Printer Friendly

Do you trust your employees?


KEEPING INFORMATION SECRET has always been a major challenge for governments and other large institutions, a challenge, that has traditionally given rise to ingenious and even drastic methods of protection. In ancient times, for instance, some Eastern tyrants were so obsessed with secrecy that they reportedly had the tongues of their own messengers removed after they had delivered sensitive information.

Obviously, that practice was extreme. Nevertheless, it underscores a timeless truth about information security--that is, an organization's own employees always have been, and probably always will be, the greatest single threat to its efforts to maintain secure and confidential data.

Yet, those very same employees also represent an organization's most valuable security asset. In fact, without the presence of a strong, security-minded work force, one well schooled in the principles and procedures of information protection, no company can ever hope to solve the problem of safeguarding its information from corruption, intrusion, sabotage, and theft. No matter how you look at it, the human factor is the most important element to consider when addressing information security.

In the last 10 years business has seen an explosion in the use of information technologies and in linking those systems into vast, integrated communications networks. At least three factors are responsible for this phenomenon:

* the availability of more affordable and efficient communications networks that can be readily accessed by large numbers of users--employees and outsiders alike

* the remarkable growth of the PC as a tool that more and more employees can use to retrieve information stored in networks and in host computers

* the increased application of data base management systems for storing important data, particularly the kind of data senior managers constantly rely on to make critical business decisions

Few would deny that these developments have bestowed tremendous blessings on business. Corporations that have mastered the complexities of information technology are often more efficient producers of high-quality goods and services, more skillfull in identifying market trends, and more effective in meeting the specialized needs of their customers. In a word, they are more competitive.

But there's a glaring blemish on this rosy picture. The more businesses rely on internal and external communications networks, install more widely accessible data banks and integrated systems, and put increasingly powerful computers into the hands of more employees, the more vulnerable those businesses inevitably become to unauthorized network intrusion and abuse.

Just how vulnerable are a corporation's information systems? Very vulnerable, considering that virtually any computer or data network is susceptible to unauthorized intrusion. All it takes to enter a system is one knowledgeable person with the desire or means to do any of the following:

* Open the door of a computer room.

* Dial into a computer network.

* Obtain access to a direct-wired terminal.

* Send an E-mail message.

* Supply or write a software program for a computer system.

* Perform a computer maintenance or repair service.

Once inside a system, an intruder can wreak havoc on information and the technology that controls it. For instance, the individual can do any of the following:

* Tamper with any service residing within the system.

* Interfere with the work of systems administrators and operators.

* Deny access to legitimate users.

* Add false information.

* Read, copy, or erase programs and data.

* Enter other computer systems.

* Change system instructions and protocols.

* Introduce disruptive programs and applications.

It only takes one resolute intruder to enter and corrupt a corporation's information network. But thousands of potential intruders are out there eager to seize the opportunity.

First of all, there are the hackers. We all know about them. They are often portrayed by the entertainment media as slightly comical types: young, painfully shy high school and university students, invariably male, who wear glasses, carry a dozen or more pens crammed into the front pocket of their shirts, and rarely enjoy a meaningful relationship beyond the one they already have with their computers. Nerds, in other words.

In reality, hackers are more harmful than their stereotyped image makes them out to be. Armed with only a simple PC and a modem, they can do a lot of damage to a company's information system, especially if they obtain the right passwords. For example, they can read and copy confidential information. And they can sometimes download important software.

Some of the damage done by hackers is even caused by computer viruses--those data-destroying or data-altering programs with exotic and menacing names like "Trojan house," "logic bomb," "Flying Dutchman," "worm," and so forth. These devices pose a real problem for information systems.

Far more threatening than hackers and viruses are attempts by rival companies to gain access to your information. Many of these companies don't need to use viruses to steal or alter your data. They have more sophisticated methods.

Take password breaking, for instance. Once an art practiced by a few zealous hackers, it has now become almost a science that many companies pursue rigorously.

