Go ahead—pile on the passwords, the port policies and all the IT standards you like. But the weakest link in your network will probably still let you down. It is not a failed firewall or an outdated antivirus filter. It's neither hardware nor software. It's a wetware issue. All the controls in the world mean little if someone with network access makes a mistake—or worse, decides to tap into confidential information or wreak a little havoc.
That's because the weakest link in your company's security is human—your employees are by far the biggest threat to your corporate network.
Take the case of Heinrich Kieber. The 43-year-old computer technician was arrested and convicted in 2002 of stealing highly classified bank records of heavy hitters who had stashed their cash inside the tax-free confines of Liechtenstein's LGT Group bank. Kieber did not go straight to jail. Instead, he collected about €5 million—and a free pass into a witness protection program—for dishing the data to German authorities, helping them figure out which of their citizens' tax records might be worth a second look. Now, other authorities are lining up, presumably with chequebooks in hand, to get a glimpse of the other 1,400 names on the list (among them, apparently, 100 Canadians).
In June, a website posted a $7-million reward for news of his whereabouts. But for a twist of fate and tax laws, Kieber would have been just another white-collar convict. So is he a whistle-blowing hero, or a dead man walking? It depends on your point of view. But the underlying reality is that, no matter how you protect your data, someone, somewhere will always have access to it—usually for legitimate reasons—and that's where things can go horribly wrong.
Sheer nosiness, rather than financial gain, is another motivator. Consider the plight of the University of California at Los Angeles (UCLA) Medical Center. The haven for ailing celebs fired 13 workers and reprimanded a dozen others in March for snooping through Britney Spears's medical files during the pop princess's mental meltdown. During an internal investigation, the institution discovered that the files of other famous patients had routinely been accessed by unauthorized and non-medical personnel.
Medical facilities are particularly vulnerable, simply because they are repositories of so much personal data. And you don't have to be famous to be a target. The Ottawa Hospital suffered a breach in 2005, when a woman checked in with a chronic heart condition. She was in a custody battle with her ex-husband, who worked at the hospital along with his new girlfriend, a nurse. Concerned that they might try to access her medical files, the patient alerted staff. Too late—her ex's squeeze had already pored through her electronic files and used the information about her condition in the custody fight.
All the firewalls in the world likely wouldn't have protected the Ottawa Hospital. And that's something every company needs to remember: no matter how resistant your system, it all comes down to those with access using it wisely, in accordance with stated policies, and not inadvertently leaving the back door open for any Tom, Dick or Hacker to slip in unnoticed.
There's still a perception that digital files are more easily breached, but that's not necessarily the case. "With paper files, there was no way to know who looked at them and how many times," notes Kel Callahan, head of business development with HIPAAT, a data solutions provider for the health-care industry. Although digital files are more accessible and liquid by nature, they can also be safeguarded with layers of security, including audit trails.
Increasing numbers of health-care facilities are moving to a new approach—limited access managed by exceptions. This means that only those in the immediate inner circle of care have access to patient records by default; anyone else must invoke a documented exception, which is recorded in the audit trail. It is a practice that could soon bleed into the larger corporate world, and it remains the best-practice standard for IT managers in all sectors, though there is a downside: it can be a nightmare to balance security against employees' need to get their work done.
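To make the "limited access managed by exceptions" model concrete, here is an added illustration (not code from any vendor or facility named in this article): access to a record is denied by default unless the user is in that patient's circle of care, an exception requires a stated reason, every attempt lands in the audit trail, and the trail is then queried for the kind of repeated out-of-circle access that the UCLA snooping case involved. Patient ids, staff ids and the sample accesses are constructed for the example.

```python
from dataclasses import dataclass, field
from collections import Counter
from typing import Optional


@dataclass
class AuditEvent:
    user: str
    patient: str
    allowed: bool
    reason: Optional[str] = None  # justification given for an exception, if any


@dataclass
class RecordStore:
    # patient id -> staff ids in that patient's circle of care (constructed sample data)
    care_team: dict[str, set[str]]
    audit: list[AuditEvent] = field(default_factory=list)

    def open_record(self, user: str, patient: str, override_reason: Optional[str] = None) -> bool:
        """Default deny: only the circle of care gets in. Anyone else must state a
        reason (the exception path), and every attempt, allowed or not, is logged."""
        in_circle = user in self.care_team.get(patient, set())
        allowed = in_circle or bool(override_reason)  # an empty reason does not count
        self.audit.append(AuditEvent(user, patient, allowed,
                                     None if in_circle else override_reason))
        return allowed

    def exceptions(self) -> list[AuditEvent]:
        """Accesses that bypassed the care-team rule: the queue a privacy officer reviews."""
        return [e for e in self.audit if e.allowed and e.reason is not None]

    def frequent_exception_users(self, threshold: int) -> list[str]:
        """Users who invoked the exception at least `threshold` times: a snooping signal."""
        counts = Counter(e.user for e in self.exceptions())
        return sorted(u for u, n in counts.items() if n >= threshold)


def demo() -> RecordStore:
    """Constructed sequence of accesses against two patient records."""
    store = RecordStore(care_team={"P-001": {"dr_lee", "rn_kim"}, "P-002": {"dr_lee"}})
    store.open_record("dr_lee", "P-001")                      # care team: allowed, no exception
    store.open_record("clerk_01", "P-001")                    # no reason given: denied, still logged
    store.open_record("rn_ward7", "P-001", "ER consult")      # exception: allowed and flagged
    store.open_record("rn_ward7", "P-002", "covering shift")  # second exception by the same user
    return store
```

The audit trail is what distinguishes this from the paper-file world Callahan describes: the denied attempt and both exceptions are on record, and `frequent_exception_users` turns that record into a review list rather than leaving it to chance.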
Besides, an attack often comes from the least expected place. Last January, an employee at Steven E. Hutchins Architects in Jacksonville, Florida, popped a circuit when she spotted a help-wanted listing in the weekend paper and became convinced it was a posting for her job. Thinking she was about to be fired, the woman opted for a pre-emptive strike. She drove to the office and began deleting seven years' worth of work, including client files, drawings and other data worth about $2.5 million. The firm had no backup system, but it managed to recover most of the files. (The woman was arrested, and found out the ad wasn't for her job.)
