Employees the Next (Continuing) Big Security Risk?

surely_you_cant_be_serious writes "A nationwide survey finds that most companies consider their systems vulnerable to attack. Historically, crime rates increase during recessions — and some believe that cybercrime may well follow suit, especially given massive layoffs and the dim prospects many laid-off employees face in finding a new job. 'One thing companies can start doing is monitoring their networks on an ongoing basis so that they understand the normal pattern of data flow and usage, Brill said. In many cases, companies may not have the internal capability to do this, but outsourcing options are available. Kroll Ontrack, for instance, will be rolling out a 24/7 monitoring service for its global clients manned from a US location by professionals in early 2009.'"

Duh?

[eln]

Summary of story:

1.) Crime goes up when the economy goes into the tank and people start losing their jobs. Shocking, I know.
2.) There are plenty of security companies willing to scare your pants off in order to sell you expensive monitoring services. They will gladly use the statistic above to those ends.

Oh yah, and we'll throw a "cyber" prefix in front of "crime" to make this look like something new and different.

Re:Duh?

[qbzzt]

Exactly. It makes sense that crime by unemployed people goes up in a recession. But the main risk in a company's systems being hacked by insiders. If you have an effective termination process, which includes revoking access, laid off ex-employees are no longer insiders.

However, I'm sure this kind of service is important for some companies, such as Kroll Ontrack, to survive the recession.

Re:Duh?

[Anthony_Cargile]

Well the article does not say Ex-employees, so that means we should also consider employees still part of the "team" (as my manager puts it).

In a recession, somebody employed yet still enduring paycuts would probably be somewhat disgruntled too, even if not "terminated" per se (but with terminations all around said employee, or the looming fear of termination imminent). An employee with access to something worth anything would still be able to take it and run, and the possibility of him/her doing so in a recesssion/depression with constant paycuts and the constant threat of layoff is rather high, so this is where it gets hairy - how much do you trust your fellow employees? You can't cut present employees' access!

Well, now that I've struck fear into the heart of any employers/administrators reading this, I don't think this recession is quite to that point yet, but it may be something to watch down the road if things keep getting progressively worse.

Re:Duh?

[Red+Flayer]

Good point. I'll add that it doesn't take pay cuts to motivate crime of this nature.

Employees who feel their jobs becoming less secure may decide to take out an insurance policy while they still have access to the important data.

Regardless of how you treat your employees, regardless of how secure their jobs are, in a crappy economy they may feel that their jobs are insecure, and that may lead them to the dark side.

Having good security standards and processes will lessen your exposure. Maintaining employee morale will lessen your exposure. In the end, though, as long as one person has access to critical data, there is risk of the data being misused.

crime also goes up

[thermian]

when employees think their employer is treating them like criminals with little more than dubious and extremely general statistics for proof.

Its amazing how fast people will start breaking the rules if you start on the premise that they already are, and treat them accordingly.

Re:crime also goes up

[Chris+Burke]

Maybe in some cases, but I actually commit less crime when my company treats me like a criminal, since I figure I don't need to work as hard to get the point across anymore.

Re:crime also goes up

[nine-times]

That might be true, but regardless it has always been true that employees have been one of the big security risks for businesses. In one way of dividing things up, security basically falls into two categories: denying access to people who shouldn't have access and preventing those who have access from abusing their access.

Think about a bank, for example. Protecting against bank robberies is one kind of security problem, but it's not really the hardest thing to do. You put things in a vault, lock the vault, install an alarm, hire security guards, etc. The trickier issue is that you have all these employees with access to the money, and if there are no security measures, it wouldn't be hard for a teller to pocket a hundred dollars every now and then. So banks have procedures where the tellers have to do account for the money in their drawers at the end of the day (or whatever the particular procedure is).

