Submitted by Barrie Parker, Louisiana Workers' Compensation Corporation
For years, protection of a company's data has been focused primarily on external threats – viruses, Trojan horses, worms, hackers, etc. The sad reality, however, is that more security breaches are caused by internal sources than by anything outside the network's firewall. With the proliferation of devices that can store large amounts of data in a very small physical space (e.g. cell phones, iPods, external hard drives, thumb drives, memory sticks, smart media cards, compact flash cards, etc.), the problem of data security becomes even greater.
External devices that connect to today's computers via USB or FireWire can store as much as 80 GB of data, and a disgruntled employee can easily use one to upload data-corrupting code into the corporate network. An additional danger is that large amounts of corporate information can simply walk out the door on one of these devices.
What can be done about these dangers? Well, a 2004 report by the Gartner Group ("How to Tackle the Threat from Portable Storage Devices," by analyst Ruggero Contu) suggested banning all iPods and other portable storage devices from entering the workplace as the risk to enterprise data is significant. The report also went on to suggest that companies should consider a "desktop lockdown policy" that disables universal plug and play functions to permit the use of only authorized devices.
While Gartner's view may be considered somewhat draconian and impractical, there are other approaches that have merit. Technical approaches include using personal firewalls and endpoint products that limit what can be done via USB ports, and employing enterprise-wide data encryption. Companies that want to seriously protect intellectual property should use digital rights management technology, which limits the amount and type of data employees can download.
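The "desktop lockdown policy" that permits only authorized devices and the USB-port restrictions mentioned above can both be implemented on a Windows workstation through the Removable Storage Access and Device Installation Restrictions policies. The script below is an added example, not part of the original article or of Gartner's report: it audits which USB mass-storage devices are currently attached, then writes an allow-list so that only company-issued drives install, and makes removable disks read-only so data cannot be copied out. The hardware IDs in the allow-list are constructed placeholders, and the script must be run from an elevated PowerShell session.

```powershell
# Added example (not from the original article): a removable-storage lockdown
# for a Windows workstation using the Group Policy registry locations for
# "Device Installation Restrictions" and "Removable Storage Access".
# Run elevated. The hardware IDs below are constructed placeholders.

$Restrictions  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$StoragePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device-class GUIDs used by the Removable Storage Access policy.
$RemovableDiskClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # removable disks (thumb drives, external HDDs)
$WpdClasses = @(                                                 # portable devices (phones, media players)
    '{6AC27878-A6FA-4155-BA85-F98F491D4F33}',
    '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}'
)

# Constructed allow-list: hardware IDs of company-issued drives (placeholders).
$ApprovedHardwareIds = @(
    'USBSTOR\DiskEXAMPLE_VENDOR&Prod_Approved_Drive',   # placeholder, not a real device
    'USBSTOR\DiskEXAMPLE_VENDOR&Prod_Backup_Disk'       # placeholder, not a real device
)

function Get-ConnectedUsbStorage {
    # Audit step: list USB mass-storage devices present right now with their
    # hardware IDs, so an administrator can collect IDs for the allow-list or
    # spot a device that is not approved.
    Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object {
            $ids = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                        -KeyName 'DEVPKEY_Device_HardwareIds').Data
            [pscustomobject]@{
                Name        = $_.FriendlyName
                InstanceId  = $_.InstanceId
                HardwareIds = ($ids -join '; ')
                Approved    = [bool]($ids | Where-Object { $ApprovedHardwareIds -contains $_ })
            }
        }
}

function Set-RemovableStorageLockdown {
    param([string[]]$AllowedIds = $ApprovedHardwareIds)

    # 1. Deny installation of any device not explicitly allowed
    #    ("Prevent installation of devices not described by other policy settings").
    New-Item -Path $Restrictions -Force | Out-Null
    Set-ItemProperty -Path $Restrictions -Name 'DenyUnspecified' -Type DWord -Value 1
    Set-ItemProperty -Path $Restrictions -Name 'AllowDeviceIDs'  -Type DWord -Value 1

    # 2. Write the allow-list; Group Policy stores the IDs as string values named "1", "2", ...
    $allowKey = Join-Path $Restrictions 'AllowDeviceIDs'
    if (Test-Path $allowKey) { Remove-Item -Path $allowKey -Recurse -Force }
    New-Item -Path $allowKey -Force | Out-Null
    for ($i = 0; $i -lt $AllowedIds.Count; $i++) {
        Set-ItemProperty -Path $allowKey -Name ($i + 1) -Type String -Value $AllowedIds[$i]
    }

    # 3. Even approved removable disks become read-only, so files cannot be copied out.
    $diskKey = Join-Path $StoragePolicy $RemovableDiskClass
    New-Item -Path $diskKey -Force | Out-Null
    Set-ItemProperty -Path $diskKey -Name 'Deny_Write' -Type DWord -Value 1
    Set-ItemProperty -Path $diskKey -Name 'Deny_Read'  -Type DWord -Value 0

    # 4. Phones and media players use a different device class; deny both read and write.
    foreach ($class in $WpdClasses) {
        $wpdKey = Join-Path $StoragePolicy $class
        New-Item -Path $wpdKey -Force | Out-Null
        Set-ItemProperty -Path $wpdKey -Name 'Deny_Write' -Type DWord -Value 1
        Set-ItemProperty -Path $wpdKey -Name 'Deny_Read'  -Type DWord -Value 1
    }
}

Get-ConnectedUsbStorage | Format-Table -AutoSize
Set-RemovableStorageLockdown
```

Two practical caveats: the installation restriction takes effect for devices installed after it is set, so devices already on the machine should be reviewed with the audit function first; and on a domain-joined machine any locally written values under these policy keys are overwritten at the next Group Policy refresh, so the settings belong in a domain GPO rather than in a script run on each desktop. Test on a pilot machine before rolling out, since an over-tight allow-list also blocks legitimate keyboards and mice if their IDs are not covered by another policy.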
However, perhaps the most important, often-overlooked aspect of protecting data does not involve technology solutions: employee awareness. Employee awareness begins with setting a clear and firm computer usage policy within the company that spells out to employees what is acceptable and what is not. Every employee should sign the policy annually, and ongoing education regarding security awareness needs to occur throughout the organization.
One important facet of security awareness is the concept of "social engineering." Social engineering is a term that describes the human side of computer security. Social engineering techniques involve tricking authorized employees, by relying on the helpful nature of people in general, into providing information that will compromise network and computer security. Security firms are often employed to use social engineering techniques to test organizations and see whether people understand the value of the information they possess and what it takes to protect it. Social engineering tests have revealed situations where employees provide their passwords to strangers with minimal effort. By appealing to human emotions, vanity and customer service motivations, social engineers have been allowed to walk through high-security areas of building facilities and gain access to critical systems.
Security experts propose that as our culture becomes more dependent on information and more devices allow greater access to data, social engineering and internal access will remain the greatest threat to any security system. Prevention includes educating people about the value of corporate information and training them to protect it.