Here are just a few of the ways passwords can be identified--a task that, potentially at least, has become a lot easier thanks to the proliferation of desktop PCs connected to local area networks (LANs) and other kinds of integrated networks. A competitor can find out your passwords by

* using a password-breaking program;

* tapping an employee's telephone line;

* "piggybacking" the password by dialing into a company's communications lines, then entering the information system by following a legitimate user who has gained password clearance;

* "Dumpster diving" in trash containers for hard-copy evidence of passwords;

* "shoulder surfing" by looking over someone's shoulder as he or she types in the password; and

* stealing a company phone book and typing various combinations of people's names, initials, addresses, and so forth to guess the password.

In addition to stealing passwords, companies can acquire information by using more traditional techniques of corporate espionage, several of which are perfectly legal, albeit unethical. Many of these techniques I like to call "vanity techniques" because they are based on the principle that people love to talk about themselves and their work. For example, some firms set up fake interviews with a competitor's employees. They have no intention of hiring these people. They simply want to pry as much information out of them as they can. Other companies hire workers from another corporation but only because those workers possess specialized knowledge about a certain technology or a specified business strategy being developed by a rival firm.

Social gatherings are also a valuable tool for collecting confidential information about a competitor's activities. Rival companies are not above having their representatives invite their colleagues from other firms out for dinner or drinks solely for the purpose of asking them veiled and flattering questions about their work. The same technique is sometimes practiced at technical conferences and professional gatherings. How often have you asked yourself, "Who was that person I chatted with for over an hour last night?"

Just about every espionage method I have cited so far has one trait in common. They all depend on the conscious or unconscious cooperation of your own people--the managers, researchers, production workers, clerks, and staff within your organization. That leads me to the third, and the greatest, information threat facing today's corporation--the employee.

Employees can breach security in two ways: on purpose or by accident. If they want to do it on purpose they have ample opportunity. Many employees, simbly by virtue of their status as employees, enjoy wider access to a company's information assets and information equipment than outsiders do, another example of the vulnerability of technology.

Employees, many of whom are sophisticated computer users, are better positioned to insert viruses into a system than hackers are. They're better equipped to steal passwords than any industrial spy. In fact, when it comes to leaking, copying, reading, stealing, altering, or destroying information, employees win hands down every time over external intruders.

Why would employees want to tamper deliberately with their employer's information? They do it out of greed, anger, frustration, or revenge. It's the greatest threat and the greatest challenge toward maintaining an information-secure workplace.

Take greed, for instance. My experience tells me that in the majority of cases greed is the cause of employee-perpetrated fraud.

In a computer-based environment, fraud commonly takes the form of what is called "data-diddling." Let's say an employee wants to pad his or her expense account. To do this, the individual introduces some bogus invoices and expense claims into the computerized records. It's done because the employee got greedly and wanted a little more money. But how do you prevent something like that? How do you police an emotion?

Or take anger and vengeance. An employee gets fired because of poor performance and decides to get back at the company. So the employee writes a "logic bomb" program designed to erase the company's payroll records the moment his or her name disappears from the payroll list. The employee doesn't write the virus out of fun or wanton vandalism, as a hacker might. The individual does it because he or she has lost control of a basic human emotion and allowed it to propel him or her into an illegal and destructive act.

The human factor also accounts for the greatest of all information threats to an organization--those hundreds of little unintentional lapses in security that employees commit daily through carelessness, ignorance, or gullibility. They're the seemingly harmless gestures that, if left unchecked, offer internal and external intruders alike their best opportunities for theft, tampering, and sabotage.

In terms of information security, un-intentional actions are the most difficult to regulate because they seem so innocuous and so natural. Who among us hasn't on occasion forgotten to lock a desk drawer or turn off a computer when leaving an office? Unlike intentionally writing a program to defraud an employer, which requires premeditated planning, these modest acts are performed automatically and are second nature. And that makes them incredibly tough to control. It's the human factor, once again.

