The threats within
Most companies view security threats from an outside-in perspective. How can we protect our corporate computing environment from risks and threats from the outside world?
Organisations configure firewalls and IT intrusion detection systems, and implement a whole host of security devices, in an attempt to stop intruders and malware from entering their corporate network. There are, however, significant emerging threats to security that are not being introduced from external, unknown sources, but from employees themselves. This "threat from within" is one of the greatest IT security challenges businesses face and one of the hardest to protect against.
There is a wealth of independent information available that reveals businesses are simply not taking the necessary precautions to protect themselves from the risks their employees pose. McAfee commissioned a Europe-wide survey in late 2005 to find the extent of the problem, from the perspective of employees rather than employers. The findings are extremely insightful - some of the key points are covered in the paragraphs below.
Across Europe, one in five workers lets family and friends use laptops/computers to access the Internet. This is especially worrying when you consider that 42% of parents don't review the content of what their teens read/type in chatrooms or via instant messaging. Employee negligence means there is a high risk of malware, viruses, worms and Trojans being spread to the work network. It only takes seconds for an employee to attach an unprotected laptop or PDA to the work network and seriously expose the whole environment to infection. Few have any idea that their company laptop may not have the latest security updates.
Workers are also bypassing their company security procedures by attaching their own devices, such as iPods, USB sticks and digital cameras. On average, each security incident costs about 45 000 euros (more than R256 000), and it only takes a single incident to cause widespread devastation. Despite this, 66% of companies have no plans to deploy relevant countermeasures.
The security threats posed to businesses by their own employees highlight the pressing need for companies to adopt more robust security systems. In a recent Datamonitor (commercial/consumer research firm) survey, 46% of companies claimed rogue systems had been the source of a corporate infection. "Rogue systems" refers to unidentified, unaccounted-for and unmanaged systems with access to the corporate network, such as employee mobile devices and laptops.
Datamonitor found some respondents reported that this accounted for more than 50% of infections over the last 12 months. Both the McAfee survey and other independent findings point towards the need to identify the types of employees to watch out for and to put in place best practice to enable businesses to address these security challenges head on.