Not all companies want airtight security. Worries about civil liberties, unfair "profiling" of workers and reducing employee morale are all common reasons to justify going light on background checks.
Andy Evans, senior security engineer for Ecora Software of Portsmouth, N.H., notes the background checks that Kroll advocates could be viewed as excessive.
"At the very least you call references, but beyond that Id be offended if there was too much digging around even though theres nothing to find," says Evans.
He believes the amount of checking should depend on a workers mission. "For people with access to financial and personal data, though, it makes sense."
For Evans, a better approach is to establish clear network guidelines of acceptable use, educate employees and then enforce those guidelines. According to analysts, these guidelines should start from the assumption that the employer has a right to inspect anything on the network.
"There shouldnt be any veil of privacy," says Brill.
Besides network basics such as prohibitions on pornography, sending spam and downloading pirated software, analysts say most executable files should be stopped from entering or leaving the network. There also should be guidelines on what types of employees get certain access privileges.
Evans recommends that firewall protection should apply to both incoming and outgoing network traffic even if it results in a slower connection.
"You can take a performance hit, but the payoff is huge," adds Evans, who says the effect on network performance would depend on a companys hardware and bandwidth.
Password management also is a key consideration. Passwords need to be changed often and need to stay away from obvious words such as "secret," a spouses name and social security numbers.
"The fact remains security is still 90% password-based and its a notoriously weak form of authentication," says Derek Brink, director for product management for RSA Securitys SecureID.
One major security hole: passwords that arent terminated when employees are. "When an employee leaves, all access accounts should be disabled. That closes a huge hole," says Pescatore.
RSA has been pushing the use of hardware and software tokens, which change passwords every minute and require a personal identification number to verify the user. Once a user is authenticated, he will get access to parts of the network hes authorized to use.
So why arent tokens a big hit? Passwords come cheap and identity-management tools can take a piece of the budget. The cost to acquire and deploy a password system is essentially zero.
For 25 RSA users, Steve Stasiukonis, the owner of Secure Network Technologies of East Syracuse, N.Y., says it costs $3,950 for a license to RSAs access-management server, $1,000 in annual maintenance and $62 for each SecureID fob, which will last three years.
Brink says RSA and its rivals have largely pitched authentication as a way to mitigate risks, but dont necessarily try to prove theres a return on the investment. "Weve had a hard time talking about reducing costs and increasing revenue," says Brink.
And what if you take all the necessary precautions and an insider still goes bad? The key is to monitorand more importantly interpretnetwork traffic.
"Inside the firewall theres a lot of information to interpret," says Brill. "Most attacks leave a trail. The only problem is seeing the trail."
Indeed, its a trail that can leave reams of data. Out-of-the-ordinary financial transactions, executable files, unusual Web site visits and instant-messaging conversations should all raise red flags, say analysts.
Brill says decision-makers have three choices. Dont monitor your network and take your chances; devote resources to interpreting the data full time; or outsource to companies such as Symantec, which acquired monitoring firm Riptech last year.
Pescatore also says startups such as Vericept, SilentRunner and Niksun are working to fill the monitoring void by offering software that cooks traffic patterns down to a simple alert.
"The key is to collect the data [and] rebuild 1,000 events into one incident," says Pescatore.