
>Who is the weakest link?

>How to protect your business from employee IT misuse

Now part of Symantec


>CONTENTS

>Who is the weakest link? p1

>Staff misuse p1

>Insider attacks p3

>Why does misuse occur? p3

>Technology vs. misuse p4

>The MessageLabs solution p5

>Policy and procedure recommendations p6


>Who is the weakest link?

When it comes to security, your staff may be the weakest link in the
chain. Neglect peopleware at your peril because the best technical
security measures on their own will not protect you from a malicious
or negligent employee. At the same time, the right security services,
combined with training, policies and procedures, can make your business
safer.

This matters because IT security – protecting information and systems
from misuse – is multi-dimensional. A company is only as secure as the
weakest link in the defences that protect it.

The cost of failure is high. The vast majority of businesses have
confidential information that they need to protect, and they have IT
systems which are business critical. Nearly three-quarters (72 percent) of
British companies with 50-500 staff suffered at least one security breach
in the last year. In fact, according to BERR’s 2008 Information Security
Breaches Survey [1], they suffered an average of 15 incidents. Serious
incidents cost companies £90,000-170,000.

>Staff misuse

The commonest forms of staff misuse of IT systems are “visiting
inappropriate websites, excessive browsing and sending inappropriate
email,” according to the BERR Survey. Some incidents are deliberate
criminal acts but most are the result of poor judgement combined with
ineffective controls and policies. Incidents range from the relatively minor
to potentially catastrophic breaches of laws and regulations.

Problems included:

• Misuse of web access. Employees access inappropriate websites,
such as porn sites. Others waste time on internet gambling, social
networking and other diversions. Yet others download pirated software
and music. Besides the productivity hit and legal liabilities, this
activity wastes expensive bandwidth that might be needed for pressing
business requirements.

• Malware infections. Virus and spyware infections still happen
and, thanks to targeted trojans, there is a risk that they can evade
signature-based anti-virus programs. Not only is malware costly to
clean up, it also raises the risk of data theft if spyware transmits
confidential information to outsiders.

• Misuse of email access. When someone at work forwards an
offensive image that creates a hostile workplace, it is a problem
for their employer and their colleagues. Similarly, they can easily
use email to transmit confidential information such as industrial
or trade secrets, medical records, legal information or personally
identifiable information. Email can contain libel and accidentally
create contracts. Inappropriate emails hold companies’ reputations at
risk too – remember the infamous Yum Yum emails?

• Breach of confidentiality. When company intellectual property
(designs, plans etc.) or confidential customer data leak through staff
misuse, the consequences may be severe. There are heavy fines for
breaches of regulations and data protection laws. News reports of
major breaches erode customer trust and confidence.

• Poor user judgment. Sometimes well-intentioned people do stupid things
– they click on links in phishing emails, open dodgy attachments,
post disobliging things on blogs and so on. Many users either don’t
appreciate the risks or think they are immune. Without effective user
training, proper policies and the technical means to enforce them the
risk of user error increases significantly.

These widespread problems can have serious consequences:

• Legal risks. When users download inappropriate or offensive material
to their computers, they may contribute to a hostile environment for
their colleagues. This creates legal liabilities for managers. Employees
who feel harassed by this kind of material can resign and claim
constructive dismissal. Damages awards in discrimination claims are
potentially unlimited, and several high-profile cases have hinged on
sexist emails and public displays of pornography.

• Wasted bandwidth. Internet connections cost money. If half your
bandwidth is taken up with non-work traffic, you’re paying twice as
much as you need to, or your business-critical communications are
running at half their proper speed.

• Reputation risk. Social networking can create opportunities for
employees to leak confidential information or spread damaging
rumours online. Bad behaviour by a single employee can reflect on
the reputation of the whole organisation.

[1] Security Breaches Survey: www.security-survey.gov.uk

>Insider attacks

Deliberate attacks by insiders are rarer than low-level staff misuse and
accidental damage, but they are a serious problem because the consequences
are worse. Eight percent of large UK companies reported unauthorised access
to systems or data by insiders, according to the BERR Survey. The 2007
E-Crime Watch Survey [2] in the US found that insiders committed 31
percent of e-crime [3].

CERT’s analysis [4] of 190 insider crimes found that sabotage, financial gain
and business advantage were the main motivations. Examples include
a former vice president copying a customer database and taking it to
another job, employees committing credit card fraud with confidential
customer records, and one individual deleting over 10 billion files on the
company’s servers.

This type of e-crime carries a serious business risk. Sabotage is expensive
to detect and repair, and it can disrupt business operations. Data theft
brings competitive disadvantage, while losing confidential data can wreck
a company’s reputation and abruptly terminate people’s careers.

>Why does misuse occur?

The most common kinds of problem occur when employees blur the
boundary between their personal behaviour and what is okay in the office.
Companies contribute to the problem if they don’t have clear guidelines
or communicate them properly. Failure to enforce policies consistently
can make a bad situation worse.

Serious insider e-crime often happens when people are unhappy at work,
when they quit their job or when they are thinking about it. In fact, 95
percent of the employees who stole information for business advantage
resigned before or after the theft, according to CERT.

Individual employee misbehaviour is part of a wider problem caused by
companies taking too narrow a view of internet and email misuse.

[2] 2007 E-Crime Watch Survey, conducted by the United States Secret Service, the CERT® Coordination Center (CERT/CC), Microsoft and CSO Magazine.

[3] Percentage of reported e-crime where the perpetrator was identified.

[4] Common Sense Guide to Prevention and Detection of Insider Threats, 3rd Edition, Version 3.1. http://www.cert.org/insider_threat

Evidence of this problem includes:

• Underestimating the insider threat

• Focusing too heavily on external threats and perimeter defences

• Not giving insider threats sufficient attention in risk analysis or
security plans

• A failure to back up acceptable use policies with monitoring and
enforcement technology

• The absence of reporting systems to track staff misuse

• No plans or ability to collect evidence, such as system logs, to
investigate problems

When it comes to staff misuse of the internet, under-reporting is
widespread. In the words of Carl Sagan, “Absence of evidence is not
evidence of absence.” In other words, internet misuse could be happening
in your company right now and you may not know about it or have the
right tools to prevent it.

>Technology vs. misuse

“Insiders can be stopped, but stopping them is a complex problem,”
according to the E-Crime Watch Survey. The problem requires an
overlapping, layered response that includes appropriate technical
measures, an acceptable use policy, enforcement procedures and staff
training. A mix of hardware, software and peopleware is necessary.

Technology is necessary but not sufficient on its own. However, many
companies fail to deploy technology that can help them stop casual
misuse and deter insider e-crime. For example, according to the BERR
Survey of large companies, 35 percent have no control over staff use
of instant messaging and 84 percent do not scan outgoing emails for
confidential data. A significant minority (19 percent) do not block access
to inappropriate websites or log and monitor web access (14 percent).
Around 40 percent of companies lack the ability to encrypt emails to and
from their main business partners. When good off-the-shelf solutions,
such as MessageLabs services, exist for all these problems, it makes no
sense for a company to ignore them.
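The outgoing-mail scan that 84 percent of large companies had not deployed is concrete enough to show as working code. The following is an added example written for this page; it is not MessageLabs code and does not describe how Email Content Control works internally. The confidential-phrase list, the two patterns, the internal domain `example.com` and the two sample messages are all constructed for illustration; the Luhn test is the standard payment-card check-digit calculation.

```python
"""Outgoing email content check: the 'scan outgoing emails for
confidential data' control, shown in working code.

Added example for this page, not MessageLabs code. The markers,
patterns, internal domain and sample messages are constructed."""
import re
from email import message_from_string
from email.message import Message
from typing import List

# Constructed policy: phrases that mark a message as confidential.
CONFIDENTIAL_MARKERS = ("confidential", "internal only", "trade secret")

# 13 to 19 digits with optional single spaces or dashes between them.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# UK National Insurance number layout, e.g. AB 12 34 56 C (format check only).
NINO_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test. Order references and phone numbers that merely
    look like card numbers almost always fail it, which keeps false positives down."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def external_recipients(msg: Message, internal_domain: str) -> List[str]:
    """Addresses in To/Cc/Bcc that are not in the company's own domain."""
    out = []
    for header in ("To", "Cc", "Bcc"):
        for addr in re.findall(r"[\w.+-]+@[\w.-]+", msg.get(header, "")):
            if not addr.lower().endswith("@" + internal_domain.lower()):
                out.append(addr)
    return out


def plain_text(msg: Message) -> str:
    """Concatenate the text/plain parts, undoing any transfer encoding."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def scan_outgoing(raw: str, internal_domain: str = "example.com") -> dict:
    """Classify one outgoing message.

    Returns the confidential indicators found, the external recipients and
    the resulting action: block only when confidential content is leaving
    the company. The same text circulated internally is allowed here."""
    msg = message_from_string(raw)
    text = plain_text(msg)
    lowered = text.lower()

    findings = [f"keyword:{kw}" for kw in CONFIDENTIAL_MARKERS if kw in lowered]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):           # drop digit runs that are not card numbers
            findings.append("card_number")
    if NINO_RE.search(text):
        findings.append("ni_number")

    outside = external_recipients(msg, internal_domain)
    return {
        "findings": findings,
        "external_recipients": outside,
        "action": "block" if findings and outside else "allow",
    }


# Constructed sample messages (not real traffic). The order reference is
# 16 digits but fails the Luhn test; the card number is a Luhn-valid test value.
SAMPLE_LEAK = """\
From: alice@example.com
To: bob@partner.org
Subject: customer export
Content-Type: text/plain; charset=utf-8

CONFIDENTIAL - customer record
Card: 4111 1111 1111 1111
NI: AB 12 34 56 C
Order ref: 1234 5678 9012 3456
"""

SAMPLE_INTERNAL = SAMPLE_LEAK.replace("bob@partner.org", "carol@example.com")

if __name__ == "__main__":
    for name, raw in (("leak", SAMPLE_LEAK), ("internal", SAMPLE_INTERNAL)):
        print(name, scan_outgoing(raw))
```

Two details matter in practice. The Luhn test is what stops the order reference in the sample from being reported alongside the genuine card number, which is the difference between a control users tolerate and one they route around. And the decision is made on content and destination together: the same text addressed to a colleague is allowed, so the control targets leaks rather than internal discussion. A production scanner would also have to look inside attachments and HTML parts, which this example leaves out.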

While nearly all companies now have some kind of spam and virus
filtering on their email, there is a big difference between the best and
worst solutions available. For example, independent research [5] shows that
MessageLabs gives its customers unrivalled real-time protection, even
from the newest threats.

[5] The Accuracy Project, December 2008

>The MessageLabs solution

MessageLabs offers a range of in-the-cloud services that help companies
protect themselves from staff IT misuse.

Threat: how MessageLabs helps

Data loss from spyware: MessageLabs Email and Web Anti-Virus services
deliver total protection from malware, including customised and targeted
trojans that are designed to steal confidential information from specific
companies.

Data loss: Email Content Control can scan outgoing messages to prevent
confidential information leaks.

Data privacy: Email Encryption ensures that confidential emails stay
confidential. The system ensures that the contents are readable only by
the intended recipients.

Cyberslacking: Web URL Filtering lets you block inappropriate websites in a
consistent way across the company to comply with your acceptable use
policies. It also lets you monitor employee usage if required.

Lost productivity: Spam is a waste of users’ time. The MessageLabs SLA
specifies a 99 percent spam capture rate, with a 0.0003 percent rate of
false positives.

Legal liabilities: Image and content scanning on incoming email and
websites prevents inappropriate content coming into the company, reducing
the risk of creating an offensive working environment for staff, and scans
outgoing emails so that your employees can’t damage your reputation and
brand with them.

No oversight of instant messaging: MessageLabs Secure Instant Messaging
(IM) Service creates a secure, corporate alternative to consumer IM
services, allowing you to get the benefits of IM without the risks.

Lack of consistency: All MessageLabs services are managed from a single
website control panel, making it easy to apply and enforce consistent
policies across the whole organisation.

Invisibility of problems: Thanks to advanced reporting tools, MessageLabs
services make it easier to spot and investigate problems. This allows IT
managers to get a better picture of employee misuse and take more
effective action against it.

>Policy and procedure recommendations

There are some basic steps you can follow to protect your business from
staff misuse. Here are ten tips:

1. Use security technology, such as MessageLabs services, to
enforce policies, prevent malware infections and protect sensitive
information.

2. Include insider threats and employee misuse in your business risk
assessments and security plans, including response plans.

3. Put a clear, pragmatic and comprehensive Acceptable Use Policy in
place. Ensure that employees understand it. Review and update it
regularly so it keeps up with emerging threats and problems.

4. Train staff about your Acceptable Use Policy and internet security on
a regular basis.

5. Ensure that managers and HR are aware of the risk of disruptive and
disgruntled employees, especially when they are in ‘exit mode.’

6. When someone quits, make sure that their access to company IT
systems is terminated immediately.

7. Operate a ‘need to know’ and ‘need to access’ policy, enforcing
the principle of least privilege so that people can’t access more
information than they need to do their current job.

8. Enforce strict password policies.

9. Track company IT assets and restrict physical access to secure areas,
such as server rooms.

10. Log, monitor and audit employee online actions (but get legal advice
and follow guidelines).
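Tip 10 asks for logging and monitoring, and the earlier list of warning signs includes having no system logs to investigate problems and no view of how much bandwidth non-work traffic consumes. The following is an added example for this page, not MessageLabs code, of the triage a web proxy log supports. The lines follow the Squid native access.log field order; the log entries, the domain-to-category map, the blocked-category list and the 50 percent threshold are all constructed for illustration.

```python
"""Acceptable-use triage over a web proxy access log.

Added example for this page, not MessageLabs code. The log lines,
the domain-to-category map, the blocked categories and the threshold
are constructed. Lines follow the Squid native access.log field order:
timestamp, elapsed ms, client IP, result code, bytes, method, URL,
authenticated user, hierarchy, content type."""
from collections import defaultdict
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed category map: domain (and its subdomains) -> category.
CATEGORIES = {
    "video.example.net": "streaming",
    "bet.example.org": "gambling",
    "social.example": "social-networking",
    "crm.example.com": "business",
    "docs.example.com": "business",
}
NON_WORK = {"streaming", "gambling", "social-networking"}
BLOCKED = {"gambling"}  # categories the (constructed) AUP requires to be blocked


def categorise(url: str) -> str:
    """Map a URL to a category by matching its host against CATEGORIES."""
    host = (urlsplit(url).hostname or "").lower()
    for suffix, cat in CATEGORIES.items():
        if host == suffix or host.endswith("." + suffix):
            return cat
    return "uncategorised"


def parse_line(line: str) -> Optional[dict]:
    """Pull the fields triage needs out of one log line; None if malformed."""
    fields = line.split()
    if len(fields) < 8:
        return None
    try:
        return {
            "client": fields[2],
            "result": fields[3],      # e.g. TCP_MISS/200 or TCP_DENIED/403
            "bytes": int(fields[4]),
            "url": fields[6],
            "user": fields[7],
        }
    except ValueError:
        return None


def triage(lines: Iterable[str], non_work_share_threshold: float = 0.5) -> dict:
    """Summarise the log against the policy.

    Returns the overall share of bytes spent on non-work categories, the
    users whose own non-work share exceeds the threshold, and requests to
    a blocked category that the proxy did not actually deny (a sign that
    the filter and the written policy disagree)."""
    per_user = defaultdict(lambda: {"total": 0, "non_work": 0})
    total = non_work = 0
    unblocked = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it rather than abort the run
        cat = categorise(rec["url"])
        per_user[rec["user"]]["total"] += rec["bytes"]
        total += rec["bytes"]
        if cat in NON_WORK:
            per_user[rec["user"]]["non_work"] += rec["bytes"]
            non_work += rec["bytes"]
        if cat in BLOCKED and not rec["result"].startswith("TCP_DENIED"):
            unblocked.append((rec["user"], rec["url"]))
    flagged = sorted(
        user for user, s in per_user.items()
        if s["total"] and s["non_work"] / s["total"] > non_work_share_threshold
    )
    return {
        "non_work_share": non_work / total if total else 0.0,
        "flagged_users": flagged,
        "unblocked_policy_hits": unblocked,
        "per_user": dict(per_user),
    }


# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
1230768000.101   250 10.0.0.5 TCP_MISS/200 5200000 GET http://video.example.net/clip.mp4 jdoe DIRECT/93.184.216.34 video/mp4
1230768001.202    80 10.0.0.5 TCP_MISS/200 48000 GET http://crm.example.com/accounts jdoe DIRECT/93.184.216.35 text/html
1230768002.303    40 10.0.0.9 TCP_DENIED/403 1200 GET http://bet.example.org/ asmith NONE/- text/html
1230768003.404    60 10.0.0.9 TCP_MISS/200 3500 GET http://www.bet.example.org/odds asmith DIRECT/93.184.216.36 text/html
1230768004.505   120 10.0.0.9 TCP_MISS/200 250000 GET http://docs.example.com/plan.pdf asmith DIRECT/93.184.216.35 application/pdf
this line is malformed and is skipped
""".splitlines()


def report() -> dict:
    """Run triage over the sample log."""
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    r = report()
    print(f"non-work share of bytes: {r['non_work_share']:.0%}")
    print("users over threshold:", r["flagged_users"])
    print("blocked categories reached:", r["unblocked_policy_hits"])
```

The third result, requests to a blocked category that the proxy answered rather than denied, is the check that turns monitoring into enforcement: it shows where the filter and the written policy disagree (in the constructed sample, a www subdomain the proxy's block rule did not cover). The summary is aggregated per user, so the legal caveat in tip 10 applies to how it is retained and who sees it.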

Alongside robust policies and procedures, MessageLabs services can be
more effective than in-house solutions or other outsourced providers.
Taking a holistic view and using the best security technology available will
make sure that your staff are not the weakest link.

For more information or to register for a free trial, please visit
www.messagelabs.co.uk/products

>www.messagelabs.co.uk
>info@messagelabs.com
>Freephone UK: 0800 917 7733

© MessageLabs 2009. All rights reserved.