The recent Target data breach and a new data breach at Home Depot are reminders to CIOs and CSOs about the dangers of security problems on a massive scale, though the smart executives are giving equal time to the potential of internal data breaches. These are inadvertent and sometimes deliberate security breaches that happen when an employee shares a password or loses a mobile device. In other cases, an employee might access a website at work that loads malware onto his PC, which then spreads throughout the corporate network. In other cases, security breaches occur when a disgruntled employee leaves the company and takes with him valuable intellectual property that belongs to the company.
During a recent visit with the CEO of a security IT audit firm in the banking and financial services industry, I asked which audit services banks were requesting most. He answered that banks wanted full-scale IT audits and internal/external penetration testing of their networks, and that he was receiving a high number of requests for social engineering audits.
What is a social engineering audit?
"It's an examination of your internal controls over information, such as the strength of your security policies and procedures and whether your employees are abiding by them," he said. "We visit with different business units within a company to see how these policies are being carried out, but we also perform a series of automated tests to see if there have been any internal data or security breaches that are the result of employee activity."
It's not a pleasant situation if something turns up, because the discovery of an internal security breach usually leads to the interrogation of an employee, and in the worst cases, employee dismissal. Nevertheless, social engineering is at the top of the security to-do list for many CIOs and CSOs because internal security breaches occur with more regularity than they would like to admit.
In financial firms, the uptick in social engineering audit activity is attributed to several factors:
- More regulators are proactively asking banks what policies and practices they have in place to control potentially compromising security breaches by employees;
- There has been a general rise in employee security breaches, information thefts, and system sabotage since jobs were lost in the 2007-2008 economic recession; and
- More mobile devices are being used -- and also being lost or misplaced in the field.
The mobile device threat is also felt in the "back office," where banking mobile device policy often crashes head-on with employee personal mobile usage habits. Here's how it happens.
Nearly everyone carries a personal cell phone or smartphone with a built-in camera. It's great for taking photos and sending them to friends, and it's not likely to be an issue if you work in a floral shop or a sports arena. However, if your job is in a credit and debit card "back office" processing operation where you see dozens of account numbers and Social Security numbers each day, and could easily photograph and sell them, your bank employer is likely to have a policy against mobile phones with cameras in the work area.
The bottom line
Security is an inside as well as an outside responsibility. Accordingly, CIOs and CSOs are:
- collaborating with HR to facilitate employee training (and re-training) in corporate technology usage policies and practices;
- staying on top of new industry security and privacy regulations for internal security; and
- ensuring that technology is in place to locate and shut down mobile devices in the field that are lost or misplaced.