Our advice: It was bound to happen sooner or later. The people who are mounting these "phishing" campaigns are interested in acquiring sensitive consumer information for nefarious purposes. Think of the new attacks as a form of credit-card fraud on a massive scale. Now that serious business is transacted on the Web and there's money to be made, the criminal element eventually was going to start exploiting the vulnerabilities of the medium. Until recently, most of the holes were found and patches made available before there were any organized attacks, but that was more luck than foresight on the part of the computer security community. The user community usually hasn't been so well-prepared. The latest attacks represent a more worrisome trend.
In the end it's a race between the crackers and everyone else. Yes, Internet Explorer is full of vulnerabilities that criminal elements are actively exploiting, but switching to an alternate browser just to avoid the current set of security holes won't solve your security problem. Investing in some top-quality security systems, good staff training, and clear escalation procedures when the attacks do come will protect you far better than disrupting your entire staff by moving to another browser.
-- Beth Cohen
Question C: How do we keep sensitive information from walking out the door on high-capacity, thumb-size USB storage devices?
Our advice: This problem isn't a new one. Companies have always had to deal with the challenge of the loss of sensitive data, whether in the form of handwritten notes, printed material, downloaded data, diskette copies, E-mailed information, or burned CDs. What's new about this challenge, however, is that it has become progressively easier for a disgruntled worker to deliberately, or for a nondisgruntled worker to accidentally, take larger quantities of valuable information, such as design sheets, customer records, or employee information, and pass it along to competitors, suppliers, and others.
From a people perspective, the key lies in developing a culture where information is respected and data is considered sacrosanct, and communicating the importance of adhering to strict intellectual-property protection policies. Instituting a whistleblower-protection program will help bring to the attention of senior management possible unscrupulous or underhanded dealings of employees with possible competitors, vendors, and the like.
From a physical security perspective, it's possible to do random bag-checks and other forms of screening for such devices as diskettes, CDs, and thumb-size USB storage devices. However, the biggest challenge with this is that in a typical organization it isn't possible to screen everyone who enters and leaves, and many employees and visitors will likely find it offensive that management resorted to such distasteful measures. This will be perceived (correctly) as mistrust and will likely result in causing some workers to become disgruntled and thereby find innovative means of getting information out. In addition, it's virtually impossible to train the security staff in all the new USB storage devices that are entering the market, such as executive storage pens, storage watches, and Swiss Army drives.
From an information-security perspective, the organization needs to be cognizant and careful about granting access to sensitive pieces of information to employees. Access to design specifications, data sheets, customer records, and employee information is best kept limited to those whose jobs require them to have it. Others must be locked out of such data using information-security policies and procedures such as system passwords, database security, and application security. The likelihood of data pilferage declines substantially when one or more of these methods is put into place in an organization.
Finally, from a legal perspective, how does the company protect itself in the event of the loss of such data? This boils down to the intellectual-property protection policies that the organization has put in place through patents, trademarks, and copyrights, as well as the legal protection the company has in terms of confidentiality agreements and privacy policies. Ideally, an organization wouldn't need to resort to such measures as taking legal action against an employee. However, should the need arise, the organization is better off taking action sooner rather than later.
-- Sanjay Anand
David Foote, TAC Thought Leader, has more than 20 years of experience in technology, including 13 years as an analyst and consultant at Gartner, Meta Group, and Foote Partners, where he's co-founder, president, and chief research officer. His specialties include a range of private and public-sector IT management practices and workforce trends, offshore sourcing and strategic resource management, enterprise project delivery, organizational transition and transformation, and IT compensation. His editorial opinion columns, articles, and contributions appear in a variety of business, IT, and HR publications, and he appears on radio, television, and global Webcasts.
Beth Cohen, TAC Thought Leader, has more than 20 years of experience building strong IT-delivery organizations from user and vendor perspectives. Having worked as a technologist for BBN, the company that literally invented the Internet, she not only knows where technology is today but where it's heading in the future.
Sanjay Anand, TAC Expert, has more than 20 years of IT and business-process-management experience as a strategic adviser, certified consultant, professional speaker, and published author. More than 100 personal clients, both large and small, have included companies from an array of industries and geographies, from academia to technology. He's often referred to as a "consultant's consultant" for his training and mentoring skills. He was the creator of Asia's first best-selling computer-assisted learning software package at the age of 17.