In this series, Computerworld Australia examines some of the information security threats facing small business and larger enterprises today. We begin by speaking to experts about the problem of ‘internal negligence’ and company processes that can put businesses at risk of a data breach.
Internal negligence, according to Quest Software, can be defined as an offence committed by staff members, such as forgetting to check log reports for suspicious behaviour, that leads to company documents or financial information being leaked out of the enterprise.
However, negligence can occur in simple ways such as the result of losing a USB stick containing company information. For example, security vendor, Sophos, purchased three bags of lost USB sticks at a Rail Corporation auction in Sydney, Australia, last year. The recovered files included images, documents, source code, audio files, video files, XML files and AutoCAD drawings.
The threat of internal negligence
In an age where information and data are the lifeblood of any organisation, data loss as a result of internal negligence is one of the most prominent issues keeping IT security executives up late at night, according to IDC Australia senior market analyst, Vern Hue.
“The extent of data loss goes beyond the obvious loss of valuable and sensitive information, making data protection both a business and technological concern,” he says.
Internal negligence which leads to data loss can affect a company’s bottom line, as the remediation exercise is often very costly and time consuming.
“What is most worrisome is the loss of brand value and brand equity due to the loss in confidence by the different stakeholders,” he says. Brands can have their reputations tarnished and years of painstaking efforts in branding and goodwill undone due to internal negligence.
“Some organisations just cannot rise again after such an impact,” Hue warns.
Pure Hacking chief technology officer, Ty Miller, says internal negligence arises for a number of reasons. This includes minimal or no IT security budget allocation, a lack of resources dedicated to IT security, missing security policies and procedures to ensure a baseline level of security, and a lack of security training for employees.
“This type of negligence leads to the introduction of countless risks within the internal corporate network, systems and operations,” he says.
For example, a minimal IT security budget means that security systems are not put in place to detect and protect vulnerabilities from being exploited by rogue users and savvy remote attackers.
“If an organisation doesn’t have the skills and resources dedicated to IT security then the governance policies, processes and procedures will not be created,” Miller says. “These act as a security guideline to secure the organisation from attacks. If these are not in place then security breaches are certain to occur and audit trails will not be in place to ensure a digital forensic investigation can be carried out.”
Security training would provide all employees with the knowledge that they need to perform their jobs in a secure manner, as well as act appropriately when a potential attack is detected.
“Employees who have not undergone security training are likely to either become an entry point for the organisation becoming compromised, or even introduce vulnerabilities into the organisation by not proactively protecting against attacks,” he says.
Extent of the threat
If employees were unaware of internet security protocols within their business, they could be damaging the business from the inside, according to Symantec security and compliance director, Sean Kopelke. According to the vendor’s 2011 Cost of a Data Breach survey, 32 percent of data breaches from Australian companies spawned from individual negligence and the average data breach has amounts to $2.16 million per breach.
“Not only is $2 million a significant amount to take away from company profits, but the news of data being stolen will be damaging in the long run as reputations can be ruined and existing customers might be looking to move due to lack of security of personal data,” Kopelke says.
A data breach resulting from internal negligence could prove to be very expensive and this was not often in the budget for many organisations, warns Pure Hacking’s Miller.
These costs, which could reach millions of dollars, include paying for a digital forensic investigation to identify what systems and data have become compromised, implementing mitigation controls to prevent the attack from occurring again and resources to restore the integrity of the data with the systems.
In addition, the company would need to rebuilding systems from scratch to ensure backdoors and rootkits were not present on the systems, followed by a major investment in developing and implementing a strong security program.
“Security breaches cause major financial and reputational damage, and depending upon the size of the organisation can force them into bankruptcy,” Miller adds.
Addressing internal negligence
McAfee Asia Pacific vice president, Michael Sentonas, says the best way to prevent data loss by negligence was to give staff the lowest level of access to systems and resources they require to do their job.
“The more information staff have access to, the more chance there is that the information will be lost or mishandled,” he says. According to IDC’s Hue, most organisations architect their data loss architecture to face outward, at the perimeter of the network — leaving the inside of the network relatively free of any security protocol.
“Organisations now have to keep pace with the growing complexities of their data as the increasing collaborative nature of how organisations operate is changing how data is being used and generated,” he says.
This collaboration did not just include internal staff but partners, customers and regulators. “Organisations need to ensure that the right processes, governance and technology are in place to meet these needs,” he says. These processes include a complete view of the security environment, and security stack including network perimeter security, anti-virus, encryption tools, and data loss prevention (DLP) offerings to add an additional layer of advanced data monitoring system of the movement and storage of information.
“By proper classification, qualification and tagging of data, organisations can then monitor and mitigate the loss of data,” Hue says.
Another way to address internal negligence was to minimise the access of sensitive data to only a selected group of individual. In addition, he advised that some organisations divide up responsibilities, so people did not have the access to all the information at hand to make disastrous negligence.
“Most importantly, employees need to understand that rules and guidelines are there, and enforced, for this specific reason and they need to be made aware of the consequences of what their actions may lead to,” he says.