In-Depth
Top 10 Employee Security Gaps to Plug Right Now
If it seems that companies aren't learning anything from the front-page security mistakes of competitors, take heart: Consultants and security experts are. Based on their experience and observations, here are 10 security gaps the experts have observed over and over, along with advice for addressing them.
- By Linda Briggs
- 10/16/2007
If there's good news about the often-abysmal state of information security at most companies, perhaps it's this: We're all making the same mistakes, and we're making them over and over again. "When I go into an organization, I don't care what size or type… I will generally find [the same] five general overall problems" with employees and security, according to Chris Apgar, a CISSP and president of Apgar and Associates, a compliance and information privacy consulting firm that focuses on the health care and financial sectors. Those five areas: Training, policies and procedures, disaster recovery and business continuity planning, audits, and risk analysis.
Here are suggestions from Apgar and two other security experts on addressing some of the most common employee security problems they see.
1. Review policies and procedures
It sounds basic, but when it comes to security policies and procedures, Apgar is brutally blunt in summing up what he sees out there: "They are generally incomplete, inaccurate, not enforceable, and not reviewed periodically." Good policies and procedures go hand-in-hand with training, since one depends on the other. In general, security policies and procedures should be looked at yearly—more often if a significant change occurs in the company.
The reverse is also true: some companies are handling security exactly as they should be, but the procedures themselves aren't well-documented. Poor or missing written procedures can be a red flag for external auditors of all stripes, Apgar points out. "Auditors love documentation; they're going to ask for it," he says. "The quality of your documentation is going to govern how long that auditor sticks around." Whether true or not, good documentation signals to auditors that a company is doing the right things around security.
2. Define your trusted insiders
If your company is like most, you need to realign your thinking around the term "employee." With firms opening up to more and more third-party access via outsourcing, partnerships and other arrangements, you're expanding your perimeters, often unthinkingly. Sometimes that sort of quasi-insider access is thought through and locked down; sometimes it isn't.
"Many times, networks are set up in such a way that those people have the same access as regular employees," according to Michael Gavin, security strategist at Security Innovation, a company that provides application security and risk assessment, risk mitigation and training services. "Before you decide that someone is a trusted partner," Gavin says, "put controls in place to limit their access."
As an extension to that, make sure your next threat assessment includes a broad look at exactly who has access to what parts of the company, who defines and controls that access, and evaluating what level of risk that introduces.
3. Crack down on physical security
It's been said plenty before, but it evidently bears repeating, since laptops continue to be lost or stolen apace. Take yet another hard look at whether your company could be a very public victim of a physical theft of a laptop, or of backup tapes or a memory stick mysteriously gone missing, or one of the myriad other ways that huge batches of customer data have disappeared lately.
Like so many employee security issues, it's an education issue in great part, so make a vow to step up employee training that focuses on this particular issue. And don't forget those trusted outsiders mentioned earlier; they need training as well, either by you or by their employer. IT also needs to do its part by properly encrypting data and limiting worker access to it, but there's plenty of work to go around here, and educating employees is crucial.
It's not just laptops, but any mobile device, since more and more can carry significant amounts of data these days. Also, Gavin says he's seen cases where corporate access policies are less stringent when it comes to network access via mobile devices. That might be because higher-ups are often the users of those devices, and it can be hard to say no to the CFO. Again, take a hard look at your policies: Are they up to date and do they delve into enough detail in terms of the latest devices? At your next risk assessment, ask whether the convenience of C-level access is worth the risk.
4. Plug the browser gap
Malware. Viruses. Root kits. Key loggers. It's all bad, and it's all out there waiting for an employee inadvertently running amuck on the Internet. (Root kits take over the operating system; key loggers record and report back on a user's keystrokes.)
By running ActiveX controls and other executables, Gavin says, users can pick up all sorts of malware. The best defense: companies can blacklist known bad sites, using software designed for that purpose. Or whitelist sites, allowing employees to use their work systems only on allowed sites. In either case, the product should have a client agent, so that if users aren't on the corporate network but are elsewhere on a company laptop, they're still protected.