Given all the problems a modern company must deal with to protect its information, what measures can be taken to mitigate or solve them? The obvious solution is, of course, technology. A number of good access control and information security products are available that companies would be foolish not to employ. These include silent answering devices, which foil automatic dialing programs trying to collect computer phone numbers; trapping techniques to catch network intruders; encryption algorithms that scramble electronic transmissions of confidential information; and tokens, which provide authorized users with a different password code each time they log onto their communications system.

But technology alone, no matter how sophisticated or complex, will never meet all of a company's information-security needs. It can't. And for one simple reason. No security technology is foolproof.

Numerous examples demonstrate technology's inability to solve every security problem. I'll relate just one. Recently, PC Magazine tested 11 different computer virus prevention programs (or vaccines) and found that none of them could stop a virus from infiltrating a network and damaging data. Indeed, eight of the vaccines were unable to detect the presence of the virus at all.

Something more is needed -- namely, a company-wide program that realistically and comprehensively incorporates the human factor into every aspect of security planning and security operations.

My company has developed such a system. Its success absolutely depends on two fundamental assumptions about people. First, employees are human and, therefore, subject to errors, foibles, and misdeeds. Secondly, employees are responsible and trustworthy individuals who, when properly motivated, will give security issues a high priority.

The security system contains four essential components:

* A senior management that is absolutely committed to the goal of total information security and willing to provide the leadership and example required to realize that goal.

* The formulation of a set of simple, effective information security controls and procedures that are communicated regularly to every company employee.

* The systematic monitoring of these procedures by company auditors to ensure that information security is maintained and that violations, when they occur, are quickly detected.

* The willingness to investigate all violations and the resolution to identify and punish violators of information security.

Let's start with the role of management. I believe information security is too important to be left in the hands of security officers alone. Senior managers, including the CEO, have to get involved in the security process -- and they've got to stay involved.

That commitment means senior management accepts responsibility for defining what kinds of security mechanisms to implement and how those mechanisms are to be organized. At my company, it's senior management, not the security staff, that decides that all diskettes must be locked away when not in use, that no employee can give his or her password to another or use another's, and that regular reporting relationships and periodic briefings must be set up between management and information security personnel.

Management involvement in the security process also means all of our company's managers, regardless of rank, are responsible for seeing that security procedures are followed and enforced. If an employee leaves a confidential report on his or her desk overnight, the manager is expected to put the report in a secure place and bring the matter to the employee's attention the very next day. When employees submit expense reports, their managers must report any financial irregularities and discrepancies. Finally, management-based security means the CEO and senior executives must be willing to commit whatever resources are necessary to support a first-class security system.

Of course, information security is not exclusively a management concern. It's also the concern of every employee in the company. My company takes great pains to motivate workers to adopt what I call a security mentality.

Security mentality is simply the by-product of a carefully planned program aimed at encouraging employees to recognize the need for information security and to voluntarily accept the security controls and procedures in place. The program has four elements: constant communication, constant reinforcement, audits, and investigations.

As for communication, employees are continually informed about current and new information security procedures through seminars, training sessions, and memos. Reinforcement also involves communication. It communicates security behavior and thus operates as an indispensable tool in developing a security consciousness throughout the work force. All employees, for example, must present briefcases, handbags, athletic bags, and so forth for inspection on entering or leaving a company building. They must also wear color-coded ID badges, which signify their assigned levels of security clearance and security access. In addition, many doors are controlled by card and key mechanisms. That means any time an employee wants to open one of these doors, he or she must go through a procedure that's intentionally time-consuming.

Employees go through these procedures thousands of times a year. In the process, they are continually reminded that they are working in an environment where security matters and is taken seriously. As a result, many of them begin to accept -- almost unconsciously -- the need for information controls and the values those controls represent. In other words, they adopt a security mentality.

As for the security controls themselves, they must be kept simple. The great dilemma for security professionals is that the more protective controls a system has the less easy and friendly that system becomes for users. In the end, if too many controls are imposed or they are too complex, busy employees will simply ignore or find ways to circumvent them. When it comes to information security controls and their effect on employee productivity, less is sometimes more.

