Employees the Next (Continuing) Big Security Risk?

Posted by ScuttleMonkey on Mon Jan 05, 2009 06:30 PM
from the not-if-you-treat-them-right dept.
surely_you_cant_be_serious writes "A nationwide survey finds that most companies consider their systems vulnerable to attack. Historically, crime rates increase during recessions — and some believe that cybercrime may well follow suit, especially given massive layoffs and the dim prospects many laid-off employees face in finding a new job. 'One thing companies can start doing is monitoring their networks on an ongoing basis so that they understand the normal pattern of data flow and usage, Brill said. In many cases, companies may not have the internal capability to do this, but outsourcing options are available. Kroll Ontrack, for instance, will be rolling out a 24/7 monitoring service for its global clients manned from a US location by professionals in early 2009.'"

  • Duh? (Score:5, Informative)

    by eln (21727) on Monday January 05 2009, @06:34PM (#26336323) Homepage

    Summary of story:

    1.) Crime goes up when the economy goes into the tank and people start losing their jobs. Shocking, I know.
    2.) There are plenty of security companies willing to scare your pants off in order to sell you expensive monitoring services. They will gladly use the statistic above to those ends.

    Oh yah, and we'll throw a "cyber" prefix in front of "crime" to make this look like something new and different.

    • Re:Duh? (Score:5, Insightful)

      by qbzzt (11136) on Monday January 05 2009, @06:40PM (#26336409)

      Exactly. It makes sense that crime by unemployed people goes up in a recession. But the main risk is a company's systems being hacked by insiders. If you have an effective termination process, which includes revoking access, laid-off ex-employees are no longer insiders.

      However, I'm sure this kind of service is important for some companies, such as Kroll Ontrack, to survive the recession.

      • Re: (Score:3, Insightful)

        Well... revoking access is hypothetically a no-brainer. ("Hypothetically" because it's still shockingly uncommon.)

        But a former insider may still know enough about your environment to make an extremely effective blackhat. Not much you can do about that without using a big hammer, a la Catbert, to remove your employee's detailed knowledge before escorting him/her out.

      • Re:Duh? (Score:5, Insightful)

        by Anthony_Cargile (1336739) on Monday January 05 2009, @07:11PM (#26336739) Homepage
        Well, the article does not say ex-employees, so that means we should also consider employees still part of the "team" (as my manager puts it).

        In a recession, somebody employed yet still enduring pay cuts would probably be somewhat disgruntled too, even if not "terminated" per se (but with terminations all around said employee, or the looming fear of termination imminent). An employee with access to something worth anything would still be able to take it and run, and the possibility of him/her doing so in a recession/depression with constant pay cuts and the constant threat of layoff is rather high, so this is where it gets hairy - how much do you trust your fellow employees? You can't cut present employees' access!

        Well, now that I've struck fear into the heart of any employers/administrators reading this, I don't think this recession is quite to that point yet, but it may be something to watch down the road if things keep getting progressively worse.
        • Re:Duh? (Score:5, Insightful)

          by Red Flayer (890720) on Monday January 05 2009, @07:22PM (#26336851) Journal
          Good point. I'll add that it doesn't take pay cuts to motivate crime of this nature.

          Employees who feel their jobs becoming less secure may decide to take out an insurance policy while they still have access to the important data.

          Regardless of how you treat your employees, regardless of how secure their jobs are, in a crappy economy they may feel that their jobs are insecure, and that may lead them to the dark side.

          Having good security standards and processes will lessen your exposure. Maintaining employee morale will lessen your exposure. In the end, though, as long as one person has access to critical data, there is risk of the data being misused.
  • crime also goes up (Score:5, Insightful)

    by thermian (1267986) on Monday January 05 2009, @06:36PM (#26336351)

    when employees think their employer is treating them like criminals with little more than dubious and extremely general statistics for proof.

    It's amazing how fast people will start breaking the rules if you start on the premise that they already are, and treat them accordingly.

    • by Chris Burke (6130) on Monday January 05 2009, @06:43PM (#26336439) Homepage

      Maybe in some cases, but I actually commit less crime when my company treats me like a criminal, since I figure I don't need to work as hard to get the point across anymore.

    • by nine-times (778537) <nine.times@gmail.com> on Monday January 05 2009, @07:17PM (#26336803) Homepage

      That might be true, but regardless it has always been true that employees have been one of the big security risks for businesses. In one way of dividing things up, security basically falls into two categories: denying access to people who shouldn't have access and preventing those who have access from abusing their access.

      Think about a bank, for example. Protecting against bank robberies is one kind of security problem, but it's not really the hardest thing to do. You put things in a vault, lock the vault, install an alarm, hire security guards, etc. The trickier issue is that you have all these employees with access to the money, and if there are no security measures, it wouldn't be hard for a teller to pocket a hundred dollars every now and then. So banks have procedures where the tellers have to account for the money in their drawers at the end of the day (or whatever the particular procedure is).

      So computer security isn't really much different. Instead of vaults and locks and security guards, we have encryption and firewalls and antiviruses. Protecting against external threats isn't really that hard a lot of the time. Most of the time, the biggest dangers are either directly or indirectly from employees. It's a very tricky security issue to deal with, since you can't "plug the hole"-- employees are *supposed* to have access.

      And when I talk about dangers that come "indirectly from employees", I mean that they might be the source of a breach even if they aren't themselves criminal or dishonest. I've heard hackers say that often social engineering (i.e. getting an authorized employee to give you access) is easier than actually exploiting any security holes.

      Besides the danger of purposeful social engineering attacks, employee carelessness can also leave you exposed. People often choose bad passwords in spite of good password policies, i.e. just because you make them use a 10 character combination of letters/numbers/symbols doesn't mean they won't choose a password that's easy to guess (Passw0rd!!). Also people do things like access a secure webpage on an Internet cafe computer (which might have keyloggers installed for all anyone knows) and then walk out without closing or logging out, or put highly sensitive data on a USB stick and lose it somewhere. Sometimes employees even go through a lot of trouble to pierce their company's security (for example, in order to get Kazaa working inside the firewall) and effectively open a hole to potential hackers, too.

      So overall, yes, employees are a big potential danger to securing your data. A criminally inclined employee can cause lots of damage, but so can a careless one.
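The "Passw0rd!!" point in the comment above, as an added example (not code from the thread): a checker that enforces the composition rule nine-times describes, beside one that strips digit/symbol padding and undoes common substitutions before consulting a denylist. The denylist and the substitution table are constructed for the example; a real deployment would use a large breached-password list.

```python
import string

# Constructed stand-in for a breached-password list (real ones hold millions of entries).
COMMON_BASES = {"password", "welcome", "letmein", "qwerty", "company", "summer"}

# Substitutions people use to satisfy digit/symbol rules without changing the word.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def passes_composition_policy(pw: str) -> bool:
    """The rule from the thread: 10+ characters with upper, lower, digit and symbol."""
    return (len(pw) >= 10
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def normalise(pw: str) -> str:
    """Strip digit/symbol padding from both ends, undo leetspeak, lower-case.
    'Passw0rd!!' -> 'password', 'Welcome2009!' -> 'welcome'."""
    core = pw.strip(string.punctuation + string.digits)
    return core.translate(LEET_MAP).lower()


def is_guessable(pw: str) -> bool:
    """True when the normalised core is a denylisted word, or so short that the
    password is just padding around a weak stem."""
    base = normalise(pw)
    return base in COMMON_BASES or len(base) < 6


def evaluate(pw: str) -> dict:
    """Both verdicts side by side, so the gap between them is visible."""
    return {"policy_ok": passes_composition_policy(pw),
            "guessable": is_guessable(pw)}


if __name__ == "__main__":
    for candidate in ("Passw0rd!!", "Welcome2009!", "cL9#vTq2mR!x"):
        print(candidate, evaluate(candidate))
```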

      • by Belial6 (794905) on Monday January 05 2009, @08:09PM (#26337369) Homepage

        Sometimes employees even go through a lot of trouble to pierce their company's security (for example, in order to get Kazaa working inside the firewall) and effectively open a hole to potential hackers, too.

        Companies could go a long way in avoiding this kind of behavior if they didn't fall for the false dichotomy of "Access to everything" and "Work is supposed to suck". I know you didn't say it, but these kinds of articles always bring out the admins that recommend that every machine should be locked down to the point of basically being a kiosk, often actually preventing people from doing their job, and rationalize that since "it's the company's" computer, it cannot be used to make work a place people want to go.

        This always gives me images of the bad boss from 9 to 5. After all, how much different is it for a real live admin to tell an office worker that they can't have a picture of their family on their desktop than the fictional manager who told the characters in the movie that they cannot have pictures of their family on their... desktop?

        Businesses regularly spend money to try to make their business a 'good place to work'. There is a huge amount of safe area between "full access to anything" and "treat it like a bank vault". The PC is one of the least expensive ways to improve a work environment. A $2 set of headphones, or even just making sure that the CD drive can play music and let the employee bring their own headphones goes a long way to improving a work environment. Heck, have the admins 'certify' a safe CD ripping app, and you are less likely to have people downloading random rippers from who knows where.

        Most people are going to respect "Music must be ripped using THIS easy to use software so that we can secure against viruses." a lot more than "Music is not allowed in our company". If you take the latter route, you have a much higher risk of employees just ignoring the rules and going with Kazaa. Heck, the people that feel they MUST get music from Kazaa will still be safer in that they are more likely to do the downloading from home, and sanitize the files by first converting them to standard CD format, before bringing them to work and re-ripping them.

        Instead of trying to prevent employees from accessing the internet, give them access to virtual machines that have no access to the company network. This makes the path of least resistance be not being a security risk, instead of encouraging people to try and circumvent the company's security AND making work a crappy place to be.

        • Most people are going to respect "Music must be ripped using THIS easy to use software so that we can secure against viruses." a lot more than "Music is not allowed in our company".

          You know, you could just allow iPods - you could even hand out nanos as an onboarding gift. Solves the ripping problem nicely.

      • People often choose bad passwords in spite of good password policies, i.e. just because you make them use a 10 character combination of letters/numbers/symbols doesn't mean they won't choose a password that's easy to guess (Passw0rd!!).

        Thanks a lot, jerk. Now I'll have to change my password after you leaked it all over the net.

    • Re: (Score:3, Interesting)

      It's amazing how fast people will start breaking the rules if you start on the premise that they already are, and treat them accordingly.

      You mean like the **AA and their minions do? Or, for that matter, the way Redmond does with its WGA? Or, just maybe, the way the TSA does at the airport?

  • Duh? (Score:4, Informative)

    by starfishsystems (834319) on Monday January 05 2009, @06:40PM (#26336407) Homepage
    Move along, people. Nothing remotely new here.

    Now if you want to actually do something to improve security performance, how about establishing some security metrics [informit.com] as a point of reference?
    • Re: (Score:3, Funny)

      of course it's not remotely new - they're talking about insiders - it's locally new!

      thank you. thank you /exits stage right.

  • by Freaky Spook (811861) on Monday January 05 2009, @06:41PM (#26336411)

    People have been around long before computers, and have always been the biggest risk to business.

    Computers have just made it easier for employees to do more damage, either through malicious intent or just plain negligence.

    Having many SMB clients where cost is always placed over security, it's scary just how vulnerable many businesses are to their employees, from even ignoring the most basic security steps like using ACLs to secure files and basic auditing of file access, or even implementing basic password policies like "Do not give your password, to anyone, ever!"

  • First OnKrack (Score:5, Insightful)

    by Ethanol-fueled (1125189) * on Monday January 05 2009, @06:44PM (#26336451) Homepage
    Did anybody else read "Kroll Ontrack" in the summary as "Troll OnKrack"? Seems to describe the people who would buy that crap as well as the users who necessitate it.
  • Trust (Score:5, Insightful)

    by drooling-dog (189103) on Monday January 05 2009, @06:44PM (#26336455) Homepage

    Kroll Ontrack, for instance, will be rolling out a 24/7 monitoring service for its global clients manned from a US location by professionals in early 2009.

    It's a good thing that Kroll Ontrack's employees are all totally incorruptible, unlike the felons that must work for their clients...

  • by girlintraining (1395911) on Monday January 05 2009, @06:49PM (#26336505)

    So, let me get this straight -- Let's say Super Important Data Stuffs (SIDS) is in a database and as a company you want to protect it. But over 300 employees access that data every day. Evil Bad Hacker comes in and drops a trojan on one of those systems. A few days later, Evil Bad Hacker does a SELECT * FROM... fill in the blank... and in a few minutes it's compressed and uploaded. Super Important Data Stuffs was only 2 GB in size. How does your solution, or any solution, stop this while it's happening? Short answer: It doesn't. But you'll have a fine audit trail to give to the apathetic FBI, who will assure you everything will be done... Before promptly putting it into the circular filing cabinet.

    You want your data to be less vulnerable? Stop having your servers practice unsafe hex with everyone who happens to be in the building. -_-

  • by afrop (181815) on Monday January 05 2009, @06:49PM (#26336513) Homepage

    You're concerned that your employees or former employees will attempt to exploit their insider status to commit crimes against you. The most natural and obvious answer is to hire an entirely separate company, with a whole additional set of employees, and give them insider access to your network.

  • Hi Guys! (Score:4, Insightful)

    by fuzzyfuzzyfungus (1223518) on Monday January 05 2009, @07:18PM (#26336805) Journal
    Worried that people with access to your data might steal it and cost you money? Pay us to have access to your network! Don't worry a bit, our office is staffed by American Professionals(tm) just like the ones you are laying off and worrying about! And never mind the fact that, when the marketing hits the fan, a dead-end schlub earning jack-all to do boring work counts as a Professional(tm) if he is wearing a tie with two or fewer stains!

    Seriously. Ok, employees are obviously a potential security risk, they are the ones who have legitimate access to the gates and the keys, of course there is a risk. And, in some cases, you'll get genuinely bad apples, sociopaths, paranoiacs with bizarre persecution complexes, Fred in accounting with the gambling problem, etc. In most cases, though, you are basically just dealing with people. And people will be a lot happier, more productive, and less dangerous if you spend less money on Orwellian surveillance consultants and more on them. Does anybody seriously think that an office full of bitter, resentful employees, even under the all-seeing eye of your consultants, is less of a security risk than an office full of more or less satisfied people, with standard, basic procedures in place (particularly given that, in a lot of cases, somebody with basically no assets can do damage that cannot be repaired and costs more than they could ever repay, even if the lawsuit goes well)?
  • by golodh (893453) on Monday January 05 2009, @07:43PM (#26337067)
    The opening post breathes a mentality which seems to pervade US firms. It runs approximately as follows:

    (1) view employees purely as resources (about on level with the printers and the staples)

    (2) use every possible means to make their job manageable for the Human Resources department (which is shorthand for "define all tasks in such a way that every individual is instantly plug-replaceable by (a) your average worker in the job market with his job title and (b) any of his colleagues, actively remove any individuality, and rather waste someone's talents than allow him to enrich his job")

    (3) use HRM to "Dynamically contribute to optimization of enterprise processes and results" (translation: hire people when they are marginally qualified for their job and let their colleagues educate them, fire 'em the instant they become overqualified and aren't immediately placeable in a higher function, or if they show signs of becoming tired, bored, jaded, cynical, or if they catch on to what Human Resource Management really means for them)

    (4) use an elaborate system of "who reports to whom", physical access checks and "security" guards, to ensure that people are total strangers in the company they work for, with the sole exception of the department they work in (this enhances "security")

    (5) determine scientifically that your employees may spontaneously become disgruntled and hostile towards the company they work for (or after being fired)

    (6) determine that the company urgently needs to protect itself from the consequences of its employees becoming disgruntled and hostile

    (7) further plan employees' jobs and tighten "security" so that the amount of damage any disgruntled individual below the rank of executive can do is reduced to an acceptable minimum.

    The final step (8) is to spend good money to outsource security and workflow monitoring to establish tight restrictions on what employees can mess up before being physically apprehended. Outside firms have nice glossy brochures that provide your board with plenty of reasons why employees should be treated as detainees rather than as collaborators. Recommending specialized outside firms to cover specific areas of employee containment definitively establishes you as a savvy and professional manager (and keeps you in line for that end-year performance bonus).

    On the other hand, the suggestion of actually treating employees as if they were collaborators confuses simple PR slogans meant for glossy company brochures with actual management. Expecting people to behave civilly when treated like people is naive in the extreme and something no manager with an ounce of professionalism should sully himself with.

    Recognize this mindset? I foresee that work-flow monitoring will become a growth industry.

    • Re: (Score:3, Insightful)

      Mod parent insightful.

      So very true. Human Resources Departments are the biggest single barrier to progress on Earth. They are often filled with defective individuals with all sorts of complexes and psychological problems (I wonder what percentage of HR workers are clinically obese? High, I'd think). Nobody, nobody, ever wanted to grow up to work in HR. You only work there if you can't do much else.

      They are holding employees back, they are holding whole corporations back back hiring people who fit int
  • Remember 2003 (Score:4, Informative)

    by jellomizer (103300) on Monday January 05 2009, @08:10PM (#26337387)

    During the time the big viruses hit. Oddly enough, it was when outsourcing became popular for IT staff. A lot of pissed-off unemployed IT guys and a lot of locations without people local to fix the problems. Created prime virus spreading.

  • the weakest link in any computer security is human beings.

    I remember reading how some AOL employee took 26 CD-R disks, each one filled with a letter of the alphabet of data tables of AOL customers with phone numbers, addresses, bank accounts, and credit card numbers and passwords. He tried to sell it for millions but got busted by the FBI.

    When I worked for a law firm, there was a department called Litigation Support that changed its name to Technology Services and competed with Information Systems. I was the main developer on a lot of software programs. My machine kept blue screening and crashing, and I installed Black Ice because it looked like someone was sending me the ping of death and ping floods. Black Ice traced the attacks to Technology Services PC systems. When I reported the fact to my boss, he told me to take Black Ice off my system. Then it started crashing again. Eventually it stopped, but I had missed a few deadlines because my computer would crash or freeze up or lose the network connection, and it wasted my time trying to develop programs. Later on I got a bad performance review, but my boss refused to listen to me about hacker type attacks from TS directed at my IP address, despite the proof I had from Black Ice logs. Apparently I think my boss was in on the sabotage because I earned too much money and they wanted an excuse to get rid of me. It really stressed me out, and I had to go on short-term disability and had to suffer from emotional and psychological abuse from coworkers and managers. I developed schizoaffective disorder, and once I came back to work, two weeks later I was fired for being sick on the job. But it all started with denial of service attacks on my IP address.

    • Re: (Score:3, Informative)

      But using data flows to catch insiders? A doubtful proposition. Insiders would likely steal/sabotage the data they work with daily, so it would be expected to see flows to those people.

      Not necessarily.

      In a well-designed system, the data would flow only from the source to the destination, with as few stops in between as possible, right? In the case of credit cards, they would come into a cash register, travel to the authorizing system where they would be sent to an authorizer, then travel to the accounting
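The monitoring Brill describes in the summary ("understand the normal pattern of data flow and usage"), the 2 GB scenario in girlintraining's comment, and the "data flows only from source to destination" argument just above, as one added example (not code from the thread or from any vendor named in it): learn each host's normal outbound destinations and volume from a few quiet days, then score a new day's flows against that baseline. The flow summaries are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound flow summaries: (day, source host, destination, bytes out).
# Three quiet days form the baseline for two workstations.
BASELINE_FLOWS = [
    ("d1", "ws-accounting-17", "db.internal", 40_000_000),
    ("d1", "ws-accounting-17", "mail.internal", 3_000_000),
    ("d2", "ws-accounting-17", "db.internal", 55_000_000),
    ("d2", "ws-accounting-17", "mail.internal", 2_500_000),
    ("d3", "ws-accounting-17", "db.internal", 48_000_000),
    ("d3", "ws-accounting-17", "mail.internal", 3_200_000),
    ("d1", "ws-dev-04", "git.internal", 120_000_000),
    ("d2", "ws-dev-04", "git.internal", 95_000_000),
    ("d3", "ws-dev-04", "git.internal", 130_000_000),
]

# Day four: the accounting workstation pushes ~2 GB to an address it has never contacted.
NEW_DAY_FLOWS = [
    ("d4", "ws-accounting-17", "db.internal", 51_000_000),
    ("d4", "ws-accounting-17", "mail.internal", 2_800_000),
    ("d4", "ws-accounting-17", "198.51.100.23", 2_100_000_000),
    ("d4", "ws-dev-04", "git.internal", 110_000_000),
]


def build_baseline(flows):
    """Per host: destinations seen and the list of per-day outbound totals."""
    dests = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for day, host, dst, nbytes in flows:
        dests[host].add(dst)
        daily[host][day] += nbytes
    return {host: {"dests": dests[host],
                   "daily_totals": list(daily[host].values())}
            for host in dests}


def score_day(flows, baseline, volume_factor=3.0, sigmas=3.0):
    """Alert on (a) a destination outside the host's baseline and
    (b) a daily outbound total far above the host's normal range."""
    alerts, totals = [], defaultdict(int)
    for _day, host, dst, nbytes in flows:
        totals[host] += nbytes
        prof = baseline.get(host)
        if prof is None:
            alerts.append((host, "no baseline for host"))
        elif dst not in prof["dests"]:
            alerts.append((host, f"new destination {dst} ({nbytes} bytes)"))
    for host, total in totals.items():
        prof = baseline.get(host)
        if prof is None:
            continue
        mu, sd = mean(prof["daily_totals"]), pstdev(prof["daily_totals"])
        if total > max(volume_factor * mu, mu + sigmas * sd):
            alerts.append((host, f"outbound {total} bytes vs normal ~{int(mu)}"))
    return alerts


if __name__ == "__main__":
    for alert in score_day(NEW_DAY_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(*alert)
```

The volume check only fires once the day's total is already far above normal, which is the point the 2 GB comment makes; the new-destination check is what gives a chance of catching the transfer while it is still in progress.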