Enterprise Services Blog
Get the latest thought leadership and information about the role of Enterprise Services in an increasingly interconnected world at HP Communities.

Innovation INSIGHT on Security: 3 ways to safeguard against employee sabotage

By John Diamant, Distinguished Technologist, HP Enterprise Services


All it took was four low-level employees and one convincing email. One click, and the damage was done, to the tune of $66 million to clean up one enterprise’s mess.


“It’s actually a really good example of how one employee doing something as simple as opening an email can lead to a huge monetary and reputation loss for an organization,” says cyber security expert Dwayne Williams of the Center for Infrastructure and Security at the University of Texas at San Antonio.


Intentional or not, employees can sabotage enterprise security. In the example above, indications point to the possibility of overseas hackers behind the attack. That’s no surprise to the University of Washington’s Dr. Barbara Endicott-Popovsky, who is sounding the alarm about the intensity of cyber attacks on United States enterprises. “There are nation states that are stealing this country blind,” says Endicott-Popovsky, who serves as director of the university’s Center for Information Assurance and Cybersecurity. Those determined to steal U.S. secrets are doing it, in part, through employees.


As vulnerable as a USB drive
With 80 percent of companies’ information being digitized these days, data is at risk, Endicott-Popovsky says, as employees access it each and every day. Unwitting employees may allow security breaches by carelessly clicking on spam messages or using social media at work. And disgruntled employees can walk out the door with company secrets on a thumb-size USB drive and sell it to those who want to get their cyber hands on your enterprise’s goods. “This is no joke,” she warns. “It’s monstrous what’s happening.”


Mobile computing has added to organizations’ vulnerability. Intentionally or not, employees aid the enemy by bringing in mobile devices, divulging personal information on social media sites, and committing other innocent infractions.

About two-thirds of cybercrimes are enabled in part by the human factor, says Larry Ponemon of the Ponemon Institute. The research firm recently released its Second Annual Cost of Cyber Crime Study, sponsored by ArcSight, an HP company. The report revealed that the median annualized cost of cybercrime incurred by a benchmark sample of organizations studied was $5.9 million per year per organization, with a range of $1.5 million to $36.5 million each year per organization. More than 90 percent of all cybercrime costs among the companies surveyed were caused by malicious code, denial of service, stolen devices, and web-based attacks.

“A lot of companies think cybercrimes are typically high-tech attacks,” Ponemon says. “But the root cause of a lot of the cyber risks are people — people who are not bad, but maybe a little negligent, lazy, or not informed.”


How employees contribute as accomplices
He points to three top ways employees compromise enterprise security:

  1. Insecure mobile devices. Bringing a personal laptop or smartphone to the office has become common. “A lot of the devices may be grossly insecure, and the bad guys know that,” Ponemon says. 
  2. Social engineering. If cyber thieves know enough about customers, they can dupe call center and help-desk workers into divulging sensitive information. Then they can steal assets or cause a costly denial of service attack, for instance. 
  3. Spear phishing. Employees get an email that appears to be from their employer. “It knows your name, has a company logo, and may ask for security details to reset your password,” Ponemon explains. “It’s a step up from typical phishing schemes.”

A CIOInsight article points to other problem areas, including employees browsing sites laden with malware, receiving spam emails, and using unauthorized software. Having policies in place on these issues and the use of USB devices, social media, and laptops can help educate and dissuade employees from such negligent or nefarious practices. “Often, cyber criminals prey on people’s weaknesses, not technology’s weaknesses,” Ponemon says.


Work-arounds are a danger too
For a research project she did on a utility company that controlled a dam, Endicott-Popovsky found some employees said the right thing about IT security, but did things that left the utility vulnerable. “One guy in the mountains admitted that when bad weather affected his access to the company network, he would respond to alerts by dialing into the Internet from his home computer,” she says. “He had built a work-around that allowed him to use a public network to access a physical control system.” Not good.


From the well-intentioned point of view, there were good reasons to work around the system, she says, but he didn’t realize just how virulent the bad guys are. She laments that society in general doesn’t recognize how the Information Age has transformed our way of relating to others.
“My mother could count on one hand the people we kids should stay away from in the neighborhood. Today, there are approximately 2 billion people online who are your next-door neighbors. We’re living in this cyber community that knows no boundaries. It’s all about protecting information.”


Searching for solutions
So, what do you do to protect your organization?

  • Create cyber awareness. “You have to sensitize people to the problem,” Endicott-Popovsky says, advocating for a dramatic security awareness campaign in organizations. “You gotta do a wakeup call.”
  • Secure your applications. Many legacy (and even recent) applications have been designed with the increasingly false assumption that they don’t need strong security because they’re only accessible on restricted networks, such as corporate intranets. However, regulations, privacy requirements, new network access models, and the potential for malware and even malicious users with access to your networks require dramatically improving application security.
  • Disable access immediately during employee terminations. IT security blogger Bryan Beaty has the right idea when he suggests that while an employee is getting fired in one room, management should have a team disabling network access and shutting down passwords. So have a plan when you’re letting employees go, and keep cyber security top of mind.

Learn how to begin the journey to your secure enterprise. And for more on security that’s flexible enough for collaboration and innovation but still protects against emerging threats, view the Innovation INSIGHT webcast, “Enterprise Security and the Waves of Disruption: It’s Surf or Sink.” Check out parts 1 and 2 of the series on security: Surf or sink during IT's biggest challenge in 20 years and Unlock innovation and collaboration from legacy security networks.

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.