Your biggest security threat? Your people

An employee uses business credentials to shop online. Another clicks on a link in an e-mail message from a complete stranger. A systems admin goes to a forum for help with a problem and gives detailed hardware, software, network and configuration information.

The exploits, payloads and motives may change, but the single biggest security threat to the enterprise is still its employees.

“Every one of you is owned, I absolutely promise you,” Kris Lovejoy, vice-president of IT risk with IBM Corp., told an audience of security professionals at SC Congress in Toronto on Wednesday.


And with companies putting more data and applications into cloud infrastructures – wherein development and administrative rights are sometimes given to employees who aren’t in the IT department – the time-to-ownership window is getting smaller. Lovejoy’s estimate of spin-up to compromise is about 15 minutes.

Often, “it’s really hygiene that’s the problem,” she says – developers disabling antivirus to compile faster, not changing passwords, leaving default services open.

Lovejoy breaks down security threat into four categories: inadvertant breaches by employees constitute about 60 per cent; unsophisticated, opportunistic attacks make up 20 per cent; and hacktivists and “advance persistent threats,” or APTs, each contribute less than 10 per cent to the threat landscape.

Hacktivist collectives like Anonymous are on the more sophisticated end of the scale, and are a widespread threat. “There’s no end to the reasons that people get mad at you, “ Lovejoy says. But it’s the APTs – organized criminals, terrorists, mercenaries and, speculation has it, national interests – that worry Lovejoy.

“They’re getting real estate on our systems and leaving logic bombs,” she says. “How are they getting in? Through our people.”

A typical targetted attack goes something like this: An attacker searches LinkedIn for a systems administrator at a particular company. Profiles and activity on social networks will reveal preferences, trusted contacts, recent industry activity, and common online destinations. That’.s enough information to spear-phish for access information by posing as a trusted source, infect a third-party Web site to compromise a visiting machine, or guess passwords.

It can be difficult to detect, says Lovejoy, because the exploit could stay inactive for months before installing a keystroke logger, downloading command and control software, leaving logic bombs that will disrupt the system at a later date, or stealing data.

In a later session on risk management through situational awareness, Winn Schwartau, security guru and founder of mobile security company Mobile Application Development Partners LLC and The Security Awareness Co., the focus returned to the human element. Not many companies are dealing with it well, he said.

What are employees saying online that has security implications for the company? Is there a company policy regarding what employees can say in forums and social networks? Can employees use their company credentials, or do they have to use their personal accounts?>

“I’ve seen it occur at the C-level. They’re completely clueless” about the security implications of what they’re divulging online, Schwartau said.

Companies should also be monitoring what’s being said about them online by outsiders, too. If there’s a lot of traffic about you in Eastern Europe, for example, “does that present a road to a potential attack?” he asked.

While how much monitoring of your employees is politically acceptable varies from organization to organization, Schwartau said that simply doesn’t apply to Internet activity. In that case, it’s not an invasion of privacy.

“If it’s on YouTube, it’s not private, it’s public. If it’s on Facebook, it’s public,” he said. Screening employees’ social network profiles helps answer the question, “Does this person make good decisions or not?”

Robert Parnham, director of the information security practice at Marlabs Inc, agreed. If employees are using a company profile, it’s the company’s responsibility. “There’s a need to do due diligence in your hiring,” Parnham said.

Schwartau calls himself a big fan of profiling employees and potential hires.

“I want to know if, as an employee, you’re going to screw me,” he said. But for vetting new hires, he recommends someone who’s trained in “deception detection,” the ability to gauge physiological responses questioning (think Tim Roth in the TV series Lie to Me).

But even those companies that do profile their employees often forget to re-vet the employee periodically, Schwartau said. Financial situations, personal situations and domestic situations change. “People’s lives change,” Schwartau said.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Dave Webb
Dave Webb
Dave Webb is a freelance editor and writer. A veteran journalist of more than 20 years' experience (15 of them in technology), he has held senior editorial positions with a number of technology publications. He was honoured with an Andersen Consulting Award for Excellence in Business Journalism in 2000, and several Canadian Online Publishing Awards as part of the ComputerWorld Canada team.

Featured Articles

Empowering the hybrid workforce: how technology can build a better employee experience

Across the country, employees from organizations of all sizes expect flexibility...

What’s behind the best customer experience: How to make it real for your business

The best customer experience – the kind that builds businesses and...

Overcoming the obstacles to optimized operations

Network-driven optimization is a top priority for many Canadian business leaders...

Thriving amid Canada’s tech talent shortage

With today’s tight labour market, rising customer demands, fast-evolving cyber threats...

Staying protected and compliant in an evolving IT landscape

Canadian businesses have changed remarkably and quickly over the last few...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now