Security Threats from Within
April 1, 2002
By Michael Bruck
Q: I have heard that one of the biggest information
security threats to a company can come from within. Is this true? What exactly
does it mean, and what can be done about it?
A: When people think of an information security threat or a "security breach,"
thoughts of bad guys, gangsters and hackers come to mind. Companies usually make
sizeable investments to prevent intrusions to their systems, put protections in
place and know the seriousness of external threats.
Companies usually try to patch every loophole and make every system
impenetrable. But guess who knows more about these loopholes and ports of
penetration than anyone? A company's own employees (or former employees). In
reality, disgruntled, former or fired employees or even external service
providers are the most likely culprits of a security breach--anyone with
"insider information." It is for that very reason that four out of five
IT-related crimes are committed from within an organization.
An internal threat might be someone who knows the weaknesses of the software
being used or has the ability to introduce viruses into a system. Viruses can
come from within simply by opening e-mail attachments. Some employees find it
easy to gain access to restricted areas; this may include the possession of
unauthorized passwords. If something is password-protected, chances are there is
confidential information involved.
With so many home office workers, laptops are in frequent use. Many times the
security protection on a laptop is turned off when connecting remotely. This is
another major internal vulnerability or internal threat.
So if 80 percent of IT crimes are internal, what should a company do about
it?
- Perform a security audit, or have one performed.
- Unless the knowledge, experience and manpower exist in-house, consult an
outside expert on audits, policies, and the subsequent security monitoring and
prevention service.
- Ensure adequate background checks on employees.
- Establish a security policy, and enforce it. This includes implementing
things like swipe cards, changing passwords often and restricting sensitive
areas. This creates the right attitude toward information security in your
company and clarifies the consequences of any found internal breach. A
professional consulting firm specializing in policy development can save time
and money and ensure an up-to-date policy.
- Use firewalls. Firewalls protect against unauthorized logins, usually from
the outside world, preventing hackers from logging on to your network.
- Use virus scanning software. Attachments to e-mails received and passed
around are the biggest reason for the spread of viruses.
- Implement ongoing managed services.
These are only a few ideas for combating internal security threats that
surround us all. Enlist the help of a professional security consulting firm that
will do both the audit and policy development before implementing a complete
managed services package.