Companies must protect their data
Employees have become one of the largest security threats
The local security industry has undergone major changes over recent years. This is due to many factors, including increased computer usage; the proliferation of mobile devices, PDAs and small mass storage devices; changing trends in threats to computer users and organisations; and increased use of the Internet for electronic transmission of sensitive information and mission-critical business applications. This is according to J2 Software managing director John Mc Loughlin.
He says this has called for a new focus in the security industry. "Until recently, the primary focus was on inbound threats where the emphasis was placed on the need to keep the information technology environment secure from external threats. To this end, major technology solutions have emerged that focus on preventing intruders and hackers from accessing an organisation's IT network and resources. These include firewalls, antivirus applications and intrusion detection solutions."
There is no doubt that the Internet has been one of the biggest contributors to globalisation: it has enabled us to do business anywhere, anytime. It has ultimately enabled organisations to easily contact suppliers and customers around the world, 24 hours a day. However, the Internet has also brought about new security threats to organisations.
"The Internet has enabled staff to be more efficient; they can now easily send out quotations to customers, receive and process orders, easily generate and send out invoices, generate and send detailed confidential plans and/or designs, check stock, and collaborate with colleagues on tender submissions," he explains.
Mc Loughlin points to the security threats that the Internet has brought about. "Intellectual property and customer information, gained through many years of hard work and normally at a huge cost, can now easily be taken out of the organisation by means of email without anyone knowing that data theft has taken place."
Statistics show that 70 to 80 percent of theft relating to sensitive data and information originates from within organisations. Moreover, they also show that 80 percent of all pornography and other inappropriate material is downloaded during office hours.
In today's Information Age, most sensitive data and information is stored electronically, making it relatively easy to access. Access to such sensitive data often has to be provided to a group of internal staff for the sake of ongoing business operations. However, in today's competitive world no staff member is really permanent. There is seldom any guarantee that all personnel are loyal and content and would not seek other forms of profit. Due to this, there exists a ready market for the purchase of sensitive information, especially relating to an organisation's customer data, product strategies, channel information and various other data that competitors or others would be more than ready to buy for a price.
With the advent of mobile technologies and removable devices, it has become extremely easy to move data out of the previously assumed secure confines of an organisation. Mobile phones, USB thumb drives, DVD/CD drives and Disk on Key (DOK) devices are freely available at affordable prices, making it easy for individuals to copy, store and remove sensitive information without arousing suspicion of theft.
This has also given rise to numerous web-based email services. Almost all of these services provide huge mailbox storage capabilities, thereby allowing individuals to email out large extracts of sensitive data, bypassing the organisation's secure email systems.
"Almost everybody you ask will tell you that their company has an internal IT Policy which is meant to govern the use of the company's IT Infrastructure. Some of them will tell you exactly where it is stored; others will tell you that they remember seeing it many months ago. Those very same people will more than likely also tell you that they have not seen any physical, measurable enforcement of this policy," he explains.
"So how is your policy enforced? Is it with a nice laminated copy of the policy stuck up on walls around the office building, or perhaps regular e-mail warnings sent from top management stating that if any inappropriate information or material is found on the machines it can lead to further disciplinary action?"
He says the average staff member is going to do as much as they can possibly do without getting caught. "Many will decide to quickly surf the web to find the latest and greatest MP3s for their personal player before they get to the business task at hand, then once found they will download them on the company. Now because the bandwidth is being used up and it is too slow to send out e-mail correspondence; as they wait for the download to complete they have no option but to play a few card games on their company computers. After all, there are nine hours in a day, we can wait a while before we finish off that assigned task."
"This is why it has become imperative that companies now protect their data, not only from the outsider threat, but more importantly, from the insider attack. It is vital they have an overall data security strategy that covers all potential threats," he concludes.
Today, most organisations already have their external security covered with antivirus, intrusion detection and firewalls. They must now also set up, institute and enforce their internal IT security policy. Data security is an absolute necessity for all organisations to ensure competitive advantage, maintain proprietary and customer information, comply with laws and regulations, and ensure maximum shareholder benefit.