Know The Enemy Within

Have you ever wondered exactly how much of a threat your users are to your organization? Well, wonder no more, as an in-depth study by Queen’s University, Belfast and SurfControl of threats in the workplace has highlighted exactly what they are, as well as users’ attitudes to those threats and what’s behind them.

The fact is that we all know the kind of activities that users get up to if they are not closely monitored and controlled, but the scale of it and the threat that it represents may be seriously underestimated.

So what are the main threats identified by the survey, and what can you do to mitigate them? Let’s take a closer look at the top 5 security issues highlighted, and at effective measures to counter them.

Many love a good email forward, and in many organizations, Outlook is the new office water cooler, the virtual meeting place to share the latest scandal. The survey results confirm that our national pastime continues unabated in the workplace, with 40% of users admitting to emailing office gossip, and 66% sending confidential information via email, putting the UK at the top of the league for inappropriate use of email.

The very real danger that this brings – be it intentionally or unintentionally – is that email can fall into the wrong hands. Email is generally not secure and can be intercepted, or, as has been illustrated by many very public examples, an email can be forwarded in vast numbers to an uncontrolled audience in a very short period of time.

We’ve all heard of cases where gossip-related emails which were initially intended for a single recipient have fast spread throughout – and far beyond – the workplace, spreading virally and becoming truly global. Imagine the potential business implications if the same outbreak occurred with sensitive business-related information that 66% of people are busily emailing around.

Given the immediate nature of business communications, organizations need to put in place tools and policies to mitigate email risk. Email filters are the simplest and most effective means of achieving this, monitoring traffic for sensitive and inappropriate content, and preventing it from leaving the company network. This provides clear, granular control over network security to meet regulatory compliance and ensures that email policy is adhered to and enforced across the organization.

Another major headache for businesses is the issue of employees downloading pornographic material onto their work PC or laptop – a business minefield which brings serious legal, HR and IT security implications. The security survey revealed that 11% of employees use their company laptop to download and access pornography.

Not only do organizations have a legal obligation to protect staff against offensive material such as pornography, the websites used to download porn are also notorious for introducing malware onto the user’s computer and network – Trojans, key loggers and spyware capable of collecting sensitive individual and company data.

To protect against this, organizations need to have in place a comprehensive Web filtering solution to monitor network use and prevent access to unsuitable sites and malicious URLs. This gives the organization greater visibility of network usage, reduces risk, ensures regulatory compliance and helps to guarantee ongoing business continuity.

USBs: a data MP3 for all
With the rise in the use of USB devices such as MP3 players, memory sticks and digital cameras comes another threat – that of pod slurping. A staggering 75% of employees questioned in the survey use USB devices on their company PC or laptop – portable media storage devices which can be used to take confidential company information and business data off the network.

Organisations need a clear and robust acceptable usage policy to protect their intellectual property, but it’s essential to back this up with an equally robust security solution capable of filtering and monitoring employee activity.

The right filtering tool will support your company and help to protect its assets against the potential threats posed by the latest technological developments and media trends, without impacting on business operations and productivity.

The latest tools control and block outbound USB data connections as part of a comprehensive user management solution, and can offer granular security and access levels, segmented by user and by PC, to guarantee an optimum balance between network security and business productivity.

Does out of the office = out of control?
The study found that laptop users consistently displayed greater levels of risky behavior – 11% download porn, 34% download music, 20% play games; all greater proportions than for desktop users. This represents a significant threat, and is a frequent gateway through which malware can enter the corporate network.

Greater risk needs greater precautions and protection, and organizations must ensure that all security policies, filtering software and USB controls are as rigorously applied to company laptops as they are to office-based PCs. Naturally, at the same time, it’s also essential that errant laptop users and mobile workers are made aware of the Acceptable Usage Policy, and what exactly they can and cannot access over the corporate network.

Security: Whose job is it anyway?
The global security survey also revealed that security updates all too often fall through the gaps, and that there was considerable uncertainty as to whose role it was to implement security checks and updates.

62% of respondents believe the responsibility for IT security lies squarely with the IT department, whereas the bleak reality is that only 35% of IT departments proactively carry out any upgrades to anti-spyware software, leaving the employee and company vulnerable to attack.

In truth – everybody has their part to play. Users must be educated in what constitutes risky and unacceptable behavior through clearly communicated Acceptable Usage Policies.

Implementing effective network security that monitors and prevents risky behaviors is the responsibility of the IT department. The choice of security solutions, and the update policy to manage new threats must be tailored to the needs of the organization and extend out to cover mobile users – clearly a major source of risk.

The latest generation of solutions is making life increasingly easy in this respect. For example, opting for a managed service option provides on-demand security for office-based and mobile workers and ensures the very latest updates are all in place, to guarantee optimum security and meet the agreed SLA.

However, it is unlikely that a single solution will provide all the protection required, and organizations must ensure they have a multi-layered approach – often mixing service and product based solutions that can deliver high-end security functionality for Web, e-mail and mobile storage devices, to mitigate risk and protect the business – keeping your intellectual property close, and the threats to it even closer.