How should IT managers go about safeguarding their network from internal security threats? IT security authority Jack McCullough, coauthor of Access Denied: The Complete Guide to Protecting Your Business Online, said using a layering strategy is the best protection.
"Perhaps the most overlooked threat in a security program is the threat posed by employee behavior," said McCullough. “As much as 80 percent of security compromises are the result of actions by an insider.”
Whether the security threats are malicious or due to inadvertent employee error, the results are the same: loss of revenue and productivity, and potential liability for the company.
McCullough pointed to a recent spate of damaging hoax messages as an example of how employees inadvertently put systems at risk.
“In this latest hoax, people are just following directions that they believe will protect the network when, in fact, they are deleting crucial applications,” said McCullough. “Antivirus products can scan for viruses, but they cannot protect against something like this, a hoax that consumes bandwidth, requires costly resources, and inhibits productivity.”
Malicious insiders, including disgruntled employees and employees who have been recently terminated, are also a worry. “Many companies have focused their energies on dealing with the threat posed by hackers and malicious code,” said McCullough. “Unfortunately, this is the IT equivalent of locking the front door and leaving all of the windows open.”
Other internal security threats include contractors and outside service providers. “Depending on the situation, contractors or outside vendors can have as much knowledge and access as the in-house IT staff,” said McCullough. “The threat here is the same as the threat from an employee, except that they may be harder to detect if your own staff does not supervise them.”
A layering strategy
McCullough suggests layering components in a full security strategy that includes technologies, policies, procedures, and practices.
“The majority of companies would privately admit that their IT security is not as comprehensive as it should be. Security policies and procedures are often far behind technological advances, and adequate staff education is rare and infrequent," said McCullough.
“In fact, many organizations only develop or update policies and procedures in reaction to a security compromise. As a result, companies are vulnerable, despite spending large sums on security products and consultants.”
Specific steps to implement layered security would vary between organizations. But a good place to start is with risk analysis. McCullough said IT managers need to take the following steps to establish the level of risk that their organization faces:
- Identify network assets.
- Determine the value of each asset and the cost associated with its loss.
- Identify threats to the asset.
- Determine vulnerability to identified threats.
- Prioritize assets by level of importance.
Use complementary technologies
By layering security using complementary technologies, your organization can address all of the threats it faces. For instance, firewalls and antivirus software may protect a company at the gateway, but they would be ineffective if an insider bypassed the gateway. E-mail and Web filtering software would close this hole and add another layer to the security program. Intrusion detection and file monitoring solutions would also aid in detecting changes made to the system by malicious individuals.
“Each of these technologies complements the others and helps to create a more effective security program,” said McCullough. “By layering technologies, we are in effect closing the windows after locking the doors.”
Layering does not mean adding unnecessary redundant systems. If one antivirus product is good, for example, adding another antivirus program at the gateway would not necessarily be better.
“Increased complexity and redundancy of this kind can cause more problems than existed in the first place,” said McCullough. “Layering with complementary technologies allows each piece of the security program to support and defend the other pieces.”
Content security using filtering technology, for example, provides the key protection against risk due to employee behavior and abuse of IT resources, said McCullough. “Even when an acceptable use policy is in place, administrators often lack the means to enforce it. Filtering technology enables management to enforce security policies and privacy policies while managing staff productivity and minimizing wasted network bandwidth.”
SurfControl E-mail Filter 4.0 is just one example of an e-mail content management tool on the market. SurfControl Virtual Learning Agent, a plug-in component of E-mail Filter 4.0, actually learns what information and what kinds of documents are most sensitive for an organization and ensures that content is e-mailed only to those authorized to receive it.
Susan Getgood, vice president of marketing at SurfControl, said since security threats are growing more complex and more sophisticated, business weapons to fight against the threats need to be more sophisticated as well.
“We know that e-mail and the Internet are the most important communications tools used to conduct business today and that all Internet content carries risk,” said Getgood.
Getgood said the first step for IT managers “is to develop an effective acceptable use policy and inform employees how they can and cannot use the Internet and e-mail, according to the company’s own policies. Then, select sophisticated technology to enforce policy.”
But McCullough warns that new technology is only one part of a successful layered program. “When selecting security solutions, avoid technology that will conflict with the other segments of your security program. Do not forget to consider the threat from within your organization when developing a layered program,” he said.
“A security program is only as good as the personnel tasked with managing it. Administrators must stay informed about changes in the threats to their network and remain committed to its security. New vulnerabilities are reported almost daily.”