Enterprises searching for the answers to their security problems should increasingly take a closer look at their internal operations before blaming outside threats, according to experts participating in an online IT security conference.
Speaking as part of Ziff Davis Media eSeminars Security Virtual Tradeshow, industry watchers conceded that applications such as e-mail clients, file-sharing systems and instant messaging platforms continue to pose serious problems for those people charged with protecting corporate IT networks and information.
However, the collection of consultants, analysts and vendors participating in the event said that the issue of workers who purposefully or inadvertently ignore security policies has also proven to be one of the hardest obstacles to overcome in increasing corporate security.
"It's a tough question to answer but one that must be dealt with," said Howard A. Schmidt, a former chief security officer at Microsoft and one-time strategist for the U.S. Department of Homeland Security.
"Companies tend to hire people they think they can trust, so dealing with the issue of insider threats is a longtime debate; but it's clear that disgruntled employees are as likely to attack networks as insiders, and then there's the more widespread issue of security policy negligence."
Despite having security policies in place to help protect against such internal problems, Schmidt said that most companies have very limited capacities for tracking down the cause of potential attacks or figuring out just which employees are bypassing security guidelines and putting corporate data at risk.
A prime example of the sort of threat Schmidt is talking about can be found in many of the reported cases of consumer data theft that have been tied to stolen laptop computers, he said, because in many of those cases the sensitive customer information involved was not supposed to be on the devices in the first place.
The industry expert, who currently serves as the chief executive of R & H Security Consulting LLC, even suggested that companies need to begin legally pursuing employees who endanger their company's security by breaching established policies.
"[Enterprises] must hold people responsible when they do something wrong or something comes from their computer, they must have a way to effectively gather evidence and be willing to prosecute," Schmidt said.
"Companies also need to make sure that they have relationships with law enforcement; when something goes wrong, that's not the time to try and figure out who you need to speak with."
Other experts agreed that there is an ongoing shift toward tightening internal security within large companies based largely on executives' fears of being the next firm highlighted in the news as having put its customers' information at risk.
Andres Kohn, vice president at security applications vendor Proofpoint, said that customers are more frequently citing widely publicized security breaches at other firms as their inspiration for investing in new technologies.