Three Part Blog
Part 3: Security and Employee use of the Internet
Internet Security has become an umbrella term covering everything from identity theft to virus protection to using firewalls to keep outsiders out (except when you want them in). This article focuses on intentional as well as the inadvertent insider threat and address security concerns managers must understand when employees use company resources to access the Internet.
One of Pearl Software’s quickest success stories was a customer who kept losing competitive bids for contracts based on price. Fearing an inside leak, the customer installed our Employee Internet Management software and quickly discovered that one of his employees was being compensated for emailing confidential bid details to a major competitor. Another of our customers, a large hospital, was inundated with viruses – the digital sort. Computer viruses were frequently plaguing its systems, rendering them useless at times. Antivirus and antispyware software tools would successfully clean up defiled systems, but only after they wreaked havoc for users and the IT staff. The hospital installed Internet monitoring software in order to identify usage patterns and determine and block likely Web sites and users that were the root cause of their issues. The hospital’s primary concern was that an employee could inadvertently download a trojan, making an infected computer a gateway to external hackers and providing unauthorized access to patient information.
Industrial espionage has always been a security concern. Cybercrime also involves the buying and selling of intellectual property - a company’s new product designs, proprietary financial information and confidential memos. An increasing percentage of valuable corporate data is being electronically siphoned and sold to the competition. As the Wall Street Journal reported, the biggest threats to information security often don’t come from hackers. They come from a company’s own employees. The insider threat and internal surrogates are the focus of the Department of Homeland Security’s National Cyber Security Division. Malicious acts by disgruntled employees, viruses picked up in e-mail spam or from seemingly innocuous Web sites and corporate espionage are all areas that require conscientious governance.
Security risks may also be inadvertent. Take Phishing for example. Here, a phony Web site dupes unsuspecting users by publishing Web pages with the look and feel of the authentic Web site it intends to mimic. Suppose your accounts payable clerk receives an email from what appears to be your company’s bank. She responds to the email which asks her to click on a Web link to update her email address. As expected, her Web browser opens and she is taken to a site that has been built with the exact look and feel of your bank’s Web site. As usual, the clerk is prompted to enter her secure user name and password. After entering her credentials, nothing visually happens. However, something very damaging does happen; The Phishing site has captured her credentials and the authors of the phony site can now access your account at the authentic bank Web site.
The Internet security team at CERT believes that most insider crimes go unreported not because they are handled internally, but because they are never discovered in the first place. The bottom line is if you are in business and your employees use computers, you need to protect your data against unauthorized access – both internally and external – and the best methods for doing so are always a balance between technology and personnel management.