[ISN] The enemy within the firewall

InfoSec News isn at c4i.org
Tue Mar 14 03:13:04 EST 2006


http://www.theage.com.au/news/breaking/the-enemy-within-the-firewall/2006/03/13/1142098393208.html

By Louisa Hearn
March 14, 2006

Employees are now regarded as a greater danger to workplace cyber
security than the gangs of hackers and virus writers launching
targeted attacks from outside the firewall.

That is the perception of 75 per cent of Australian information
technology managers who took part in an international IBM security
survey.

With email and instant messaging proving increasingly popular and
devices such as laptop computers, mobile phones and USB storage
devices more commonplace in the office, the opportunities for
workplace crime are growing.

"People are becoming the weakest link. A fluid work force with
diminished loyalty to organisations is being exacerbated by the fact
that people do not always realise the value of information that they
deal with," said Claudia Warwar, managing consultant at IBM BCS
Security and Privacy Practice.

Ms Warwar believes that the rise in internal security attacks has come
about because outside criminal gangs realise that recruiting or
tricking employees to hand over insider knowledge is less expensive
and less traceable than other forms of cybercrime.

And it seems the perception of this phenomenon is even worse in
Australia than elsewhere in the world, with 11 per cent more
respondents here identifying internal staff as their greatest threat.

Ms Warwar explained that one reason for this could be that in a larger
country, where you might normally have ten staff working in a team, here
you might only have one, granting closer access to important
information. "Employees here get to see more of the big picture and
are closer to the whole business loop," she said.

But in spite of the threat, companies still allocate more of their
security budgets to external threats.

While 32 per cent of survey respondents were intent on upgrading
firewalls, only 15 per cent planned to invest in awareness and
education training for employees and only 10 per cent restricted the
use of mobile devices such as wireless handheld computers not
specifically sanctioned by the IT staff.

"Organisations need to understand what are the key pieces of
information that need to be protected and be able to track who has had
access to them," she said.

Looking more broadly at the issue of cyber crime, the survey also
found that regardless of who had caused it, 49 per cent of local
businesses believed it represented a larger threat than physical
crime.

The three most common types of cyber crimes are hacking, denial of
service attacks, and viruses and malware, which target different types
of organisations.

"One of our clients had a virus bouncing around the network for quite a
few days which did quite a bit of damage, whereas a denial of service
attack is more likely to target those transacting and doing a lot of
business online. If a hacker really knows where they are going within,
say, a large financial company then they can also really hit the
jackpot," said Ms Warwar.

A recent security report from antivirus company Symantec said
cybercrime represented today's greatest threat to consumers' digital
lifestyle and to online businesses in general.

"While past attacks were designed to destroy data, today's attacks are
increasingly designed to silently steal data for profit without doing
noticeable damage that would alert a user to its presence," the
company said.




