An impromptu street survey in London earlier this year revealed that almost three-quarters of office workers were willing to surrender their electronic passwords when bribed with a mere chocolate bar. The survey, conducted by the organisers of the Infosecurity Europe conference, also found that the majority of workers would take confidential information with them when they changed jobs, and wouldn’t keep salary details confidential if they discovered them.
Just as alarming is the revelation that four out of 10 employees knew their colleagues’ passwords; 55 percent said they’d give their password to their boss; two-thirds use the same password for work and for personal access such as online banking; and many workers who regularly change their passwords keep them on a piece of paper, or stored in Word documents.
Are New Zealand’s office workers similarly loose-minded with their passwords? We may never know the answer, but what this survey highlights is that the greatest threat to business security comes from within, rather than outside the organisation – from the workmates just outside your office door.
Malicious intent
Computer viruses, worms, blended threats and hackers are uppermost in business owners’ minds in New Zealand. This preoccupation was reinforced by a survey conducted by the Employers & Manufacturers Association (EMA) on behalf of Symantec earlier this year. A staggering 63 percent of small businesses have been affected by malicious attacks, with only 17 percent of the respondents running anti-virus software. Larger organisations with much greater resources and IT budgets can ill-afford to be complacent either – the Sasser worm, for example, has brought organisations as large as the US Coast Guard to their knees.
“The biggest vulnerability for larger companies is when viruses are introduced to the company network via a portable device such as a notebook or PDA,” says Richard Batchelar, Symantec’s New Zealand manager. “A CEO returns from Hong Kong, plugs his laptop into the company LAN, and bingo, the bug is fired into what was considered a bulletproof network.”
And it is not enough to install a firewall. Hackers can purchase the same equipment and exploit any vulnerabilities, says Batchelar. Companies must have up-to-date protection, and when installing new firewalls they must reset and reconfigure their systems immediately, rather than just instigate a new set of policies and rules, which essentially leaves the door open to outside threats.
Keeping your organisation safe is not just about putting up a single perimeter fence or layer. To repel attacks you need the IT equivalent of multiple locks and alarms – such as monitored firewalls, content filters (to eliminate undesirable emails/downloads, and unsolicited email or ‘spam’), and virus scanners – which can be updated hourly to cover people working after-hours.
And then there is ‘proactive security’.
Proactive security involves vulnerability assessment, intrusion detection, decoy servers – which Batchelar calls “a wall in front of your wall” – and, most importantly, being aware that your biggest threat is indeed the employee already inside the wall.
“A lot of people are looking from the outside-in when really they should look from the inside-out,” warns Batchelar. “A ‘one-click’ nanosecond response to an email can set off hours, if not days, of downtime for an enterprise and productivity.” Banks and financial institutions are especially hot on programmes that teach staff about the dangers of cyber-space.
Symantec markets software products as well as plug-in appliances that aren’t reliant on an operating system. These devices slot in next to a server and provide multi-layered security that can be replicated at other branches of the organisation.
“Integration is where everyone is heading,” says Batchelar. “Companies don’t want to individually manage, educate, and administrate each individual security solution.”
Managers must, therefore, be aware that today’s operating systems are definitely insecure and vulnerable. They must also identify exactly what they’re trying to protect within the organisation. “Often to stay up and running it may only require an up-to-date firewall and virus scanner,” he adds.
Unsafe surfing
While viruses can cripple an organisation, spyware can compromise security, consume bandwidth and slow networks to a crawl. Spyware is software that surreptitiously reports web surfers’ activity back to third-party websites. There are programs that sniff out installed spyware, but monitoring user web activity and applying appropriate filtering technology can nip the problem in the bud.
Spam, another undesirable making the headlines, can also be blocked by filters. According to Gary Sexton, Brightmail’s vice-president for Asia Pacific, the difference with spam is that it is commercially driven and only occurs through the email gateway. Like viruses, it must be dealt with at the gateway.
Spam is insidious. The CEO of a large Hong Kong business was reportedly receiving 5000 spam messages a day. Some 64 percent of email in New Zealand is spam, and that figure is expected to top 80 percent by year-end.
Spam can compromise an enterprise, primarily because it exposes workers to cyberspace nasties. Any e-enabled business should regularly update its anti-spam software.
Changing mindsets
Enterprise security is not just a technical issue, according to KPMG Audit and Risk Advisory partner Graeme Sinclair and director Rupert Dodds. Rather, it requires a change of staff mindset. “It’s about getting people to act in a sensible manner, ensuring that passwords and equipment are always secure. When you leave a parked car you always make sure it’s locked – it’s that kind of mentality,” they say.
KPMG recognises that effective security solutions must involve people to make them work, and processes to ensure consistent and effective operation. It has an enterprise security capabilities model to make sure that all elements of a security strategy fit together and are mutually reinforcing. This holistic approach prevents holes appearing in an organisation’s defences.
“There is also a myth that security prevents you doing things,” say Sinclair and Dodds. “But on the plus side, it engenders trust between companies. Company A is more likely to deal with Company B if their security standards are on a par.”
The consultants believe that small to medium-sized businesses should consider outsourcing their security requirements. Larger organisations can employ full-time security managers who understand the complete picture and the risks based around the value of the information being protected.
Sinclair and Dodds believe businesses now appreciate the value of their information – not so even three years ago. Provided security systems are correctly installed, configured, managed and monitored, it’s with people and processes where the most improvements can be made.
“Security can be compared to layers of Swiss cheese – if the holes line up you’re in trouble,” they say. KPMG can assess security processes and vulnerability using techniques similar to a hacker’s.
Security conscious
But when it comes to managing security arrangements, too few organisations are proactive and too many rely on past experience as a measure of attack likelihood and impact, according to Keith Davis, an international security specialist who runs KD Consulting in Christchurch.
Working for large corporates overseas and carrying out security reviews for Lloyds Underwriters, Davis comes across many enterprises that install access control and alarm systems and CCTV surveillance, but then fail to manage them properly.
“You may think that the security systems and procedures you already have in place will do the job,” he says. “But you need to work with an independent security consultant to know with absolute certainty that they are being maintained and used effectively, from both cost and operational standpoints. Look at what you are protecting, look