5. Watch the Web surfing
Although big firms get most of the media attention when a breach occurs, small companies face at least as many challenges in keeping employees in line and out of trouble. MIS Alliance is an IT solution provider that focuses on small and mid-size companies. In companies with a few hundred employees or less, according to VP of IT Brad Dinerman, the biggest problems come from the Internet. Despite warnings, Dinerman says, employees "continue to go to the Web and download whatever is of interest to them at the moment." That might be a freeware screen saver, a new toolbar, or a piece of pornography. Any download, of course, can carry a variety of malware along with it.
6. Push password rules
Another problem Dinerman sees regularly: A failure by employees to change passwords regularly, and when they do change them, to choose appropriately complex words. Company training to address both Web surfing and poor password policies should include pointed, direct information about how a security breech affects the entire company. After all, at a small company, a single training session might need to reach an audience ranging from the office manager to the night guy in shipping who just wants to surf the Web when things are slow.
7. Create an "acceptable use" policy
Another good tool for reining in employees: Dinerman highly recommends that employees be asked to sign an "acceptable use" policy. "Those are important; we make all of our employees here sign one," he says. The document basically functions as a stern warning, in which employees agree that, for example, anything they do on a company computer is legally discoverable; that the company can repossess computers at any time, and that employees won't conduct personal business using the company email system. Basic rules, but putting them in writing helps to show employees that you're serious.
Because new security challenges arise regularly, Dinerman also suggests that IT staff at small companies, who often wear many hats, consider joining a security organization for networking and information-sharing, and for sample documents such as an acceptable use policy. He formed such a group five years ago, the National Information Security Group, which meets monthly in Boston to discuss security issues. Its technical tips mailing list is free, as are meetings; sign up at http://www.naisg.org.
8. Monitor phishing threats
One reason for regularly repeating employee security training is the constant stream of new and fresh ways attackers come up with to elicit information from the unwary. Spear phishing is a clever term for phishing taken to another level by targeting a specific set of users about which attackers have some piece of information. The attack might look like it's coming from HR, or from a friend. Those tactics can make the phishing e-mail seem very real—it might address a user by name, reference a specific account, include an address, and so forth. That boosts the success rate of such attacks, Gavin says, and can also help such email fly under the radar of spam software and other perimeter defenses.
Again, users need to be warned regularly through very immediate examples of the sort of threat this poses, and reminded again to never ever respond to email requests for personal information, and to never click through on email links requesting that information. Also, Gavin says, the latest round of browsers have some anti-phishing capabilities, by which they can sometimes identify a suspicious Web site and which are updated regularly with known phishing sites. Those may not work for spear-phishing, though, so be aware. IT administrators can join the Anti-Phishing Working Group, or APWG for more information.
9. Watch your wireless network
The proliferation of wireless has created a whole new set of issues, among them the ability of an ordinary employee to create an onsite wireless access point, or WAP, on the company's wireless network. The problem with that, according to Security Innovation's Gavin: "If you set up a WAP and are not authorized to do that, you're managing it yourself." For that reason, it's much more likely to be successfully broken into. "They have to be taught that they need to be willing to let it be managed by someone else," Gavin says.
Again, the best remedy here is increasing employee awareness. Although such rules are seldom popular, make it known that rogue devices are a security breach, and users who want to set up a laptop as a wireless access point need to understand the ramifications, and talk with IT first.
Another strategy to control unauthorized wireless access points, Gavin says: "Do what the attackers are going to do. Occasionally walk around and look for things. Put together the old Pringles can and go 'war driving' in your own environment. I really don't know a better solution than to occasionally do that." (The Pringles can reference is to a much-discussed method of building a wireless antennae device on the cheap.)
10. Train, train, and train some more
If there's a common thread the experts all agree on in addressing each of these issues, it's the importance of education and training. Poor training and unaware employees lie at the root of many if not most employee security breaches. All three of the interviewed security experts emphasized one point: Use real-life examples from today's headlines to shake employees out of security complacency and to help make your points. Unfortunately, there's no lack of those stories into the foreseeable future.