solutions such as intrusion detection systems (IDS) can also be effective in monitoring unauthorized access to internal systems. Similar to what a video camera does in the physical security world, an IDS can “monitor” access to systems and provide evidence that may be needed should a disgruntled employee or ex-employee attempt to attack a system. If a breach takes place and the law or courts are involved, forensics will play a critical role. In these cases, it will be critical for an organization to show that policies and procedures are in place, that employees are knowledgeable about them, and that information has not been manipulated or destroyed.
- Make sure your company is properly insured for cyber risks. Company executives and officers have personal as well as professional reasons for ensuring that company policies and procedures are developed and implemented, including personal liability for failures to put in place appropriate security measures. As a result of upcoming HIPAA regulations in health care, for example, CIOs could face jail sentences if the privacy of information is not preserved. General liability insurance does not cover these liabilities.
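The termination and detection items above describe two checks that can be automated: confirming that every offboarding step (account disabled, remote-access rights removed, telephone forwarding cleared) was actually completed once HR gives notice, and reviewing access logs for any activity by a terminated user after the termination took effect. The script below is an added example written for this page; it is not code from the article, from riskVue, or from CorpNet Security. The user names, timestamps, directory snapshot and log lines are constructed sample data, and the `<time> <service> <result> user=<id>` log format is an assumption rather than any product's real format.

```python
"""Reconcile an HR termination notice against account state and access logs.

Added example (not from the riskVue article or CorpNet Security). It shows
an offboarding audit (accounts, remote-access groups and call forwarding
that survived a termination) and a detection pass over authentication log
lines that reports any access attempt by a terminated user after the
termination time. All names, timestamps and log lines are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
import re

# Constructed HR notice: username -> moment the termination took effect.
TERMINATED = {
    "jdoe": datetime(2002, 6, 10, 17, 0),
    "mroe": datetime(2002, 6, 11, 12, 0),
}

# Constructed snapshot of directory and telephony state taken after HR's notice.
ACCOUNTS = {
    "jdoe": {"enabled": False, "groups": {"staff", "vpn-users"}, "call_forward": None},
    "mroe": {"enabled": True, "groups": {"staff", "dialin"}, "call_forward": "+1-555-0100"},
    "asmith": {"enabled": True, "groups": {"staff", "vpn-users"}, "call_forward": None},
}
# Groups that grant remote access (VPN, dial-in); assumed names.
REMOTE_ACCESS_GROUPS = {"vpn-users", "dialin"}

# Constructed access-log lines in an assumed "<iso-time> <service> <result> user=<id>" format.
SAMPLE_LOG = """\
2002-06-10T16:40:00 vpn accepted user=jdoe
2002-06-10T18:05:12 vpn accepted user=jdoe
2002-06-11T08:30:00 badge accepted user=asmith
2002-06-11T13:02:45 badge accepted user=mroe
2002-06-11T13:10:09 fileserver denied user=mroe
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>\S+) (?P<result>accepted|denied) user=(?P<user>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str
    detail: str


def audit_offboarding(accounts, terminated, remote_groups=REMOTE_ACCESS_GROUPS):
    """Flag offboarding steps that were not completed for terminated users."""
    findings = []
    for user in terminated:
        acct = accounts.get(user)
        if acct is None:
            continue  # nothing left to disable for this user
        if acct["enabled"]:
            findings.append(Finding(user, "account-enabled", "account still enabled"))
        leftover = sorted(acct["groups"] & remote_groups)
        if leftover:
            findings.append(Finding(user, "remote-access", "still in " + ", ".join(leftover)))
        if acct["call_forward"]:
            findings.append(Finding(user, "call-forward", "calls forwarded to " + acct["call_forward"]))
    return findings


def parse_log(text):
    """Parse log lines in the assumed format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "service": m["service"],
            "result": m["result"],
            "user": m["user"],
        })
    return events


def post_termination_access(events, terminated):
    """Report every access attempt, accepted or denied, by a user after termination.

    Denied attempts are reported too: they are the evidence trail the article
    says forensics will need, and a burst of them is itself a warning sign.
    """
    findings = []
    for ev in events:
        cutoff = terminated.get(ev["user"])
        if cutoff is not None and ev["ts"] > cutoff:
            findings.append(Finding(
                ev["user"],
                ev["result"] + "-after-termination",
                ev["service"] + " at " + ev["ts"].isoformat(),
            ))
    return findings


if __name__ == "__main__":
    # Run both checks on the constructed data and print the findings.
    for f in audit_offboarding(ACCOUNTS, TERMINATED) + post_termination_access(parse_log(SAMPLE_LOG), TERMINATED):
        print(f"{f.user}: {f.kind} ({f.detail})")
```

On the sample data the audit reports that jdoe's account was disabled but left in the VPN group, and that mroe is still enabled, still has dial-in, and still forwards calls, which mirrors the telephone-forwarding incident described above. The log pass reports jdoe's VPN login an hour after termination and mroe's badge and file-server activity the following afternoon. In practice the HR notice would be the trigger that runs these checks, and the output would go to both IT and physical security, since the terminated-employee cases in the article failed at the handoff between those groups.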
In summary, most cyber attacks and breaches of Internet and computer security occur as a result of actions of employees, either intentionally or accidentally. Companies need to protect themselves from e-business risk not only with technological security tools and specialized insurance, but they also need to create the culture of internal security that will ensure the “users” of the system — the employees — know how to use it properly, to maintain security and privacy, and avoid cyber “accidents.” 
ABOUT THE AUTHOR
Philip Pierson is founder and manager of e-Sher Underwriting Managers, the cyber insurance facility of Swett & Crawford, the nation’s largest insurance wholesaler. e-Sher works in conjunction with leading edge security assurance developers, counselors and intelligence experts to provide policyholders with high quality risk and security assessments and products, to avoid or at least mitigate damage to computer networks and information assets before they occur. For more information, contact Mr. Pierson at philip_pierson@swett.com, 949-477-6646.
Notes
1 Sharon Gaudin, “Case Study of Insider Sabotage: The Tim Lloyd/Omega Case,” Computer Security Journal, November 3, 2000.
riskVue | The webzine for risk management professionals
June 2002