All it takes is one employee to unknowingly compromise a network’s hard outer shell.
And when that happens, all other security measures could simply melt away, according to the founder of the Hacker Research Lab at Oshawa, Ont.-based University of Ontario Institute of Technology (UOIT).
“The reality is many businesses are operating under a false sense of security,” said Clemens Martin, who is also director of IT Programs at UOIT. “All too often we see corporate networks that become compromised by an ‘igloo effect’ of sorts.”
The good news is many corporate executives are becoming increasingly aware of this risk.
Most business leaders polled as part of a recent Fusepoint/Sun Microsystems/Leger Marketing survey stated that the greatest threat to their data security was not likely to come from a malicious external attack, but rather from the hands of an uninformed employee.
Martin also believes the private and public sectors have similar security concerns.
He said in both sectors the infrastructure used is similar, and malicious attackers are keen to infiltrate both.
There is a common interest in the “bad guy community” to get inside networks in both sectors, and attacks designed to fool uninformed or undereducated employees and public servants are becoming more sophisticated, according to Martin.
Depending on an individual’s e-mail settings, and security products in use, an e-mail may just have to be clicked on – without any attachments whatsoever being opened – for the attacker to get in, he said.
“If you look at HTML-formatted e-mails, just like a Web page, there can be embedded code that can download,” Martin said. “There is a risk, but there is also protection.”
Martin pointed to products from Cupertino, Calif.-based Symantec, but also noted that security software and conventional insurance are two different things.
“You can buy an insurance policy for almost anything,” Martin said. “But you can’t buy insurance to hedge against IT security risks because the problems are not understood as well as earthquakes or fires or car theft. Those (problems) have been well studied over years and years.”
Most IT security problems are studied in computer science departments, he said.
