Managers be warned: A significant threat to the security of your data may be the very people you pay to keep your secrets safe.
That’s the message from a new survey that found more than a third of corporate information technology security professionals claim they have the ability to hold their organization’s data hostage.
Of the 500 information technology and data security staff who attended the recent Infosecurity Europe conference in London, 40 per cent boasted that they would find it easy to use their knowledge of encryption keys, shared passwords and loopholes in data security programs to walk off with any information they wanted.
And, because they know the systems and could take encryption keys and authorization codes, 31 per cent said they were sure they could hack in remotely and snoop, secretly alter files or shut down the data system, even if they no longer worked for the company.
“For many organizations, the greatest threat to data may actually be internal,” said Gregory Webb, director of marketing for Utah-based encryption services company Venafi Inc., which conducted the poll. Several Canadian data managers were included in the survey.
A separate poll in April by Verizon Security Business Solutions estimated that insiders account for 17 per cent of corporate data-hacking incidents.
Inside jobs can be costlier and more damaging because employees who compromise databases are often seeking to make a big score or get revenge, rather than just doing it to prove they can, which is a common motivation for amateur hackers, Mr. Webb said.
“A significant number of IT staff could cause chaos for their organizations with their knowledge of and access to digital certificates and encryption keys due to lack of management controls and no separation of duties,” Venafi’s research concluded.
The largest example is WikiLeaks, in which insiders in the U.S. government released thousands of supposedly secure and encrypted secret documents to an outside organization that made them public, Mr. Webb said.
While not an inside job, a series of hacks of Sony Ericsson databases in several countries over the past month highlights the threat posed by weak data security, Mr. Webb said. Last week, Sony Ericsson Canada’s eShop for phones and accessories was hacked, potentially exposing the names, e-mail addresses and passwords of about 2,000 users.
The hackers bragged online about how simple it had been for someone acting alone to get into Sony’s supposedly secure sites.
“That’s why it is important to have multiple levels of control and to separate duties of security personnel. Ideally, there should be an automated system in which no one person holds the actual key,” Mr. Webb said. In that type of high-security system, the keys used to decrypt data are kept in a secure computer and can only be activated after authorization from several people, none of whom knows the entire key.
“An automated system takes the human factor out of the loop. It’s like having a lock on the front door of your house but giving keys to the maid and your kids and their friends. It doesn’t matter how big the lock is if someone leaves the organization and still has a copy of the key,” he said.
Smaller firms should be just as diligent as large ones about reviewing their data protection systems, advised Chester Wisniewski, senior security adviser at Vancouver-based data protection company Sophos Canada. He couldn’t explain why the Sony system was apparently so easily breached, but said the company should have taken more precautions and regularly tested its sites for vulnerabilities.
“The Sony incident is pointing out that whether an organization has 250,000 employees or 25, the playing field is the same. It could ruin your business and your reputation if you aren’t careful and take precautions.”
Most small companies outsource their security, but that doesn’t mean they can afford to cut corners, Mr. Wisniewski said. “My advice is to make sure that your contract spells out that they are to protect your data with the same practices and encryption that a big company would have.”
Higher security may not even cost that much more, Mr. Wisniewski said.
“You’ll be surprised how much you can get if you just ask. If you don’t ask, the contractor will most likely do the minimum, which leaves you vulnerable.”
