The Threat Within: Employees Pose The Biggest Security Risk - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


The Threat Within: Employees Pose The Biggest Security Risk

The No. 1 tactical security priority for U.S. companies in 2007, according to 37% of respondents, is creating and enhancing user awareness of policies. But this is down from 42% in 2006.

Put simply, the end user is the biggest issue when it comes to IT security, says Mark Loveless, white-hat hacker who goes by the handle "Simple Nomad."

It's a concern echoed throughout InformationWeek Research's 10th annual Global Information Security survey, conducted with consulting firm Accenture. Survey results indicate that simply educating employees and partners about a company's security policies isn't sufficient to keep generally honest people from letting customer information leak out through e-mails, instant messages, and peer-to-peer networks. While the No. 1 tactical security priority for U.S. companies in 2007, according to 37% of respondents, is creating and enhancing user awareness of policies, this is down from 42% in 2006.

"They'll click on anything, and if anything slows them down, they'll short cut it," said Loveless, whose day job is as a senior security researcher with network security provider Vernier Networks, in an interview. "End users are given massively complex systems with a happy interface over it, and to make it easy for them to do their job, a lot of the controls are disabled or nonexistent.

"The problem is that you have a sophisticated attack vector, Windows, that they're all using, so you have commonality," he said. "From an attacker's standpoint, it's great. If I develop a Windows exploit all I have to do is get one of these users to click on it."

And, even when users aren't making such obvious mistakes, they're still sitting ducks for attackers looking to exploit the user's lack of knowledge of how their computers work. Loveless once worked for a company that brought most of its employees to attend a major software conference. "Because it was such a big deal, some of the people were issued loaner laptops to use so they could work at the show," he said. "Unfortunately, some of these loaner laptops were missing security upgrades. When the users logged on to the public IP addresses with these under-patched machines, we were seeing three or four attacks against them simultaneously. We're talking active attempts to run an exploit against these systems. One of the laptops was owned within 10 minutes."

Loveless and his team were able to kick off the attackers and then hastily erect a firewall to protect the laptops. But it was a classic example of an end user not realizing the security dangers they faced in a hostile environment like a hotel network.

Of course, Loveless said, it's not always the end user's fault, not even in the example he provided. Users are being handed a piece of equipment that wields tremendous power and, at the same time, has tremendous vulnerabilities and lots of enemies. "The upper hand belongs entirely to the bad guys," he said. "They have unlimited time and unlimited resources to do these things."

Unfortunately, there's no easy way to keep users from becoming their own worst enemy. Loveless suggested starting off small when it comes to user security training and moving slowly. "One thing to do is teach the user one thing per year. Spend your budget teaching (and reminding) them to write good passwords and to protect those passwords. The next year, focus on e-mail attachments."

Of the U.S. respondents who say their companies monitor employee activities, 51% monitor e-mail use, 40% monitor Web use, and 35% monitor phone use, roughly consistent with last year's findings. However, other sources of data leakage are given less attention: Only 29% monitor instant messaging use, 22% the opening of e-mail attachments, and 20% the contents of outbound e-mail messages. And only a handful keep a close eye on the use of portable storage devices.

Only 19% of respondents say that security technology and policy training will have a significant impact on alleviating employee-based security breaches, the same percentage as last year.

Behind the scenes, IT security pros need to make sure security measures are automated and proactive, Loveless said. Don't rely on the users to protect themselves. And never forget, "whenever a box pops up on the screen, a user will click 'OK' because the makes the box goes away," he added. It's this kind of mentality that ensures security pros will always have a job.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
8 AI Trends in Today's Big Enterprise
Jessica Davis, Senior Editor, Enterprise Apps,  9/11/2019
IT Careers: 10 Places to Look for Great Developers
Cynthia Harvey, Freelance Journalist, InformationWeek,  9/4/2019
Cloud 2.0: A New Era for Public Cloud
Crystal Bedell, Technology Writer,  9/1/2019
Register for InformationWeek Newsletters
Current Issue
Data Science and AI in the Fast Lane
This IT Trend Report will help you gain insight into how quickly and dramatically data science is influencing how enterprises are managed and where they will derive business success. Read the report today!
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll