When it comes to security, your staff may be the weakest link in the
chain. Neglect peopleware at your peril because the best technical
security measures on their own will not protect you from a malicious
or negligent employee. At the same time, the right security services,
combined with training, policies and procedures, can make your business
safer.
The cost of failure is high. The vast majority of businesses have
confidential information that they need to protect, and they have IT
systems which are business critical. Nearly three-quarters (72 percent) of
British companies with 50-500 staff suffered at least one security breach
in the last year. In fact, according to BERR’s 2008 Information Security
Breaches Survey1, they suffered an average of 15 incidents. Serious
incidents cost companies £90-170,000.
>Staff misuse
Problems included:
• Misuse of email access. When someone at work forwards an
offensive image that creates a hostile workplace, it is a problem
for their employer and their colleagues. Similarly, they can easily
use email to transmit confidential information such as industrial
or trade secrets, medical records, legal information or personally
identifiable information. Email can contain libel and accidentally
create contracts. Inappropriate emails hold companies’ reputations at
risk too – remember the infamous Yum Yum emails?
>Insider attacks
Deliberate attacks by insiders are rarer than low-level staff misuse and
accidental damage, but they are a problem because the consequences are
worse. Eight percent of large UK companies reported unauthorised access
to systems or data by insiders, according to the BERR Survey. The 2007
E-Crime Watch2 Survey in the US found that insiders committed 31
percent of e-crime3.
CERT’s analysis4 of 190 insider crimes found that sabotage, financial gain
and business advantage were the main motivations. Examples include
a former vice president copying a customer database and taking it to
another job, employees committing credit card fraud with confidential
customer records, and one individual deleting over 10 billion files on the
company’s servers.
The most common kinds of problem occur when employees blur the
boundary between their personal behaviour and what is okay in the office.
Companies contribute to the problem if they don’t have clear guidelines
or communicate them properly. Failure to enforce policies consistently
can make a bad situation worse.
Serious insider e-crime often happens when people are unhappy at work,
when they quit their job or when they are thinking about it. In fact, 95
percent of the employees who stole information for business advantage
resigned before or after the theft, according to CERT.
2 2007 E-Crime Watch Survey conducted by the United States Secret Service, the CERT® Coordination Center (CERT/CC), Microsoft and CSO Magazine.
4 Common Sense Guide to Prevention and Detection of Insider Threats, 3rd Edition – Version 3.1. http://www.cert.org/insider_threat
Evidence of this problem includes:
While nearly all companies now have some kind of spam and virus
filtering on their email, there is a big difference between the best and
worst solutions available. For example, independent research5 shows that
MessageLabs gives its customers unrivalled real-time protection, even
from the newest threats.
>The MessageLabs solution
>Policy and procedure recommendations
There are some basic steps you can follow to protect your business from
staff misuse. Here are ten tips:
4. Train staff about your Acceptable Use Policy and internet security on
a regular basis.
5. Ensure that managers and HR are aware of the risk of disruptive and
disgruntled employees, especially when they are in ‘exit mode.’
10. Log, monitor and audit employee online actions (but get legal advice
and follow guidelines).
>www.messagelabs.co.uk
>info@messagelabs.com
>Freephone UK: 0800 917 7733
>DACH
Feringastraße 9a
85774 Unterföhring
Munich
Germany
Tel +49 (0) 89 203 010 300
Support +44 (0) 1452 627 766