We usually think of our IT defences as tools for keeping the outside world at bay. With this siege mentality, based on threats posed by barbarians beyond the gates, it’s very easy to forget about the enemy within: our own employees. And when they’re not wreaking havoc themselves, internal staff are instigating breaches of security that leave the drawbridge down long enough to let the bad guys dance right in.
Simon Tang, Toronto-based senior manager of Deloitte & Touche LLP’s Security Services group, provides us with five ways your own troops can put holes in your defences.
- Inside snoops. Some people just can’t resist temptation when they get a chance to see what’s in a coworker’s pay package. Privacy laws aren’t just for protecting the data of customers. Employees are entitled to protection as well, even from each other. Because benefits plans usually mean that medical and other confidential personal data are lurking in your IT system, strenuous protection is needed from those nosy people who are not fully authorized to access it but do anyway.
Confidential corporate data also requires protection from internal prying. Contracts in progress, financial info, internal marketing documents — they are all tied to a company’s competitive edge and profitability. The threat of corporate espionage is real, and collection of the data is often an inside job.
- Data meddling. How many films show the class geek trying to impress the head cheerleader by hacking into the school computer system and boosting her math mark? In the corporate world, the same cyber geek can gain authorized access to his company’s data and tweak numbers, language in financial systems, payroll records and other sensitive information. He can give himself a pay raise or cut himself a cheque for nonexistent travel expenses. Or he can act maliciously against a coworker or the company as a whole, by corrupting crucial information.
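The first two items share a defensive control: an audit trail on HR and financial records, reviewed for two patterns, staff reading sensitive records of coworkers when their role does not require it, and staff changing payroll or expense records in which they are the beneficiary or the approver. The script below is an added example and not part of the article or of Deloitte’s methodology; the log format, field names, department policy and every record in it are constructed for illustration.

```python
"""Review a constructed HR/finance audit log for two insider patterns:
snooping on coworkers' sensitive records and self-serving record changes.
Added example; log layout, department policy and sample events are assumed."""
from dataclasses import dataclass
from typing import List

# Assumed policy: only these departments may read other employees' HR data.
AUTHORIZED_DEPTS = {"hr", "payroll"}
# Assumed record types that hold pay, benefits or medical information.
SENSITIVE_TYPES = {"payroll", "benefits", "medical"}


@dataclass
class AuditEvent:
    timestamp: str
    actor: str        # user who performed the action
    actor_dept: str   # department the actor belongs to
    action: str       # "read" or "update"
    record_type: str  # e.g. payroll, benefits, expense
    subject: str      # employee whose record was touched
    approver: str     # who approved an update; "-" when not applicable


def parse_line(line: str) -> AuditEvent:
    """Parse one whitespace-separated audit line (constructed format)."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError(f"malformed audit line: {line!r}")
    return AuditEvent(*fields)


def parse_log(lines: List[str]) -> List[AuditEvent]:
    """Parse all non-empty, non-comment lines."""
    return [parse_line(l) for l in lines if l.strip() and not l.lstrip().startswith("#")]


def find_snooping(events: List[AuditEvent]) -> List[AuditEvent]:
    """Reads of another employee's sensitive record by someone outside HR/payroll."""
    return [
        e for e in events
        if e.action == "read"
        and e.record_type in SENSITIVE_TYPES
        and e.subject != e.actor
        and e.actor_dept not in AUTHORIZED_DEPTS
    ]


def find_self_dealing(events: List[AuditEvent]) -> List[AuditEvent]:
    """Updates where the actor is the beneficiary or approved their own change."""
    return [
        e for e in events
        if e.action == "update"
        and (e.subject == e.actor or (e.approver != "-" and e.approver == e.actor))
    ]


# Constructed sample log: timestamp actor dept action record_type subject approver
SAMPLE_LOG = """
# 2024-05-01 constructed audit extract
2024-05-01T09:12:00 alice sales       read   payroll  bob   -
2024-05-01T09:15:00 carol hr          read   benefits bob   -
2024-05-01T10:02:00 dave  finance     update payroll  dave  erin
2024-05-01T10:40:00 erin  finance     update expense  frank erin
2024-05-01T11:05:00 bob   engineering read   payroll  bob   -
2024-05-01T11:30:00 gina  finance     update expense  henry ivan
""".strip().splitlines()


def review(lines: List[str]) -> dict:
    """Return the actors flagged under each pattern, for reporting."""
    events = parse_log(lines)
    return {
        "snooping": [e.actor for e in find_snooping(events)],
        "self_dealing": [e.actor for e in find_self_dealing(events)],
    }


if __name__ == "__main__":
    for pattern, actors in review(SAMPLE_LOG).items():
        print(f"{pattern}: {actors}")
```

Running it flags alice (a sales employee reading bob’s payroll record), dave (changing his own payroll entry) and erin (approving her own expense claim), while carol’s HR read and bob’s read of his own record pass. In practice the two checks map to separate controls: the first is a least-privilege and access-review problem, the second a segregation-of-duties rule that the payroll or expense system should enforce before the fact, with the log review as the detective backstop.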
- Lowering the drawbridge. Corporate IT networks are often a lot faster than an employee’s Internet connection at home, tempting them to upload and download all sorts of bulky files such as photos, video clips and music, at work. This is a security nightmare. They may be not only indulging in illegal behavior, such as trading in child pornography, but in the process of file-sharing and browsing unauthorized Web sites, they can unwittingly introduce viruses. One company was recently infected by a worm that erased all Excel and PowerPoint files on its network. It’s a pretty steep price to pay for having one employee who wanted an mp3 of The Archies’ “Sugar Sugar.”
- Personal time on the company line. Beyond the sort of high-risk behaviors mentioned in item three, employees can hijack IT resources for their own ends. In the same way a father might have photocopied flyers for his kid’s T-ball league in the past, people have been known to run complete businesses using corporate resources. Other activities that chew up IT resources and expose the company to potential liability include sending spam e-mails, selling products on-line and running a find-a-mate service.
- Your IT network as a hollowed-out volcano. Every Dr. Evil needs a secret lair. Your network could be it. Employees can use it to conduct mojo-deflating attacks on others on the Internet. If the source of an attack like a distributed denial of service can be traced to you, your company is liable and you may not be able to finger the employee responsible.