The Top 5 Internal Information Technology Security Threats
The top five internal security threats from ITsecurity.com
1. Your Employees Are Selling You Out, Part 1
Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization in an effort to gain unauthorized access to confidential data. While not exactly a new phenomenon, attacks are becoming increasingly sophisticated, according to Paul Stamp, a Forrester Research senior analyst.
“A phishing attack used to be a request from the deposed governor of Nigeria,” says Stamp. “These days, a phishing attack is almost indistinguishable from the real thing.”
The result: unwitting employees disclosing confidential information, from passwords to financial data, to ill-intentioned intruders. Unable to identify fraudulent websites and counterfeit email messages, these internal workers are essentially opening a company’s closed doors to criminals.
2. Laptops on the Loose
Accidentally bequeathing your forgotten laptop to a hotel’s cleaning staff is more than an inconvenience. According to software security firm Symantec, the theft or loss of a computer or other data-storage medium made up 54 percent of all identity theft-related data breaches in the second half of 2006.
But that’s not all. The theft or loss of a laptop can cost a company big bucks. The 2006 CSI/FBI Computer Crime and Security survey reveals that laptop theft and the theft of proprietary information are the third- and fourth-greatest sources of respondents’ financial losses. Moreover, a startling 47 percent of respondents detected laptop/mobile theft last year.
3. Unintentional Access and Disgruntled Ex-Employees
One of the many perks of working for a company is the access one gains to multiple computer systems, from e-mail messaging to HR payroll. Yet it’s precisely this access that can endanger the security of mission-critical applications. Despite today’s sophisticated user provisioning systems, many IT administrators are simply too time-strapped to actively update users’ access and privileges.
In fact, research has revealed that it can take upwards of 4 months to remove the user rights of a former employee. Within that time-span, there’s no telling what havoc a disgruntled employee can wreak on a company’s critical business systems.
The remedy: There’s no shortage of vendors promising to simplify the user provisioning process. Entrust, for example, offers solutions that automate policy enforcement and delegate administration for user provisioning, which helps maintain security levels while managing large numbers of users. Another example is Courion. Courion’s AccountCourier is an automated user provisioning solution that instantly grants, revokes or modifies access to any operating system, application, Web portal or other IT asset without manual intervention.
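As an added example (not code from the article, Entrust or Courion), here is the kind of reconciliation check a defender can run between the HR roster and the account directory to surface exactly the stale and orphaned accounts this section describes; the roster, account list, review date and 30-day grace period are constructed sample data and assumptions.

```python
"""Reconcile an HR roster against a user-account directory and flag accounts
still enabled after their owner's exit (constructed sample data throughout)."""
from dataclasses import dataclass
from datetime import date

GRACE_DAYS = 30                    # assumption: access must be gone within 30 days
REVIEW_DATE = date(2007, 6, 1)     # constructed review date for the sample run

# Constructed HR roster: username -> termination date (None = still employed).
HR_ROSTER = {
    "alice": None,
    "bob": date(2007, 1, 15),
    "carol": date(2007, 5, 2),
    "dave": date(2006, 11, 30),
}

# Constructed account directory: (username, system, enabled).
ACCOUNTS = [
    ("alice", "email", True),
    ("bob", "email", True),
    ("bob", "payroll", True),
    ("carol", "email", True),
    ("dave", "vpn", False),      # already disabled: nothing to report
    ("erin", "payroll", True),   # no HR record at all: an orphan account
]

@dataclass(frozen=True)
class Finding:
    username: str
    reason: str            # "orphan" (no HR record) or "stale" (left > grace)
    days_since_exit: int   # 0 for orphans
    systems: tuple         # systems where the account is still enabled

def stale_accounts(roster, accounts, today, grace_days=GRACE_DAYS):
    """Return findings for enabled accounts that should already be revoked."""
    enabled = {}
    for user, system, is_enabled in accounts:
        if is_enabled:
            enabled.setdefault(user, []).append(system)
    findings = []
    for user, systems in sorted(enabled.items()):
        if user not in roster:                       # orphan: nobody owns it
            findings.append(Finding(user, "orphan", 0, tuple(systems)))
            continue
        exit_date = roster[user]
        if exit_date is None:                        # current employee
            continue
        days = (today - exit_date).days
        if days > grace_days:                        # revocation is overdue
            findings.append(Finding(user, "stale", days, tuple(systems)))
    return findings
```

Carol left 30 days before the review date and so sits exactly at the grace limit; Bob's accounts and the ownerless "erin" account are what the check reports.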
4. Missing Security Patches
It’s an unfortunate reality. Vendors aren’t always quick to produce the necessary protection in the face of a newfound security hole. In fact, Symantec reports that in the second half of 2006, all the operating system vendors that were studied had longer average patch development times than in the first half of the year.
Further complicating matters, however, is the fact that many IT administrators are simply too overburdened to ensure that they have the latest updates and most recent patches in place. The result: well-known viruses succeeding at penetrating some of today’s largest enterprises.
5. Your Employees are Selling You Out, Part 2
That joke email message that just landed in your inbox may not be so funny after all. “A lot of the security threats that we’re seeing involve email somewhere along the line,” warns Stamp. Data leakage stemming from outbound e-mail is among the primary concerns. According to the Ponemon Institute, 69 percent of organizations reported serious data leaks caused by either malicious employee activities or nonmalicious employee error.
But even the most innocent of correspondences can result in trouble. For example, an email message that causes one employee to chuckle may greatly offend another, leading to legal liabilities. Email can also serve as incriminating evidence: internal emails contributed to pharmaceutical giant American Home Products Corporation being fined $3.5 billion as a result of a class-action lawsuit concerning its manufacturing of the diet drugs Fen-Phen and Redux.
The remedy: Strict usage policies can prohibit employees from sending sensitive information via insecure e-mail. E-mail content scanning technology can also help. IBM Express Managed Security Services, for example, scans and monitors e-mail before it ever reaches a network, ensuring that it’s free from harmful or damaging content. And MessageLabs’ Boundary Encryption service lets businesses set up a secure private email network between themselves and their partners to ensure the end-to-end delivery of encrypted communications.