News
7/15/2007 08:20 PM

The Threat Within: Employees Pose The Biggest Security Risk

Put simply, the end user is the biggest issue when it comes to IT security, says Mark Loveless, white-hat hacker who goes by the handle "Simple Nomad."

It's a concern echoed throughout InformationWeek Research's 10th annual Global Information Security survey, conducted with consulting firm Accenture. Survey results indicate that simply educating employees and partners about a company's security policies isn't sufficient to keep generally honest people from letting customer information leak out through e-mails, instant messages, and peer-to-peer networks. While the No. 1 tactical security priority for U.S. companies in 2007, according to 37% of respondents, is creating and enhancing user awareness of policies, this is down from 42% in 2006.

"They'll click on anything, and if anything slows them down, they'll short cut it," said Loveless, whose day job is as a senior security researcher with network security provider Vernier Networks, in an interview. "End users are given massively complex systems with a happy interface over it, and to make it easy for them to do their job, a lot of the controls are disabled or nonexistent.

"The problem is that you have a sophisticated attack vector, Windows, that they're all using, so you have commonality," he said. "From an attacker's standpoint, it's great. If I develop a Windows exploit all I have to do is get one of these users to click on it."

And, even when users aren't making such obvious mistakes, they're still sitting ducks for attackers looking to exploit the user's lack of knowledge of how their computers work. Loveless once worked for a company that brought most of its employees to attend a major software conference. "Because it was such a big deal, some of the people were issued loaner laptops to use so they could work at the show," he said. "Unfortunately, some of these loaner laptops were missing security upgrades. When the users logged on to the public IP addresses with these under-patched machines, we were seeing three or four attacks against them simultaneously. We're talking active attempts to run an exploit against these systems. One of the laptops was owned within 10 minutes."

Loveless and his team were able to kick off the attackers and then hastily erect a firewall to protect the laptops. But it was a classic example of an end user not realizing the security dangers they faced in a hostile environment like a hotel network.

Of course, Loveless said, it's not always the end user's fault, not even in the example he provided. Users are being handed a piece of equipment that wields tremendous power and, at the same time, has tremendous vulnerabilities and lots of enemies. "The upper hand belongs entirely to the bad guys," he said. "They have unlimited time and unlimited resources to do these things."

Unfortunately, there's no easy way to keep users from becoming their own worst enemy. Loveless suggested starting off small when it comes to user security training and moving slowly. "One thing to do is teach the user one thing per year. Spend your budget teaching (and reminding) them to write good passwords and to protect those passwords. The next year, focus on e-mail attachments."

Of the U.S. respondents who say their companies monitor employee activities, 51% monitor e-mail use, 40% monitor Web use, and 35% monitor phone use, roughly consistent with last year's findings. However, other sources of data leakage are given less attention: Only 29% monitor instant messaging use, 22% the opening of e-mail attachments, and 20% the contents of outbound e-mail messages. And only a handful keep a close eye on the use of portable storage devices.

Only 19% of respondents say that security technology and policy training will have a significant impact on alleviating employee-based security breaches, the same percentage as last year.

Behind the scenes, IT security pros need to make sure security measures are automated and proactive, Loveless said. Don't rely on the users to protect themselves. And never forget, "whenever a box pops up on the screen, a user will click 'OK' because that makes the box go away," he added. It's this kind of mentality that ensures security pros will always have a job.
