Enterprises searching for the answers to their security problems should increasingly take a closer look at their internal operations before blaming outside threats, according to experts participating in an online IT security conference.
Speaking as part of Ziff Davis Media eSeminars Security Virtual Tradeshow, industry watchers conceded that applications such as e-mail clients, file-sharing systems and instant messaging platforms continue to pose serious problems for those people charged with protecting corporate IT networks and information.
However, the collection of consultants, analysts and vendors participating in the event said that the issue of workers who purposefully or inadvertently ignore security policies has also proven to be one of the hardest obstacles to overcome in increasing corporate security.
“Its a tough question to answer but one that must be dealt with,” said Howard A. Schmidt, a former chief security officer at Microsoft and one-time strategist for the U.S. Department of Homeland Security.
“Companies tend to hire people they think they can trust, so dealing with the issue of insider threats is a longtime debate; but its clear that disgruntled employees are as likely to attack networks as insiders, and then theres the more widespread issue of security policy negligence.”
Despite having security policies in place to help protect against such internal problems, Schmidt said that most have very limited capacities for tracking down the cause of potential attacks or figuring out just which employees are bypassing security guidelines and putting corporate data at risk.
A prime example of the sort of threat Schmidt is talking about can be found in many of the reported cases of consumer data theft that have been tied to stolen laptop computers, he said, because in many of those cases the sensitive customer information involved was not supposed to be on the devices in the first place.
The industry expert, who currently serves as the chief executive of R & H Security Consulting LLC, even suggested that companies need to begin legally pursuing employees who endanger their companys security by breaching established policies.
“[Enterprises] must hold people responsible when they do something wrong or something comes from their computer, they must have a way to effectively gather evidence and be willing to prosecute,” Schmidt said.
“Companies also need to make sure that they have relationships with law enforcement; when something goes wrong, thats not the time to try and figure out who you need to speak with.”
Other experts agreed that there is an ongoing shift toward tightening internal security within large companies based largely on executives fears of being the next firm highlighted in the news as having put its customers information at risk.
Andres Kohn, vice president at security applications vendor Proofpoint, said that customers are more frequently citing widely publicized security breaches at other firms as their inspiration for investing in new technologies.
Workers Mistakes
For the most part, said Kohn, his clients are scared more by the prospect of workers who mistakenly circumvent security policies, rather than people with some sort of ax to grind.
“All kinds of sensitive information is being let out accidentally when people dont really understand what theyre doing, but thankfully this risk can be mitigated using technology,” said Kohn.
“The top priority for many firms has become training, and some companies are more actively investigating the cause of issues and penalizing employees for their mistakes, and all of this can help improve the situation.”
The experts said that the best way for companies to immediately improve their internal security controls is to thoroughly revisit corporate policies, and the manner in which guideline are conveyed to employees.
Handing someone a thick stack of documents when theyre hired and expecting them to understand all the contents within isnt practical, the industry watchers said, so firms should be smarter in the ways they inform employees of what any rules may be.
One way to do this is to make information security a more high-profile element of most workers responsibilities and to train people specifically on the potential security implications of their individual jobs.
By making policies directly applicable to the tasks and IT tools that workers use every day, people are bound to become more aware of making potential mistakes, they said.
“The important questions are whether companies are using the right types of policies, and whether they have the right tools in place to ensure these are being effective,” said Kohn. “And security policy needs to be a living thing that changes as your business changes.”
Researchers with PricewaterhouseCoopers detailed the findings of their most recent information security survey at the eSeminar, a study that involved interviews with more than 8,200 IT executives conducted during mid-2005.
According to the report, only 37 percent of all companies interviewed had an overarching security strategy, while 24 percent said they were in the process of creating such a plan.
Unsurprisingly, those firms who employed a chief security officer were far more likely to have completed the policy work, with 62 percent of those firms reporting that they have already established internal guidelines.
While offering no statistical evidence to illustrate the point, PricewaterhouseCoopers said that those companies also had far fewer security breaches and less network downtime.
“If you promote security to the [senior executive] level, theres proof that there are lower numbers of intrusions and other problems,” said Mark Lobel, a partner with PricewaterhouseCoopers.
“What we found is that companies need to realize that its time to get proactive versus reactive, and link security strategy of the top levels of their businesses.”