Feature Stories - July 2008

Security in the Workplace

Technology Issues Threaten Business Prosperity

No business owner would leave work for the day without locking up the office first. However, the same owner might not think twice about leaving a workstation unsecured at lunchtime, or about checking whether the firewall is still doing its job. With malware, spyware, adware, viruses, Trojans, worms, phishing and internal risks all in play, it’s time for every business to review its IT strategy and security before a loss occurs.

According to the 2007 Computer Security Institute (CSI) survey, the average annual loss reported by U.S. companies more than doubled, from $168,000 in 2006 to $350,424 in 2007. Financial fraud, virus losses and system penetration by outsiders were the three primary sources of loss. Nearly one-fifth of companies that suffered one or more security incidents reported they had been victims of a targeted malware attack: a malicious program or file, such as a worm or virus, aimed exclusively at their organization.

“Most businesses can decrease the threat of system penetration through the use of firewalls, intrusion-detection devices and internal security policies,” said Frank Yoder, president and founder of Advanced Information Systems (AIS), a full-service technology solutions provider. “While firewalls are the key to filtering incoming harmful content, such as DoS attacks or floods, the majority of ‘outside’ penetration is actually enabled by a user within the company.”

Threat from Within

An estimated 50 percent of all attacks come from employees and contractors working inside a company. CSI’s 2007 survey reveals that insider abuse of network access or email was the biggest security issue, with 59 percent of respondents reporting incidents. Security breaches may result in lost income, system downtime, lost work time, unexpected IT expenses, fines (particularly if a breach involves sensitive information such as medical records that could violate HIPAA), legal issues (for illegal downloads and copyright violations) and an erosion of trust.

“All companies should have a solid acceptable use policy in the employee handbook that should state what the owner wants employees to be able to do or not do with company-owned equipment,” said Jon Perry, co-owner and senior technology officer for STING Surveillance, a Henderson-based provider of security systems and technology solutions. “Once the owner identifies acceptable usage, it is often up to the IT staff or vendor to formulate and execute a plan.”

IT staff should work closely with human resources, department heads and executives to determine just how much access each employee needs. Risk must be measured against how a business operates. “Some company owners do not care whether an employee is instant messaging her boyfriend on company time as long as her work gets done, while others may have an issue with this type of use of their equipment,” said Perry.

Without a solid acceptable use policy in place, a business could be opening itself up to risk and liability if sensitive information gets into the wrong hands. If an employee is using a company computer to shop online, visit Web sites or download music and games, there’s a chance that adware, spyware or malware could be introduced to the network.

“Not all identity theft or security breach problems happen from malicious intent. We are human and we make mistakes which include pushing the wrong button on an e-mail or simply being unaware that we are putting our company or people at risk by sharing too much information,” said Adrienne Whisler, certified identity theft risk management specialist and owner of Identity Theft Defense Solutions, a company that helps businesses create a culture of security by providing employee training on issues related to security and identity theft. “Businesses need to protect themselves by showing they took reasonable steps and trained their employees in the first place or they can be held liable, even for accidental breaches.”

A Legal Matter

Whisler says that if a company does nothing to train its employees, has no written policies signed by the employees, and does not offer them any kind of protection as a benefit, then it is placing itself at risk for lawsuits, penalties and fines.

“Personally, I think that’s fair,” she said. “If you have my information, whether an employee or client, you need to protect it and train those handling it.” From a legal perspective, clearly written workplace computer and Internet policies are extremely important for any business. According to Ann Morgan, a partner with Jones Vargas, a Nevada law firm providing litigation, transactional and government relations services, policies are critical in preventing employee privacy claims.

“Claims arise where an employer relies on information from the employee’s computer in disciplining or terminating an employee,” she said. “The Ninth Circuit Court of Appeals found that an employee who had accessed child pornography from a workplace computer had no expectation of privacy even though he had a lock on his office and an individual password to log into the system. Why? His employer had disseminated a computer use policy stating that workplace computers were company owned and were not to be used for activities of a personal nature. It helped the case that the employer told employees that it routinely monitored the employees’ Internet use and actually did so.”

Manning the Gates

Securing data is critical, but not all businesses are monitoring activity. The Ponemon Institute, an organization that conducts independent research and educates leaders from the private and public sectors, released the results of a 2007 survey that indicate businesses are facing big challenges in securing sensitive data. Forty percent of survey respondents, which included IT professionals worldwide, said their organizations do not monitor their databases for suspicious activity or do not know if monitoring even occurs.

