Well-Meaning Employees and how to STOP them
July 19, 2009 Laura Hees with help from Michael Bednarczyk and Information Week. Every day well-meaning employees put their employer’s data at risk. An industrious worker downloads sensitive data so that she can put in some extra hours at home, and then loses the USB memory stick. A road warrior desperate to send important data but unable to find a wired connection to the company’s VPN logs onto a network called “Free Public WiFi”. An admin assistant clicks on a link in an email that appears to come from her boss. It may not be intentional, but the result is the same: well-meaning, albeit clueless, end users blowing up your systems from the inside.
The greatest threat in any company is the user who’s simply trying to get his job done. All of these actions, and of course many others, can lead to security leaks and breaches that can be devastating to an organization. According to the February 2009 Information Week Analytics/Dark Reading poll on endpoint security, only 9% of the nearly 400 business technology professionals polled said that their IT/security organizations perceived the threat from endpoint security risks as negligible; the majority said locking down inside nodes is just as vital as perimeter security. Some security analysts and vendor estimates put employee-based security breaches as high as 85% of total reported incidents.
Social networking portals are themselves prime targets for malicious activity. Because of their popularity, these sites are great launch pads for trying out malicious code. Social networking sites can account for up to 91% of reported phishing attempts in the US alone, according to recent estimates. Although I am a HUGE fan of Facebook, LinkedIn, etc., most organizations should have these types of sites blocked. Many perhaps see a business value in using Twitter etc. Really? I don’t understand that one, but ok. Even when access is forbidden, there are some employees whose technological experience will be just enough to successfully bypass the filters but not extensive enough to avoid becoming a gaping security hole exposing an entire organization.
Information Week says that employees need to be trained not to use unsecured wireless portals, not to download all of their company’s data onto a USB drive and then go home and use it on their own computer, not to open an email from an unknown person, not to let anyone else use their computer, etc. But personally I do not believe this will get you anywhere. People will still do it. There will be better and better phishing lures out there finding ways to get your personal and company information. You can launch fake phishing attacks against your own company to see how many employees fall victim and then hopefully learn, but again I think that is extremely time consuming, and people will still open unknown emails.
The loss of laptops, cell phones, removable storage, iPods and other portable media is another vital area where good employees can cause things to go very bad. Quantifying the amount of damage done in these areas is very difficult because many lost or stolen items never get reported: employees may be concerned about censure and executives do not want the publicity. The only real way to reduce the damage these tiny devices can cause to an organization’s security framework is to enact and enforce strict computer policies. IT should require all laptops to have boot passwords and full-drive encryption, and to use VPN tunnels whenever their users are out of the office. GPS tracking and LoJack recovery services can aid in recovering a lost or stolen laptop. Implement policies that do not allow any USB device onto the internal network without prior certification and authorization. In instances where these devices must be used, insist on products that offer security features. Several manufacturers offer flash drives that use on-the-fly encryption, which makes securing data for mobility transparent to the user.

What is best is an integrated solution that understands not only when sensitive information must be blocked but also when it must be released, and how to protect it when it is: a solution that enforces encryption through configurable data security policies. Security officers need to be able to designate which content should be encrypted, blocked or logged for review. This can either be internally managed or hosted by a managed service company. Lots of options out there… So protect your darn data!!
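To make the two policy ideas above concrete (certify USB devices before they are allowed, and decide per destination whether content is released, logged, encrypted or blocked), here is a small added example written for this post. It is not code from the original article or from any vendor product; the device allowlist, the destination classes, the rule table and the sample messages are all constructed for illustration. The card-number check uses the Luhn checksum so a random 16-digit run does not fire the rule.

```python
"""Toy data-security policy engine: USB device certification check plus a
content classifier that returns the strictest action a destination demands.
Constructed example for this post; not any product's real policy format."""
from __future__ import annotations
import re

# Constructed allowlist of certified drives keyed by USB vendor id, product id
# and serial number. Anything not listed here is refused.
CERTIFIED_USB = {
    ("0781", "5583", "CORP-0001"): "hardware-encrypted flash, issued to finance",
}

def usb_device_allowed(vendor_id: str, product_id: str, serial: str) -> bool:
    """Only drives certified and authorized in advance may be used."""
    return (vendor_id.lower(), product_id.lower(), serial) in CERTIFIED_USB

# Destination classes the engine understands (constructed for this example).
INTERNAL, REMOVABLE, EXTERNAL = "internal", "removable_media", "external_email"

# Actions from least to most restrictive. "encrypt" means release only in
# protected form; "log" means release but record it for review.
ACTION_RANK = {"allow": 0, "log": 1, "encrypt": 2, "block": 3}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: cuts false positives on arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list[str]:
    """Return digit strings in text that look like card numbers and pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.append(digits)
    return found

# Rule table: label, matcher, and the action required per destination class.
# The same content may be fine internally, need encryption on removable media,
# and be blocked entirely from external email.
RULES = [
    ("payment_card", lambda t: bool(find_card_numbers(t)),
     {INTERNAL: "log", REMOVABLE: "encrypt", EXTERNAL: "block"}),
    ("ssn", lambda t: bool(SSN_RE.search(t)),
     {INTERNAL: "log", REMOVABLE: "encrypt", EXTERNAL: "block"}),
    ("confidential_marker", lambda t: "CONFIDENTIAL" in t.upper(),
     {INTERNAL: "allow", REMOVABLE: "encrypt", EXTERNAL: "encrypt"}),
]

def decide(text: str, destination: str) -> tuple[str, list[str]]:
    """Return (strictest action any matching rule demands, labels that fired)."""
    if destination not in (INTERNAL, REMOVABLE, EXTERNAL):
        raise ValueError(f"unknown destination class: {destination}")
    action, labels = "allow", []
    for label, matcher, actions in RULES:
        if matcher(text):
            labels.append(label)
            candidate = actions[destination]
            if ACTION_RANK[candidate] > ACTION_RANK[action]:
                action = candidate
    return action, labels

if __name__ == "__main__":
    # Constructed sample messages and destinations.
    samples = [
        ("Q3 forecast draft, CONFIDENTIAL, do not forward", EXTERNAL),
        ("Refund to card 4111 1111 1111 1111 approved", EXTERNAL),
        ("Refund to card 4111 1111 1111 1111 approved", REMOVABLE),
        ("Lunch menu for Friday", EXTERNAL),
    ]
    for text, dest in samples:
        print(f"{dest:16s} {decide(text, dest)}  <- {text!r}")
    print("certified drive:", usb_device_allowed("0781", "5583", "CORP-0001"))
    print("unknown drive:  ", usb_device_allowed("0781", "5583", "serial-9999"))
```

The point of the rule table is the one the paragraph makes: the decision depends on both the content and where it is going, so the same card number is logged internally, forced onto encrypted media when it must travel, and blocked at the mail gateway. A real deployment would key the USB allowlist off the device's actual descriptors and keep the rule table in a managed policy store rather than in source.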
References: Michael Bednarczyk Dark Reading
Endpoint Security – an information security concept that assumes that each device (endpoint) is responsible for its own security. Symantec offers multiple security management solutions:

Control Compliance Suite – Provides end-to-end coverage for the IT compliance lifecycle, including policy management, technical and procedural controls assessment, reporting and remediation.

Enterprise Security Manager – Automates the discovery of vulnerabilities and deviations from security policy in mission-critical e-business applications and servers across the enterprise from a single location.

Security Information Manager – Enables organizations to collect, store and analyze log data, as well as monitor and respond to security events, to meet IT risk and compliance requirements.