In 1999, personal information about Air Miles rewards cardholders found its way off the company’s servers and into the hands of third parties. From 2001 until 2004, personal account information about CIBC customers was leaked by fax to outside companies without their consent. Also last year, a financial planner’s laptop containing personal information about 960 customers was stolen from his car. These were serious breaches of security, but they had nothing to do with digital miscreants on the electronic frontier. Indeed, only the Air Miles case, where the information was on an unprotected server partition, had anything to do with computer networks. What they have in common is that all three breaches were the result of employee misconduct or bungling.
“What (the CIBC case) shows in particular is that, even though the bank had policies and rules in place, where they fell down was in the education of users,” says Joe Greene, vice-president of IDC Canada. “The key is that you certainly need practices and procedures, but you also need your employees to follow them. The best security technology in the world does little good if they don’t.”
Indeed, employees are often the weak link in the security chain. According to the Computer Crime Survey published jointly by the Computer Security Institute and the FBI, the losses estimated by 486 corporate respondents from wireless network and employee internet abuses totaled almost $21 million (US) in 2004. That might not seem like a lot in the grand scheme of global business, but it’s almost as much as the losses estimated from hacker denial of service attacks in the same period.
The bottom line — and security is always about the bottom line — is that employees have to know what’s expected of them. More to the point, companies have to be sure that their employees are living up to these expectations. If malware and viruses can find their way into the enterprise network, or privileged information can find its way out through the inadvertent actions of a guy in the accounting department, then those actions have to be stopped before it happens.
“I don’t think users are doing things to jeopardize security on purpose,” says In-Stat research analyst Victoria Sodale. “They’re just curious. Sometimes they come across a phishing message so weird that they just have to click through. They have to be educated so that they don’t.”
That’s cold comfort with companies facing increasingly stringent liability. The Sarbanes-Oxley act in the U.S. has made corporate executives personally accountable for information practices. Canada’s federal privacy commissioner found the financial planner’s bank responsible for his inability to ensure the physical security of his data-laden laptop under the Personal Information Protection and Electronic Documents Act.
When it comes to security, no company in Canada or the U.S. can sit with its eyes wide shut. Governance has become a particularly important, even critical, part of security. “It’s broader than just security,” Sodale says. “It’s not just making sure that you have it, but also that it’s documented and enforced.”
To do that, companies have to begin at the beginning, Greene says. “It starts with an audit that comes to grips with the rules that apply to the company,” he says. “Then, it examines what procedures and technologies you have in place to help adhere to them.”
Forewarned is forearmed. Greene says the audit has to look long and hard at compliance issues, both with company policies and with regulatory requirements. “Starting there, you can quickly come to some kind of consciousness about whether employees are educated about security practices,” he says. While he doesn’t believe separate user agreements are necessary in most enterprises, Greene nevertheless points out that employee contracts should detail company policy concerning corporate information and system use.
That said, the real task is to ensure that employee computer use does comply with these policies. Greene says that, while it’s difficult to keep track of every employee’s every mouse click at all times, there are some technological solutions. One of the most pressing issues, however, is e-mail.
“What is really scary is that something like 75 to 80 per cent of a company’s intellectual property comes through e-mail,” Sodale says. “Although there are technologies like e-mail firewalls and add-ons to Exchange and Lotus Notes, the e-mail content itself has been ignored in the emphasis on perimeter security measures like firewalls.”
Apart from e-mail encryption, Greene notes that there is a new generation of tools that gives companies greater control of how their employees use this most pervasive network technology. “We’re starting to see e-mail content management coming to the fore, like Entrust’s Secure Messaging Solution,” he says. “There’s also rules-based filtering for e-mail containing sensitive information.”
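The rules-based filtering Greene describes works by matching outbound mail against patterns for the data a company must not let out, and then deciding what to do with the message based on what matched and where it is going. The following is an added illustration, not code from this article or from any product named in it: a toy outbound filter with three constructed rules (payment-card numbers and Canadian social insurance numbers validated with a Luhn checksum to cut false positives, plus a handling marker such as “confidential”), an assumed internal domain `example-bank.test`, and a policy that blocks sensitive identifiers addressed outside the company, quarantines marked material for review, and lets internal traffic through.

```python
"""Toy rules-based outbound e-mail filter (added example; not a product's code)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    match: str
    severity: int   # 3 = sensitive identifier, 1 = handling marker only


def luhn_valid(number: str) -> bool:
    """Luhn checksum over the digits; used so a random run of digits is not flagged."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Constructed rule set: (name, pattern, severity, whether a Luhn check is required)
RULES = [
    ("payment_card", re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"), 3, True),
    ("canadian_sin", re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"), 3, True),
    ("handling_marker", re.compile(r"\b(?:confidential|internal only)\b", re.IGNORECASE), 1, False),
]

INTERNAL_DOMAIN = "example-bank.test"   # assumed internal mail domain for the example


def scan_message(text: str) -> list:
    """Run every rule over the message text and return the surviving findings."""
    findings = []
    for name, pattern, severity, needs_luhn in RULES:
        for m in pattern.finditer(text):
            if needs_luhn and not luhn_valid(m.group(0)):
                continue        # pattern matched but checksum failed: not a real number
            findings.append(Finding(name, m.group(0), severity))
    return findings


def decide(recipients: list, findings: list) -> str:
    """Return 'allow', 'quarantine' or 'block' for a message with the given findings."""
    external = any(not r.lower().endswith("@" + INTERNAL_DOMAIN) for r in recipients)
    if not findings:
        return "allow"
    worst = max(f.severity for f in findings)
    if external and worst >= 3:
        return "block"          # sensitive identifier addressed outside the company
    if external:
        return "quarantine"     # marked material going out: hold for human review
    return "allow"              # internal traffic: log the findings, let it through


if __name__ == "__main__":
    # Constructed sample messages; 046 454 286 and 4111 1111 1111 1111 are well-known test values.
    samples = [
        (["partner@outside.test"], "Client SIN 046 454 286 attached as discussed"),
        (["partner@outside.test"], "Internal only draft of the Q3 numbers"),
        (["alice@example-bank.test"], "Card 4111 1111 1111 1111 needs reissuing"),
        (["partner@outside.test"], "Order reference 4111 1111 1111 1112"),   # fails Luhn
    ]
    for to, body in samples:
        found = scan_message(body)
        print(decide(to, found), [f.rule for f in found], "->", to)
```

The Luhn check is what keeps a rule like this usable: a nine- or sixteen-digit pattern on its own would flag order numbers and phone numbers, and a filter that cries wolf gets switched off. The recipient check is the other half of the policy the article hints at: the same message can be harmless internally and a reportable leak once it leaves the organization.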
The other big issue when it comes to employee system use is what they do when they’re not in the office. Companies are increasingly encouraging employees to take their work home. The upside is increased productivity, but the downside is that, outside of the firewall, enterprise security technologies aren’t much help. “That all comes down to education, policies and procedures,” he says. “If you’re going to allow an employee to take a PC home, it has to be checked and scanned for viruses and malware. I don’t think companies are doing that but, like anything else involving security, they have to start paying attention to how employees are using their technology assets.”
At the end of the day, after all, what you don’t know can certainly hurt you.