Employees cost SAA R14m -- what does it cost your company?
Employees are becoming one of the largest security threats as data becomes more valuable to syndicates worldwide.
Recent reports show how a Nigerian syndicate infiltrated South African Airways and colluded with its call centre staff in scamming thousands of unsuspecting customers.
According to forensic investigators, between January and August 2006, call centre staff at flysaa.com helped the syndicate to process 1 949 fraudulent transactions, costing the national carrier more than R14 million.
J2 Software managing director John Mc Loughlin points to the security threats that the Internet has brought about. "Statistics show that 70% to 80% of theft relating to sensitive data and information originates from within organisations. Intellectual property and customer information, gained through many years of hard work and normally at a huge cost, can now easily be taken out of the organisation by means of e-mail without anyone knowing that data theft has taken place."
In today's Information Age, most sensitive data and information is stored electronically, making it relatively easy to access. Access to such sensitive data often has to be provided to a group of internal staff for the sake of ongoing business operations. However, in today's competitive world, no staff member is really permanent. It can seldom be guaranteed that all personnel are loyal and content and will not seek other forms of profit.
Due to this, there exists a ready market for the purchase of sensitive information, especially relating to an organisation's customer data, product strategies, channel information and various other data that competitors or others would be more than ready to buy for a price.
With the advent of mobile technologies and removable devices, it has become extremely easy to move data out of the previously assumed secure confines of an organisation. Mobile phones, USB thumb drives, DVD/CD drives and Disk on Key (DOK) devices are freely available at affordable prices, making it easy for individuals to copy, store and remove sensitive information without arousing suspicion of theft.
This has also given rise to numerous Web-based e-mail services. Almost all of these services provide huge mailbox storage capabilities, allowing individuals to e-mail out large extracts of sensitive data, bypassing the organisation's secure e-mail systems.
"Almost everybody you ask will tell you that their company has an internal IT policy which is meant to govern the use of the company's IT infrastructure. Some of them will tell you exactly where it is stored, others will tell you that they remember seeing it many months ago. Those very same people will more than likely also tell you that they have not seen any physical, measurable enforcement of this policy," he explains.
"So how is your policy enforced? Is it with a nice laminated copy of the policy stuck up on walls around the office building, or perhaps regular e-mail warnings sent from top management stating that if any inappropriate information or material is found on the machines it can lead to further disciplinary action?"
"This is why it has become imperative that companies now protect their data, not only from the outsider threat, but more importantly, from the insider attack. It is vital they have an overall data security strategy that covers all potential threats," he concludes.
Today, most organisations already have their external security covered with anti-virus, intrusion detection and firewalls. They must now also set up, institute and enforce their internal IT security policy. Data security is an absolute necessity for all organisations to ensure competitive advantage, maintain proprietary and customer information, comply with laws and regulations, and ensure maximum shareholder benefit.