Once again, insiders’ ability to compromise data was the most serious concern, with 57 percent of respondents indicating inadequate protection against malicious insiders and 55 percent citing data lost by internal entities.

But businesses of all sizes must be proactive rather than reactive. Yoder said it usually takes a tech-minded person to understand where potential threats are located. For smaller companies with no IT staff, a security consultant should be brought in to analyze the existing infrastructure and software and protect against security breaches.

David Meteyer, vice president at Holman’s of Nevada, a firm that provides computer hardware, supplies and technology solutions, says technology changes so quickly that a company whose singular purpose is to stay ahead of changes in the industry is in the best position to protect a firm whose business isn’t technology oriented.

“When investing in an outsourced IT company, business owners should look for a company that is proactive in their strategy rather than one that employs a reactive strategy,” he said.

Mobile Devices = Big Risk

In February 2008, a laptop containing the names and medical information of 2,500 patients participating in a clinical trial was stolen from the locked trunk of a National Institutes of Health employee’s car. The information on the laptop wasn’t encrypted. And while the theft appeared to be random, it nonetheless occurred just a year after a similar theft of a laptop from the home of a Department of Veterans Affairs employee, raising concerns about privacy and acceptable use. Mobile devices, such as laptops, cell phones with browser capabilities, and flash drives, are at high risk of theft and loss, so businesses and organizations must craft strong policies on what kind of sensitive information can be stored on them and how they can or cannot be used.

“An acceptable use policy needs to include ‘do not bring flash drives to work.’ These drives are extremely harmful because they can come from anywhere, are possibly infected with unwanted materials, and are then given local access to your infrastructure when your employee plugs them in,” said Yoder. “Secondarily, it allows your employees to potentially take important data, such as trade secrets, out of your environment and take them home.”

Since most computers are equipped with CD burners or USB ports, sensitive data can be easily removed or transferred via a flash drive or a CD. “Having a good security plan to secure the data and restrict it at the network security level is important,” Perry said. “Some companies may consider disabling USB ports on certain workstations and disabling access to email other than Outlook.”

Companies must assess how much monitoring they are willing to do and to what extent. This might include tracking content, reviewing computer files, and monitoring the Internet and social networking sites. The latter is to see what employees might be writing about the company on discussion groups or blogs.

Who’s Watching?

According to the 2007 Electronic Monitoring & Surveillance Survey from the American Management Association, more than one-fourth of employers have fired workers for misusing email and almost one-third have fired employees for misusing the Internet. Of the companies that monitor email, 73 percent said they use technology tools to do it while 40 percent have individuals read and review it manually.

“I would not monitor all activity,” said Yoder. “I would monitor downloaded files, block file sharing programs and filter Web sites, but I would not suggest monitoring all Web sites that an employee visits. It could create a large log file where you could miss something more important, like the fact that your employee is downloading large videos or MP3s from the Internet and exposing your infrastructure to unwanted content and your company to MPAA lawsuits.”

Perry too says the level of monitoring is up to the business owner. He thinks it comes down to how strict the employer wishes or needs to be.

“Prioritize. Consider how much money and time you want to put into tracking and tagging employee computer use and determine if it makes sense,” he said. “If you want to see if your employees are going to their MySpace pages all day, you can certainly install software that logs that activity. It’s all up to the owner and whether they want to take a proactive or reactive approach.”

Whatever approach employers choose to take, their employees should be made aware so they will know what is and what is not acceptable in the workplace. Training is important too, especially so they will know how to detect, handle and report suspicious behavior from others.

Social Engineering

Social engineering is a term used for deceiving and duping people into revealing confidential information. The term and the practice were created by hackers who often know just as much about human nature as they do about cracking code. Kevin Mitnick, the best-known and most prolific hacker of the 1990s, was perhaps the pioneer of social engineering. He easily gained access to countless computer networks to steal intellectual property primarily using this method.

It works something like this: The hacker poses as a high-ranking company employee, IT department employee or outside consultant, usually over the phone. They shrewdly gain the confidence and trust of an employee through charm or trickery and coax them into revealing their password, usually to help resolve a non-existent tech problem. If they succeed, the company’s network is suddenly in jeopardy.

“Educating employees is the single best defense against anyone compromising their account,” said Meteyer. “Remember, there is no legitimate reason why anyone should need to ask for an employee’s password.”

Whisler suggests that companies have a policy in place that any time someone requests an employee’s password, the employee must inform human resources.

“I believe most businesses want to protect their employees and their customers,” Whisler said. “Prevention is always better than a cure, so take the time to train your people and put those measures in place.”

Nevada Business Journal