The Low-Tech Attack Is Often The Best
Bit-heads such as myself tend to get hung up around the cool techie aspects of security, like data encryption and authentication systems. But many of the most important information theft attacks are based, at least in part, on the breakdown of the more human elements of security.
Could I just walk into your business, go up to one of your computers and access your data? Ive seen, even worked at businesses where this was the case. Especially early in the morning, late in the evening, or at lunch hour, offices can be vulnerable to someone with enough nerve.
The end result can be a compromise of company information, which can be a compromise of client information or employee information, or even investor information. Im sure I can think of even worse possibilities, but you get the idea.
Maybe I dont even have to sneak in. Most information compromise comes by way of "social engineering," in which the attacker takes advantage of the natural tendency in decent people to want to help others. If I were to call up your office and claim Im with your network consulting firm and I needed the person who picked up to help me run a test, would they help? This sort of thing happens all the time: "Could you log in and log out of the network please? OK, that looks fine. Could you do it again? ... Still not there... Maybe if I tried your account from here. Could I have your username and password?"
Well-meaning duped employees can be damaging enough, but think of the damage an employee could cause if they deliberately went out to rip you off. In terms of your company information, malicious employees could abuse company or customer credit cards, sell private customer information, perhaps even embezzle funds if they have access to the appropriate accounts. To some degree you have to trust your employees, so you cant prevent it, but if youre good at keeping confidential information available only to the employees who need access to it, then people will know they are more accountable for the use of that information.
You will have to rely, to an extent, on computer security to keep information private. Dont completely rely on it though. For example, if an intruder has physical access to your computers they can, with some time, gain access to the data on the computers. No physical security fundamentally means no data security. And
A related issue under the general heading of information protection is backup; if you keep your information on your computers with no effective backup, you are rolling the dice with your companys assets. Taking it a step further, to have a true sense of security with your companys data you need a secure remote backup facility. There was a time when this meant you needed to have tapes couriered to vault in a mountain, but the Internet has brought us cheap backup services (see
Distasteful as it may be, you have to think like a thief and tell your people that access to the computers and network is a matter of serious confidentiality. They shouldnt take it casually. Its an information economy; protect your assets or someone will steal them without a second thought. Spend some time thinking about what could go wrong and plan for the possibility. Some education and a little money will accomplish a lot. But the more technological you get in this, the more youll need a consultant you can trust.