So computer security isn't really much different. Instead of vaults and locks and security guards, we have encryption and firewalls and antiviruses. Protecting against external threats isn't really that hard a lot of the time. Most of the time, the biggest dangers are either directly or indirectly from employees. It's a very tricky security issue to deal with, since you can't "plug the hole"-- employees are *supposed* to have access.

And when I talk about dangers that come "indirectly from employees", I mean that they might be the source of a breach even if they aren't themselves criminal or dishonest. I've heard hackers say that often social engineering (i.e. getting an authorized employee to give you access) is easier than actually exploiting any security holes.

Besides the danger of purposeful social engineering attacks, employee carelessness can also leave you exposed. People often choose bad passwords in spite of good password policies, i.e. just because you make them use a 10 character combination of letters/numbers/symbols doesn't mean they won't choose a password that's easy to guess (Passw0rd!!). Also people do things like access a secure webpage in an Internet cafe computer (which might have keyloggers installed for all anyone knows) and then walk out without closing or logging out, or put highly sensitive data on a usb stick and lose it somewhere. Sometimes employees even go through a lot of trouble to pierce their company's security (for example, in order to get Kazaa working inside the firewall) and effectively open a hole to potential hackers, too.

So overall, yes, employees are a big potential danger to securing your data. A criminally inclined employee can cause lots of damage, but so can a careless one.

Re:crime also goes up

[Belial6]

Sometimes employees even go through a lot of trouble to pierce their company's security (for example, in order to get Kazaa working inside the firewall) and effectively open a hole to potential hackers, too.

Companies could go a long way in avoiding this kind of behavior if they didn't fall for the false dichotomy of "Access to everything" and "Work is supposed to suck". I know you didn't say it, but these kinds of articles always bring out the admins that recommend that every machine should be locked down to the point of basically being a kiosk often actually preventing people from doing their job, and rationalize that since "it's the companies" computer, it cannot be used to make work a place people want to go.

This always gives me images of the bad boss from 9 to 5. After all, how much different is it for a real live admin to tell an office worker that they can't have a picture of their family on their desktop than the fictional manager who told the characters in the movie that they cannot have pictures of their family on their... desktop?

Businesses regularly spend money to try to make their business a 'good place to work'. There is a huge amount of safe area between "full access to anything" and "treat it like a bank vault". The PC is one of the least expensive ways to improve a work environment. A $2 set of headphones, or even just making sure that the CD drive can play music and let the employee bring their own headphones goes a long way to improving a work environment. Heck, have the admins 'certify' a safe CD ripping app, and you are less likely to have people downloading random rippers from who knows where.

Most people are going to respect "Music must be ripped using THIS easy to use software so that we can secure against viruses." a lot more than "Music is not allowed in our company". If you take the later route, you have a much higher risk of employees just ignoring the rules and going with Kazaa. Heck, the people that feel they MUST get music from Kazaa will still be safer in that they are more likely to do the downloading from home, and sanitize the files by first converting them to standard CD format, before bringing them to work and re-ripping them.

Instead of trying to prevent employees from accessing the internet, give them access to virtual machines that have no access to the company network. This makes the path of least resistance be not being a security risk, instead of encouraging people to try and circumvent the companies security AND making work a crappy place to be.

Employee's were the first security risk

[Freaky+Spook]

People have been around long before computers, and have always been the biggest risk to business.

Computers have just made it easier for employee's to do more damage, either through malicious intent or just plain negligence.

Having many SMB clients where cost is always placed over security, its scary just how vulnerable many businesses are to their employee's, from even ignoring the most basic security steps like using ACL's to secure files and basic auditing of file access, or even implementing basic password policies like "Do not give your password, to anyone, ever!"

First OnKrack

[Ethanol-fueled]

Did anybody else read "Kroll Ontrack" in the summary as "Troll OnKrack"? Seems to describe the people who would buy that crap as well as the users who necessitate it.

Trust

[drooling-dog]

Kroll Ontrack, for instance, will be rolling out a 24/7 monitoring service for its global clients manned from a US location by professionals in early 2009.

