Subscribe

Employees a 'great IT security threat`

By Damaria Senne, ITWeb senior journalist
Johannesburg, 14 Mar 2006

Although technology`s role in protecting IT networks is important, more focus should be given to managing the threat posed by staff members, experts at last week`s two-day ITWeb Security Summit said.

Even if a company implements top-of-the-line facilities, there is still the people issue to take into consideration, said Trevor Symmonds, Web infrastructure manager for old Mutual.

"A foolproof system does not take into consideration the ingenuity of a fool," he said.

Staff at large corporations leak sensitive information every day, according to Dr Lidror Troyansky, chief scientist at PortAuthority Technologies.

Some do it inadvertently, sending a document to the wrong recipient. Others take projects home to complete without considering the information is sensitive and should not leave the company premises or be e-mailed from a home computer, he said.

Leaks also happen when policies and procedures are over-complicated and people don`t really know what is, or what is not permitted, he said.

In the case of a malicious attack, the person leaking sensitive information or attacking the IT system may not necessarily be a "techie", Troyansky said.

Mike Silber, a consultant with Michalsons Attorneys, presented a case study in which a disgruntled employee inserted a Trojan program into the Edgars stores network, distributing it to individual stores.

Although the programme did not work as intended, the company still felt its impact. It disrupted transactions, costing the company in revenue. It also cost the company in terms of the physical effort required to individually remove it from store computers, said Silber.

Solutions

Staff activities on the network may make it vulnerable to attack by viruses, said Sampie Pretorius, CIO of the State IT Agency (SITA).

Presenting the SA government network managed by the SITA as a case study, he said a sample of 1 991 computers surveyed in the second quarter of 2005 were infected with 1 278 713 viruses. That translates as each computer being infected with a virus 642.2 times in that period, he said.

As part of the mitigating strategy, control and management of the over 250 000 computers and 4 500 routers was centralised so that changes could not be made without prior permission. This limited the access of managers, whom he also cited as a potential risk because of the opportunities they have to access the network function.

The network survey indicated that 95% of virus attacks happened as a result of vulnerability introduced by users sharing information, music and photographs.

Thus, file and print-sharing facilities were removed. A solution that keeps malicious traffic and unsolicited mail outside the network perimeter was also implemented, he said.

A survey conducted in September 2005 to determine the state of the network following the strategy implementation, indicated there were only 32 000 virus incidents in that month. Pretorius noted that except for the cost of the solution protecting the network from unsolicited mail and malicious attacks, the other measures cost the government nothing.

Changing culture

The ultimate aim in IT security should be to change the culture of the people, said Paul Strauss, ABSA`s group information security officer.

Companies need to increase staff members` knowledge of IT security, so they appreciate the consequences of their actions, said Strauss.

Embedding security in the consciousness of staff is effective, according to Robert Martin, global digital security manager for Beyond Petroleum (BP).

One way to achieve this is to have a security moment at all meetings: a staff member gives a short brief based on the company`s policy. At all BP meetings, the first speaker outlines where all the exits are, then a selected staff member gives a brief on safety measures, he said.

Related stories:
Mitnick warns of 'holes in human firewall`
Former hacker in SA this week

Share