My company's security program -- especially its efforts to build a security attitude among employees -- has implied that workers can be trustworthy and responsible contributors to the security process. And indeed, the vast majority are. But there's another side to human nature, which necessitates the third component in a successful corporate security program -- company auditors.

The presence of auditors is essential if companies hope to maintain the integrity and confidentiality of their information. It's been my sad experience to observe that a lot of employees are only as honest as the system dictates they be. And in my experience, auditing -- and theknowledge that they are being audited -- is what keeps many employees honest.

When I talk about auditing, I mean procedural audits, the kind of formal monitoring that systematically evaluates the effectiveness of security controls and notifies management when those controls are violated. I do not mean functional audits. Functional audits tend to question business decisions. In my view, there's no place for that kind of auditing in security.

Procedural auditors perform several crucial functions in maintaining information security. First, they are a potent deterrent to information abuse. The mere fact that employees know their system activities are being zealously and continuously monitored significantly reduces the incidence of computer fraud and information tampering.

Secondly, auditors monitor the effectiveness of the entire information security system. They check lists of users who have tried to log onto the system, identify those who log-on attempts were denied, and note why they were denied. They also assemble data on uncommonly long periods of legitimate system use and access attempts from unauthorized locations. Should a pattern of abuse emerge, they report their findings to security and management and recommend ways to guarantee it won't happen again. Finally, the activities and reports of auditors are critical in helping catch and punish system abusers. That process leads to the final component of my company's security program -- investigations.

We seldom interrogate employees we suspect of abusing our information. Instead, we concentrate our energies on putting together a solid body of evidence that proves the suspect's guilt or innocence beyond a doubt. The consequences for an employee who tampers with, steals, or destroys information are grave. Almost invariably the result is termination of employment and even legal prosecution. Naturally, we want to be sure we have a strong case before taking such serious action.

Our investigation do not, however, end with the identification and punishment of the wrongdoer. We want to know, for instance, whether the guilty party acted alone or with others, whether outsiders were involved, and how long the security violation existed before it was detected.

We also want to know why management was unable to anticipate or control the problem. After all, management is just as responsible for security as everyone else.

Finally, and most important, we want to determine what weakness in our information security system allowed the abuse to happen and continue and why our normal audit procedures didn't identify the problem immediately.

Only when we have answered all these questions satisfactorily do we consider an investigation closed. We follow this lengthy and thorough procedure for every information abuse case we encounter.

In building the corporate culture I have just described, both sides of the human factor had to be taken into account -- the good and the bad, the responsible and the dishonest, the conscientious and the careless, the experienced and the naive. It's sometimes hard for security professionals to keep these polarities in balance, especially since they deal primarily with the negative aspects of human behavior -- theft, sabotage, deceit, gullibility, and indifference. It would be easy to adopt a jaundiced view of humanity.

Yet, trust plays a vital role in the whole security equation. Yes, security technology is important. Yes, controls and procedures are absolutely essential in protecting information. But ultimately, if a company cannot trust its employees -- and if those employees themselves don't feel they are trusted -- all the machines and rules in the world won't amount to much. Trust is the most important human factor of all.

Norman W. Luker, CPP, is director of security for Northern Telecom Ltd. in Islington, Canada. He is a member of ASIS.
COPYRIGHT 1990 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1990 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:protecting corporate information
Author:Luker, Norman W.
Publication:Security Management
Date:Sep 1, 1990
Previous Article:Trump Taj Mahal: high stakes security.
Next Article:The roar over animal rights.

Related Articles
The lands nobody knows.
An inside job.
Utah statute imposing personal liability on corporate employees for unpaid corporate franchise taxes.
The trusted leader. (Leading the Pack).
Quick 'cash-outs' fall from favor: survey.
Protecting your finances: why you need a compliance program for your business.
Safeguarding corporate secrets: after three insiders are accused of stealing its trade secrets, Coca-Cola vowed to better protect its data. Don't...

Terms of use | Copyright © 2018 Farlex, Inc. | Feedback | For webmasters