It's a good thing that Knoll Ontrack's employees are all totally uncorruptable, unlike the felons that must work for their clients...

Obviously the right answer...

[afrop]

You're concerned that your employees or former employees will attempt to exploit their insider status to commit crimes against you. The most natural and obvious answer is to hire an entirely separate company, with a whole additional set of employees, and give them insider access to your network.

A back-to-front mentality

[golodh]

The opening post breathes a mentality which seems to pervade US firms. It runs approximately as follows:

(1) view employees purely as resources (about on level with the printers and the staples)

(2) use every possible means to make their job manageable for the Human Resources department (which is shorthand "define all tasks in such a way that every individual instantly plug-replaceable by (a) your average worker in the job market with his job title and (b) any of his colleagues, actively remove any individuality, and rather waste someone's talents than allow him to enrich his job")

(3) use HRM to "Dynamically contribute to optimization of enterprise processes and results" (translation: hire people when they are marginally qualified for their job and let their colleagues educate them, fire 'em the instant they become overqualified and aren't immediately placeable in a higher function, or if they show signs of become tired, bored, jaded, cynical, or if they catch on to what Human Resource Management really means for them)

(4) use an elaborate system of "who reports to whom", physical access checks and "security" guards, to ensure that people are total strangers in the company they work for with the sole exception of the department they work (this enhances "security")

(5) determine scientifically that your employees may spontaneously become disgruntled and hostile towards the company they work for (or after being fired)

(6) determine that the company urgently needs to protect itself from the consequences of its employees becoming disgruntled and hostile

(7) further plan employees jobs and tighten "security" so that the amount of damage any disgruntled individual below the rank of executive can do is reduced to an acceptable minimum.

The final step (8) is to spend good money to outsource security and workflow monitoring to establish tight restrictions on what employees can mess up before being physically apprehended. Outside firms have nice glossy brochures that provide your board with plenty of reasons why employees should be treated as detainees rather than as collaborators. Recommending specialized outside firms to cover specific areas of employee containment definitively establishes you as a savvy and professional manager (and keeps you in line for that end-year performance bonus).

On the other hand, the suggestion of actually treating employees as if they were collaborators confuses simple PR slogans meant for glossy company brochures with actual management. Expecting people to behave civilly when treated like people is naive in the extreme and something no manager with an ounce of professionalism should sully himself with.

Recognize this mindset? I foresee that work-flow monitoring will become a growth industry.

Kevin Mitnik is correct

[Orion+Blastar]

the weakest link in any computer security are human beings.

I remember reading how some AOL employee took 26 CD-R disks, each one filled with a letter of the alphabet of data tables of AOL customers with phone numbers, addresses, bank accounts, and credit card numbers and passwords. He tried to sell it for millions but got busted by the FBI.

When I worked for a law firm, there was a department called Litigation Support that changed its name to Technology Services and competed with Information Systems. I was the main developer on a lot of software programs. My machine kept blue screening and crashing, and I installed Black Ice because it looked like someone was sending me the ping of death and ping floods. Black Ice traced the attacks to Technology Services PC systems. When I reported the fact to my boss, he told me to take Black Ice off my system. Then it started crashing again. Eventually it stopped, but I had missed a few deadlines because my computer would crash or freeze up or lose the network connection, and it wasted my time trying to develop programs. Later on I got a bad performance review, but my boss refused to listen to me about hacker type attacks from TS directed at my IP address, despite the proof I had from Black Ice logs. Apparently I think my boss was in on the sabotage because I earned too much money and they wanted an excuse to get rid of me. It really stressed me out, and I had to go on short-term disability and had to suffer from emotional and psychological abuse from coworkers and managers. I developed schizoaffective disorder, and once I came back to work, two weeks later I was fired for being sick on the job. But it all started with denial of service attacks on my IP address.