To catch a thief

Enterprises often underestimate the potential threat to data from disgruntled ex-employees. Piers Ford reveals the available safeguards.
By Piers Ford
Mon 05 Apr 2010 04:00 AM

If the findings of a new study are true, CIOs should wake up to a stark and rapidly-approaching reality when it comes to the security of the corporate data they are employed to protect: beware the enemy within - especially if he is about to be given his marching orders.

The Symantec-sponsored study from Ponemon Institute - Data Loss Risks During Downsizing - suggests that staff adopt a very pragmatic attitude to their employers' confidential information when they are let go. In the downturn, with new jobs harder to come by, a customer mailing list or a contacts database suddenly becomes a very useful commodity.

The results of the US-based study should resonate with CIOs in the Gulf region, where redundancy and reduced headcounts are just as much a fact of life: 59% of departing staff steal company data on their way out. Of these, 79% are fully aware that they are breaking company rules. Just 15% of respondents said their employer audited the paper and electronic documents they were leaving with. Almost 70% said they had used stolen data as collateral to improve their new job prospects, and a similar number planned to use stolen contact and e-mail lists themselves.

In other words, for all their focus on beefed-up firewalls, enterprise security and the constant threat of cyber attacks, CIOs are often guilty of ignoring an uncomfortable danger right under their noses. And in doing so, they are compromising data security - almost certainly in breach of compliance regulations - and damaging the competitiveness and financial prospects of their business.

"In the Middle East, technology is driving information security," says Tareque Choudhury, head of security practice, Middle East and Africa at BT Global Services.

"The domain of information security encompasses people, processes and technology. Time and time again, the majority of organisations in the region fail to recognise that just putting in firewalls and some anti-virus is not enough to ensure their adequate protection. Not only does each company need to protect itself from the digital world, but it needs to protect itself from its own employees. And this can only come when technology is coupled with good processes and the right people."

The key, suggests Choudhury, is assessing where the weak links are in your organisation. And according to many observers, that invariably means focusing on staff - their practices and attitudes - when they are gainfully employed as much as when they are being asked to leave.

"Employees will always be the weakest possible link, simply because there is no patch available for naivete," says Roger Thompson, chief research officer at Anti-Virus Group. "That's why the most common threat that we see every day revolves around things like web-based social engineering. Everyone uses the web to browse information and web traffic tends to go right through the firewall.

"The bad guys understand this, and structure their offerings to trick people. Of course, we'll always see exploits come along, but they do get patched and eventually, in a corporate environment, become less of a problem. However, people can always be tricked," he continues.

The good news for CIOs, according to Symantec's Middle East security expert Bulent Teksoz, is that despite limited IT budgets, resources and even support from other business units, if only one in ten IT projects is given the go-ahead, it will almost certainly be the one focused on security and preventing data loss.

"Our research shows that enterprise security is the CIO's top concern, and from our forums in the region we also know that the weakest link has always been the user," he says.

Password follies

No matter how many times a CIO is told that employees will always represent the most dangerous threat to their data security, most of them would prefer to trust staff and colleagues. According to Stephane Fymat, vice president of strategy and product management at password specialist Passlogix, this means that about 80% of companies around the world have no protection or procedures in place to prevent possible data loss when an employee leaves the business and decides to take something along.

"Most employees have a good knowledge of the internal network, which can have huge implications for a business' own valuable data, or that of its customers if an employee then chooses to access the system maliciously," he says.

"Many companies don't change access passwords for months after people have left. To protect against this, a business needs to firstly clarify its internal policies and get its procedures in order. Ask yourself, which of your IT administrators has what level of access and control?" he questions.

"There are usually policies in place but they are, more often than not, dormant. Then you need to communicate your policies to every member of staff so that they know their responsibilities. Finally, firms must properly encrypt, store and govern the use of privileged account IDs and passwords," says Fymat.

"But you can't solve the issue with technology alone - you need to know what you're trying to protect. You need to understand that if an employee loses their laptop or PDA, or takes its contents with them when they leave the company, the cost of replacing the machine is the least of your problems.

"CIOs have plenty of power within the organisation, but that comes with responsibility. They face some very challenging compliance and security issues, and they can only deal with them if they know what their critical assets actually are. Then you can build a policy framework and introduce supporting technology which can automate the process."

Teksoz suggests that the growing trend of moving away from a technology-centric security infrastructure to securing the information itself is a positive development. It's a risk-based approach, but CIOs must prioritise and balance their data according to its value and importance. And staff compliance with a corporate security policy must be driven by a formal and documented training schedule.

"Our research shows that people who feel negative about their employer take the data when they leave. So you need a process that clearly states that ex-employees no longer have access to the data and includes exit interviews to audit what they're actually taking with them. Globally, we still see cases where an employee still has access to the company's VPN three months after they've been let go! That must be blocked, and it still isn't happening in certain businesses," he continues.
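The failure Teksoz describes (a leaver whose VPN access survives for months, or whose passwords are never changed, as Fymat notes above) is something an offboarding audit can detect mechanically. As an added example that is not from the article or any vendor quoted in it, the following script reconciles a constructed HR leaver list against a constructed account export and VPN sign-in log, and flags leavers whose accounts remain enabled or who successfully connected after their last working day; the data formats and field names are assumptions.

```python
"""Flag leavers whose access outlived their employment.
All sample data below is constructed for illustration."""
from datetime import date, datetime

# Constructed HR leaver feed: username -> last working day (ISO date)
LEAVERS = {
    "a.khan": "2010-01-15",
    "j.smith": "2010-02-28",
    "m.ali": "2010-03-10",
}

# Constructed directory export: username -> account still enabled?
ACCOUNTS = {"a.khan": True, "j.smith": False, "m.ali": True, "s.lee": True}

# Constructed VPN authentication log: "<ISO timestamp> <user> <result>"
VPN_LOG = """\
2010-02-03T09:12:44 a.khan ACCEPT
2010-02-20T18:02:10 s.lee ACCEPT
2010-03-05T22:41:03 j.smith REJECT
2010-03-12T07:55:19 m.ali ACCEPT
2010-04-01T23:10:00 a.khan ACCEPT
"""

def parse_vpn_log(text):
    """Yield (timestamp, user, result) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, user, result = parts
        yield datetime.fromisoformat(ts), user, result

def stale_access_report(leavers, accounts, vpn_log, grace_days=0):
    """Return {user: [findings]} for leavers whose access was not revoked.
    grace_days tolerates logins within a handover window after the last day."""
    findings = {}
    for user, last_day in leavers.items():
        left = date.fromisoformat(last_day)
        issues = []
        if accounts.get(user, False):
            issues.append("account still enabled")
        # Successful VPN logins after the last working day mean access was not cut
        late = [ts for ts, u, r in parse_vpn_log(vpn_log)
                if u == user and r == "ACCEPT" and (ts.date() - left).days > grace_days]
        if late:
            days = max((ts.date() - left).days for ts in late)
            issues.append(f"{len(late)} VPN login(s) after leaving, latest {days} days later")
        if issues:
            findings[user] = issues
    return findings

if __name__ == "__main__":
    for user, issues in stale_access_report(LEAVERS, ACCOUNTS, VPN_LOG).items():
        print(user, "->", "; ".join(issues))
```

Feeding the script a real HR leaver export and directory and VPN logs turns the "three months later" case into a finding on the day the first post-departure login appears.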

Multi-national companies with a Gulf presence will always implement their global security policies at a regional and local level, and will usually have an IT security officer responsible for enforcement. But in smaller organisations, this responsibility might fall to a multi-tasking IT manager or managing director, or even be outsourced to a risk consultant. One of the main challenges they all face is that the region is so dependent on IT contractors who, by definition, can be difficult to keep track of.

Ben Rabasse, Middle East expert at access control specialist HID Global, says attitudes to staff risk in terms of IT security are advanced in many areas of the Gulf. The UAE and Jordan are advanced and organised, Saudi Arabia's government has a very strict approach and Qatar is also coming up on the rails.

Rabasse says the deliberate abuse of logical access rights ranges from the mischievous to full-blown espionage. Increasingly, card-based access control is seen as the most cost-effective way of managing IT security, particularly for larger organisations.

"Currently, collusion with attackers from outside an organisation is a growing threat," he says. "Businesses are adopting systems that ensure unauthorised parties cannot log onto a PC even with standard user name and password details, which are easily passed on or hacked. An extra layer of security is now being adopted whereby an individual must offer a physical credential to a special reader that is attached to the PC's USB port. Once approved, they can then input a user name and password to log in.

"Oil companies we are working with in the Gulf are demanding security features like embedded holograms, micro-fine printing, UV ink, metallic colours and guilloche printing. This is basically to ensure that the ‘visual ID’ element of their card cannot easily be compromised. The multinational nature of the larger oil firms means that several access control vendors may need to be utilised," continues Rabasse.

"Other ways that oil firms and other large organisations are increasing security is through smart cards so that along with physical and logical access control, the same credential can be used in many other ways. They can be ‘read’ by special hand-held readers, linked real-time by wi-fi to the central access control server. This allows security personnel to remotely check staff credentials, before they disembark from a bus, or before entering a secure area for example. Such devices are also extremely helpful during the mustering process after a fire alarm evacuation," ends Rabasse.

Integrated security

All the evidence suggests that enterprise security is top of every CIO's list of concerns, far above the need to implement another piece of infrastructure or the latest gadget. So it's all the more surprising that there is still a high level of bad practice and a lack of due diligence among enterprises in the region, says Paul Sherry, regional director at infrastructure specialist F5 Networks. The answer lies in realising the need to integrate security as a strategic element of the application deployment plan, not as an afterthought or to fulfil a marketing plan.

"Some companies are still deploying apps via the internet without firewalls in place," he says. "This could be attributed to operational structures being ‘siloed’ whereby, as a specific example, the network guys think the application guys are taking care of security and vice versa, caused by a lack of integration across the organisation.

"At present we are seeing a lot of interest in integrated security solutions. This also needs to be backed up by due diligence from the first stage of negotiations with vendors regarding best practice for application deployment. Security should be considered as a key part of the application deployment plan," he ends.