Employees the Next (Continuing) Big Security Risk?
surely_you_cant_be_serious writes "A nationwide survey finds that most companies consider their systems vulnerable to attack. Historically, crime rates increase during recessions — and some believe that cybercrime may well follow suit, especially given massive layoffs and the dim prospects many laid-off employees face in finding a new job. 'One thing companies can start doing is monitoring their networks on an ongoing basis so that they understand the normal pattern of data flow and usage, Brill said. In many cases, companies may not have the internal capability to do this, but outsourcing options are available. Kroll Ontrack, for instance, will be rolling out a 24/7 monitoring service for its global clients manned from a US location by professionals in early 2009.'"
when employees think their employer is treating them like criminals with little more than dubious and extremely general statistics for proof.
It's amazing how fast people will start breaking the rules if you start on the premise that they already are, and treat them accordingly.
A learning experience is one of those things that say, 'You know that thing you just did? Don't do that.' - D. Adams
Exactly. It makes sense that crime by unemployed people goes up in a recession. But the main risk is a company's systems being hacked by insiders. If you have an effective termination process, which includes revoking access, laid off ex-employees are no longer insiders.
However, I'm sure this kind of service is important for some companies, such as Kroll Ontrack, to survive the recession.
-- Support a free market in the field of government
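The termination process the comment above describes only works if someone actually checks that access went away. The following is an added example, not code from the thread or from any vendor named in it: a small offboarding reconciliation that joins an HR roster (termination dates) against an identity export (accounts, enabled flag, last login, entitlements) and reports what survived. The data and field names are constructed for illustration.

```python
"""Offboarding reconciliation: find access that outlived a termination.

Added example; the roster, account export and field names are constructed
and assumed, not taken from any real system.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Person:
    employee_id: str
    terminated_on: Optional[date]  # None while still employed


@dataclass
class Account:
    username: str
    owner_id: str                  # employee_id accountable for this account
    enabled: bool
    last_login: Optional[date]
    grants: set = field(default_factory=set)  # entitlements, e.g. {"vpn", "prod-db"}


def find_orphaned_access(roster, accounts, as_of):
    """Return sorted (kind, username) findings for accounts whose owner has left.

    still-enabled     owner terminated on/before as_of, account not disabled
    post-term-login   a login happened on or after the termination date
    lingering-grants  account disabled but entitlements were never revoked
    """
    terminated = {p.employee_id: p.terminated_on for p in roster
                  if p.terminated_on is not None and p.terminated_on <= as_of}
    findings = []
    for acct in accounts:
        term_date = terminated.get(acct.owner_id)
        if term_date is None:
            continue  # owner still employed (or leaves in the future)
        if acct.enabled:
            findings.append(("still-enabled", acct.username))
        if acct.last_login is not None and acct.last_login >= term_date:
            findings.append(("post-term-login", acct.username))
        if not acct.enabled and acct.grants:
            findings.append(("lingering-grants", acct.username))
    return sorted(findings)


# Constructed sample data: one current employee, one already gone, one leaving soon.
SAMPLE_ROSTER = [
    Person("e1", None),
    Person("e2", date(2009, 1, 15)),
    Person("e3", date(2009, 2, 1)),
]
SAMPLE_ACCOUNTS = [
    Account("alice", "e1", True, date(2009, 1, 19), {"vpn"}),
    Account("bob", "e2", True, date(2009, 1, 18), {"vpn", "prod-db"}),
    Account("bob-svc", "e2", False, date(2009, 1, 10), {"prod-db"}),
    Account("carol", "e3", True, date(2009, 1, 19), {"vpn"}),
]
AS_OF = date(2009, 1, 20)


def run_sample():
    """Run the check against the constructed sample and return the findings."""
    return find_orphaned_access(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for kind, user in run_sample():
        print(f"{kind:17} {user}")
```

The useful output is the `post-term-login` row: a login after the termination date is the one finding that cannot be explained by slow paperwork, and it is what the comment means by an ex-employee who is still, in practice, an insider.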
People have been around long before computers, and have always been the biggest risk to business.
Computers have just made it easier for employees to do more damage, either through malicious intent or just plain negligence.
Having many SMB clients where cost is always placed over security, it's scary just how vulnerable many businesses are to their employees, from even ignoring the most basic security steps like using ACLs to secure files and basic auditing of file access, or even implementing basic password policies like "Do not give your password, to anyone, ever!"
Did anybody else read "Kroll Ontrack" in the summary as "Troll OnKrack"? Seems to describe the people who would buy that crap as well as the users who necessitate it.
Kroll Ontrack, for instance, will be rolling out a 24/7 monitoring service for its global clients manned from a US location by professionals in early 2009.
It's a good thing that Kroll Ontrack's employees are all totally incorruptible, unlike the felons that must work for their clients...
So, let me get this straight -- Let's say Super Important Data Stuffs (SIDS) is in a database and as a company you want to protect it. But over 300 employees access that data every day. Evil Bad Hacker comes in and drops a trojan on one of those systems. A few days later, Evil Bad Hacker does a SELECT * FROM... fill in the blank... and in a few minutes it's compressed and uploaded. Super Important Data Stuffs was only 2 GB in size. How does your solution, or any solution, stop this while it's happening? Short answer: It doesn't. But you'll have a fine audit trail to give to the apathetic FBI, who will assure you everything will be done... Before promptly putting it into the circular filing cabinet.
You want your data to be less vulnerable? Stop having your servers practice unsafe hex with everyone who happens to be in the building. -_-
#fuckbeta #iamslashdot #dicemustdie
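The summary's advice to "understand the normal pattern of data flow and usage" and the 2 GB bulk-export scenario in the comment above are two sides of the same check. What follows is an added example, not code from the thread, the article or any vendor it names: a per-user baseline of daily outbound volume (median plus median absolute deviation) and a deviation check for the current day. The log lines and their format are constructed. It also handles the case the comment implies, an identity with no history at all, which a baseline cannot vouch for and so must be reported rather than silently passed. It does not stop an export already in flight; what it changes is that the alert fires on the first anomalous interval instead of only leaving an audit trail afterwards.

```python
"""Per-user volume baseline and deviation check over constructed transfer logs.

Added example, not part of the Slashdot thread. Log format (day, user,
bytes_out) and all values are constructed for illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed history for two users, then one day including a bulk export
# by "bob" and a large transfer by an identity with no prior history.
SAMPLE_LOG = """\
2009-01-05 alice 41000
2009-01-06 alice 39500
2009-01-07 alice 45200
2009-01-08 alice 40100
2009-01-09 alice 43800
2009-01-05 bob 12000
2009-01-06 bob 11500
2009-01-07 bob 13100
2009-01-08 bob 12400
2009-01-09 bob 11900
2009-01-12 alice 44000
2009-01-12 bob 2147483648
2009-01-12 svc_report 950000000
"""


def parse_log(text):
    """Return {(day, user): bytes_out} summed from 'day user bytes' lines."""
    totals = defaultdict(int)
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, nbytes = line.split()
        totals[(day, user)] += int(nbytes)
    return totals


def build_baseline(totals, before_day):
    """Per-user (median, MAD) of daily totals strictly before before_day.

    Median and MAD are used instead of mean and stdev so that one earlier
    spike does not inflate the threshold and hide the next one.
    """
    history = defaultdict(list)
    for (day, user), n in totals.items():
        if day < before_day:  # ISO dates sort lexically
            history[user].append(n)
    baseline = {}
    for user, vals in history.items():
        med = median(vals)
        mad = median(abs(v - med) for v in vals)
        baseline[user] = (med, mad)
    return baseline


def flag_day(totals, day, baseline, k=10, floor_bytes=100_000_000):
    """Return sorted (user, reason, bytes) alerts for `day`.

    exceeds-baseline  bytes > median + k * MAD and above the absolute floor
                      (the floor keeps small users who merely doubled quiet)
    no-baseline       identity has no history and moved more than the floor
    """
    alerts = []
    for (d, user), n in totals.items():
        if d != day:
            continue
        if user not in baseline:
            if n > floor_bytes:
                alerts.append((user, "no-baseline", n))
            continue
        med, mad = baseline[user]
        if n > med + k * max(mad, 1) and n > floor_bytes:
            alerts.append((user, "exceeds-baseline", n))
    return sorted(alerts)


def run_sample(day="2009-01-12"):
    """Build the baseline from history before `day` and flag that day."""
    totals = parse_log(SAMPLE_LOG)
    baseline = build_baseline(totals, day)
    return flag_day(totals, day, baseline)


if __name__ == "__main__":
    for user, reason, n in run_sample():
        print(f"{user:12} {reason:17} {n:>12,d} bytes")
```

In the sample, alice's 44,000 bytes sit inside her own history and produce nothing, bob's 2 GiB is roughly 180,000 times his median and is flagged, and `svc_report` is flagged only because it has no history to compare against. Tuning `k` and `floor_bytes` per environment is the real work; the structure (baseline from history, check the current interval, never let an unknown identity pass by default) is the point.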
Well... revoking access is hypothetically a no-brainer. ("Hypothetically" because it's still shockingly uncommon.)
But a former insider may still know enough about your environment to make an extremely effective blackhat. Not much you can do about that without using a big hammer, a la Catbert, to remove your employee's detailed knowledge before escorting him/her out.
Welcome to the Panopticon. Used to be a prison, now it's your home.
Well the article does not say Ex-employees, so that means we should also consider employees still part of the "team" (as my manager puts it).
In a recession, somebody employed yet still enduring paycuts would probably be somewhat disgruntled too, even if not "terminated" per se (but with terminations all around said employee, or the looming fear of termination imminent). An employee with access to something worth anything would still be able to take it and run, and the possibility of him/her doing so in a recession/depression with constant paycuts and the constant threat of layoff is rather high, so this is where it gets hairy - how much do you trust your fellow employees? You can't cut present employees' access!
Well, now that I've struck fear into the heart of any employers/administrators reading this, I don't think this recession is quite to that point yet, but it may be something to watch down the road if things keep getting progressively worse.
Worried that people with access to your data might steal it and cost you money? Pay us to have access to your network! Don't worry a bit, our office is staffed by American Professionals(tm) just like the ones you are laying off and worrying about! And never mind the fact that, when the marketing hits the fan, a dead-end schlub earning jack-all to do boring work counts as a Professional(tm) if he is wearing a tie with two or fewer stains!
Seriously. Ok, employees are obviously a potential security risk, they are the ones who have legitimate access to the gates and the keys, of course there is a risk. And, in some cases, you'll get genuinely bad apples, sociopaths, paranoiacs with bizarre persecution complexes, Fred in accounting with the gambling problem, etc. In most cases, though, you are basically just dealing with people. And people will be a lot happier, more productive, and less dangerous if you spend less money on orwellian surveillance consultants and more on them. Does anybody seriously think that an office full of bitter, resentful employees, even under the all-seeing-eye of your consultants is less of a security risk than an office full of more or less satisfied people, with standard, basic, procedures in place (particularly given that, in a lot of cases, somebody with basically no assets can do damage that cannot be repaired and costs more than they could ever repay, even if the lawsuit goes well)?
Good point. I'll add that it doesn't take pay cuts to motivate crime of this nature.
Employees who feel their jobs becoming less secure may decide to take out an insurance policy while they still have access to the important data.
Regardless of how you treat your employees, regardless of how secure their jobs are, in a crappy economy they may feel that their jobs are insecure, and that may lead them to the dark side.
Having good security standards and processes will lessen your exposure. Maintaining employee morale will lessen your exposure. In the end, though, as long as one person has access to critical data, there is risk of the data being misused.
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
(1) view employees purely as resources (about on level with the printers and the staples)
(2) use every possible means to make their job manageable for the Human Resources department (which is shorthand for "define all tasks in such a way that every individual is instantly plug-replaceable by (a) your average worker in the job market with his job title and (b) any of his colleagues, actively remove any individuality, and rather waste someone's talents than allow him to enrich his job")
(3) use HRM to "Dynamically contribute to optimization of enterprise processes and results" (translation: hire people when they are marginally qualified for their job and let their colleagues educate them, fire 'em the instant they become overqualified and aren't immediately placeable in a higher function, or if they show signs of becoming tired, bored, jaded, cynical, or if they catch on to what Human Resource Management really means for them)
(4) use an elaborate system of "who reports to whom", physical access checks and "security" guards, to ensure that people are total strangers in the company they work for with the sole exception of the department they work in (this enhances "security")
(5) determine scientifically that your employees may spontaneously become disgruntled and hostile towards the company they work for (or after being fired)
(6) determine that the company urgently needs to protect itself from the consequences of its employees becoming disgruntled and hostile
(7) further plan employees' jobs and tighten "security" so that the amount of damage any disgruntled individual below the rank of executive can do is reduced to an acceptable minimum.
The final step (8) is to spend good money to outsource security and workflow monitoring to establish tight restrictions on what employees can mess up before being physically apprehended. Outside firms have nice glossy brochures that provide your board with plenty of reasons why employees should be treated as detainees rather than as collaborators. Recommending specialized outside firms to cover specific areas of employee containment definitively establishes you as a savvy and professional manager (and keeps you in line for that end-year performance bonus).
On the other hand, the suggestion of actually treating employees as if they were collaborators confuses simple PR slogans meant for glossy company brochures with actual management. Expecting people to behave civilly when treated like people is naive in the extreme and something no manager with an ounce of professionalism should sully himself with.
Recognize this mindset? I foresee that work-flow monitoring will become a growth industry.
This reads like something written by someone trying to justify even higher pay for CEOs and Execs who are already too highly paid.
Seriously, your risk factor decreases the less pay you give your senior staff and the more employees think they are valued as contributing to the company, instead of wage serfs that work for the Pharaoh (oops, CEO).
I've had senior execs ask me to destroy data that shouldn't be destroyed - and I've made sure it got copied. A lawyer would say I stole the data - a smart tech would realize I was trying to keep it safe from management incompetence.
-- Tigger warning: This post may contain tiggers! --