Go ahead, pile on the passwords, the port policies and all the IT standards you like. But the weakest link in your network will probably still let you down. It is not a failed firewall or an outdated antivirus filter. It's neither hardware nor software. It's a wetware issue. All the controls in the world mean little if someone with network access makes a mistake, or worse, decides to tap into confidential information or wreak a little havoc.
That's because the weakest link in your company's security is human: your employees pose the biggest possible threat by far to your corporate network.
Take the case of Heinrich Kieber. The 43-year-old computer technician was arrested and convicted in 2002 of stealing highly classified bank records of heavy hitters who had stashed their cash inside the tax-free confines of Liechtenstein's LGT Group bank. Kieber did not go straight to jail. Instead, he collected about €5 million, and a free pass into a witness protection program, for dishing the data to German authorities, helping them figure out which of their citizens' tax records might be worth a second look. Now, other authorities are lining up, presumably with chequebooks in hand, to get a glimpse of the other 1,400 names on the list (among them, apparently, 100 Canadians).
In June, a website posted a $7-million reward for news of his whereabouts. But for a twist of fate and tax laws, Kieber would have been just another white-collar convict. So is he a whistle-blowing hero, or a dead man walking? It depends on your point of view. But the underlying reality is that, no matter how you protect your data, someone, somewhere will always have access to it, usually for legitimate reasons, and that's where things can go horribly wrong.
Sheer nosiness, rather than financial gain, is another motivator. Consider the plight of the University of California at Los Angeles (UCLA) Medical Center. The haven for ailing celebs fired 13 workers and reprimanded a dozen others in March for snooping through Britney Spears's medical files during the pop princess's mental meltdown. During an internal investigation, the institution discovered that the files of other famous patients had routinely been accessed by unauthorized and non-medical personnel.
Medical facilities are particularly vulnerable, simply because they are repositories of so much personal data. And you don't have to be famous to be a target. The Ottawa Hospital suffered a breach in 2005, when a woman checked in with a chronic heart condition. She was in a custody battle with her ex-husband, who worked at the hospital along with his new girlfriend, a nurse. Concerned that they might try to access her medical files, the patient alerted staff. Too late: her ex's squeeze had already pored through her electronic files and used the information about her condition in the custody fight.
All the firewalls in the world likely wouldn't have protected the Ottawa Hospital. And that's something every company needs to remember: no matter how resistant your system, it all comes down to those with access using it wisely, in accordance with stated policies, and not inadvertently leaving the back door open for any Tom, Dick or Hacker to slip in unnoticed.
There's still a perception that digital files are more easily breached, but that's not necessarily the case. "With paper files, there was no way to know who looked at them and how many times," notes Kel Callahan, head of business development with HIPAAT, a data solutions provider for the health-care industry. Although digital files are more accessible and liquid by nature, they can also be safeguarded with layers of security, including audit trails.
Increasing numbers of health-care facilities are moving to a new approach: limited access managed by exceptions. This means that only those in the immediate inner circle of care have access to patient records, a practice that could soon bleed into the larger corporate world. It remains the best-practice standard for IT managers in all sectors, though there is a downside: it can be a nightmare to balance security and employees' need to work.
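The "limited access managed by exceptions" model and the audit trail Callahan describes fit together naturally: deny by default, grant to the care team or to a documented exception, log every attempt, and then review the trail for the kind of snooping UCLA uncovered. The following is an added illustration written for this article, not code from HIPAAT or any hospital; the staff IDs, patient IDs and exception reason are constructed.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class PatientRecord:
    patient_id: str
    care_team: set                 # staff in the immediate circle of care
    exceptions: dict = field(default_factory=dict)  # staff_id -> documented reason

@dataclass
class AuditTrail:
    entries: list = field(default_factory=list)

    def log(self, staff_id, patient_id, allowed, basis):
        self.entries.append((staff_id, patient_id, allowed, basis))

def request_access(record, staff_id, audit):
    """Default deny: only the care team, or staff holding a documented
    exception, may open the record. Every attempt is written to the trail."""
    if staff_id in record.care_team:
        basis = "care-team"
    elif staff_id in record.exceptions:
        basis = "exception:" + record.exceptions[staff_id]
    else:
        audit.log(staff_id, record.patient_id, False, "no-relationship")
        return False
    audit.log(staff_id, record.patient_id, True, basis)
    return True

def flag_snoopers(audit, min_denied=2):
    """Retrospective review of the trail, as in the UCLA investigation:
    staff with repeated denied attempts on records they have no link to."""
    denied = Counter(s for s, _, allowed, _ in audit.entries if not allowed)
    return {s: n for s, n in denied.items() if n >= min_denied}

def demo():
    """Constructed sample data (hypothetical staff and patient IDs)."""
    audit = AuditTrail()
    celeb = PatientRecord("P-001", care_team={"nurse-a", "dr-b"},
                          exceptions={"billing-c": "claim review"})
    other = PatientRecord("P-002", care_team={"dr-b"})
    request_access(celeb, "nurse-a", audit)    # allowed: care team
    request_access(celeb, "billing-c", audit)  # allowed: documented exception
    request_access(celeb, "clerk-z", audit)    # denied: no relationship
    request_access(other, "clerk-z", audit)    # denied again: flagged below
    return audit, flag_snoopers(audit)
```

Because denied attempts are logged with the same care as granted ones, the review step needs nothing beyond the trail itself, which is exactly what paper files never offered.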
Besides, an attack often comes from the least expected place. Last January, an employee at Steven E. Hutchins Architects in Jacksonville, Florida, popped a circuit when she spotted a help-wanted listing in the weekend paper and became convinced it was a posting for her job. Thinking she was about to be fired, the woman opted for a pre-emptive strike. She drove to the office and began deleting seven years' worth of work, including client files, drawings and other data worth about $2.5 million. The firm had no backup system, but it managed to recover most of the files. (The woman was arrested, and found out the ad wasn't for her job.)
Friendly-fire attacks can be the most painful breaches of all. A case in point: Andrew Rankin, who was a rising star and managing director of mergers and acquisitions with RBC Dominion Securities, until the Ontario Securities Commission (OSC) slapped him with an insider trading charge in 2001. His 2005 conviction was overturned on appeal, and last January the OSC and Rankin settled. He paid a $250,000 fine and admitted he had passed on insider information to his childhood friend, Daniel Duic, who then made several stock trades and netted $4.5 million in just over a year.
Part of the reason Rankin's conviction was overturned was that the judge had ignored part of his defence, which was that Duic exploited his friendship with Rankin and used his access to his pal's home to get into his computer and glean confidential information. The Court of Appeal held that it was not an unlikely scenario, given Duic's background in computer software, plus the fact that the documents were either on Rankin's computer or available over the company network. (Duic settled allegations of insider trading with the OSC in 2004, agreeing to pay back $1.9 million of his proceeds and testify against Rankin in exchange for avoiding a criminal trial.)
These days, we have biometric fingerprint readers, data encryption, encryption key technology and other measures to guard sensitive data. But they only stop unauthorized intruders, who have merely shifted gears in their never-ending quest to steal data they can turn into cash. Marc Fossi, manager of system development for Symantec's security response team, says it's easy to overlook that the "bad guys" have also recognized their resources should be deployed in more lucrative areas. "They know that the user is the weakest link, and they have shifted away from hacking for disruption to hacking for financial gain, working with more organized criminal groups," he says.
Their prime access in such attacks is through the gateway provided by the average employee who may surf to the odd website, or send and receive personal e-mails on the corporate computer. The resulting spam and other attachments can open a company up to a plethora of problems, including malware implanted on corporate computers.
So do you restrict personal use of the Internet and risk ticking off your employees? "That's the security tightrope," says Fossi. "You always have to have that balance between security and usability. It's a combination of software and policy. If you lock up everyone's computers, they can't do anything, and you lose productivity. And you can't just make them sign a user-policy agreement and then sit back and wait for them to violate it and pounce."
There's no magic-wand solution. It's a combination of the usual tools at the IT manager's disposal (software, hardware and policies) along with ongoing outreach programs that gently but constantly remind employees that they, too, must be vigilant. "Quarterly sessions remind them of things to be on the lookout for, and how they can be secure both at home and in the office," says Fossi.
Paul Comessotti, the country manager for Check Point Canada, says it's easier and safer today to have a corporate policy that assumes the worst and makes rare exceptions given the size of the risk. "You really try and take the user out of the equation," says Comessotti. "You push policies down the wire to the PC that say, 'These are the programs that are authorized on this machine, and only these programs.' You block USB ports from things like iPods," he says. "And when they're using a home machine to access the company network, you limit what they can see: e-mail, but no financial data, for example. And if the CFO needs access to corporate financial statements or wants to connect their iPod, you can make an exception for them."
While the hardware and software tools we use every day can hardly claim to be infallible, they can be controlled and forced to conform to corporate policies. Employees, the imperfect wetware, are subject to errors, distractions and temptations, and are more difficult to manage. Until the new, improved, more technologically compatible human version 2.0 is released, we will always be the weakest link.