Guarding Against the Threat from Within
You’ve installed protective software, adjusted your hardware, and developed a range of new office policies, all in the name of protecting your computer networks and systems from hackers, phishers, and scammers. Externally, your system seems protected.
But what are you doing to prevent an inside job? Do outgoing or disgruntled employees, or on-site contractors, have too much access to your company’s top-secret data?
The answer could well be yes. According to a March 2006 Enterprise Strategy Group survey of 227 IT professionals, “employees and on-site contractors were cited as the most likely threat to confidential data security.” They even outranked concerns over off-shore outsourcers and random hackers. A separate 2005 study by PriceWaterhouseCoopers found that 33 percent of all security breaches involved current employees, and another 28 percent involved former employees or former partners.
And the stakes are high: According to those surveyed, up to 50 percent of the data used in their offices could be considered confidential.
The survey warned that while many companies use gateway filtering technologies to protect their network perimeter, they are much less likely to have adopted access controls and other policies to protect their systems from within.
What can your company do to protect itself inside and out? For answers, IncTechnology.com looked up Kevin Mitnick, the former hacker-turned-IT security consultant. Mitnick, who served jail time in the 1990s for illegally gaining access to computer networks, now runs his own small business, Mitnick Security LLC, in Las Vegas, Nev., and helps firms address IT security problems.
Have a plan
The first step is to create a company-wide policy. Ideally, this policy should include “physical, technical, and human factor elements,” says Mitnick. For example, terminated employees should immediately lose access to not only the physical office, but to the computer network as well.
Develop access controls
In smaller businesses in particular, almost anyone in the company can access any data they choose. Eliminate this risk by setting up internal firewalls, Mitnick says, “so that sales people can’t access the payroll.” Through the operating system, set restrictive permissions on sensitive files and directories, and allow only select employees access to them.
Keep your OS up to date
Mitnick notes that a lot of companies, especially smaller ones on a budget, don’t update their computer operating systems often enough. “I’ve seen businesses still using Windows 2000,” he says. The newer systems, especially Vista, have better access-control options.
New password policies
Don’t let employees share passwords, Mitnick warns. “And don’t post passwords on Post-it notes in your office,” he adds. In fact, for very small offices with fewer than 20 employees, Mitnick recommends that all employees change their passwords every time a person leaves the company. Larger companies might consider changing passwords periodically, or requiring additional passwords for sensitive information. Whether passwords get changed or not, however, terminated employees should lose their access to the network immediately.
Monitor employee computer use
If an employee has put in notice to leave the company -- on pleasant terms or not -- your IT staff should start watching their computer habits. “Most employees take work product,” says Mitnick. IT staff should watch for e-mails the employee might be sending him or herself, e-mails that the employee’s friends within the company might be sending to them, or downloads to CDs, DVDs, or iPods. In addition, companies should block employee access to free storage sites, such as Yahoo’s Briefcase, notes securityinfowatch.com.
Seek out help
If your business, or simply your IT department, is too small to handle this type of project, consider hiring a consultant or VAR to help put a system in place, says Mitnick. With luck, taking these steps will help you to protect your computer networks inside and out.