bodyType

customContents

entityId

entityUuid

articlePageQuery

filter

article

articleBaseAdvertisingInfoArticle

articleListArticle

articleSeoArticle

hooksArticleAcknowledgementGateOverlayArticle

hooksTrackPageViewArticle

hooksContentInterestArticle

articleLinkingDataContent

hooksAmpRedirectArticle

articleSchemaContent

liveArticle

advertZone

sentiment

contentLock

topics

types

sections

paywallTypes

createdDate

publishedDate

sponsorType

urlAlias

moreOnThisArticles

commentCount

authorLocations

authors

corrections

displaySlideShow

multimediaEmbed

printHeadline

seriesContainer

articleSpeeches

socialHeadline

headline

images

flag

firstTopic

glossary

flattenTypeIds

image

relatedLinks

relatedNewsletters

__typename

sponsor

pdfFiles

seriesReverseOrder

series

disableOffPlatformContent

published

updatedDate

summary

subHeadline

body

keywords

readingTime

customTimezone

liveContents

Companies often forget basic principles, such as doing staff background checks

Given the speed at which they can disable a corporate network, it is not surprising that viruses, worms and hackers continue to receive a large share of media attention and IT department resources.

However, as companies beef up their perimeter network security to repel these outside intruders, they often neglect to take into account the human element - either the greed or foolishness of employees who can pose a threat to businesses from the inside.

A phishing scam, for example, is basically a technology threat, but one that owes its effectiveness to  human or social weakness.

FBI Infragard co-ordinator and IT investigation consultant Erik Laykin  said companies should adopt a similar evolution with their IT and security policies.

'Never underestimate the human touch,' the director of California-based Navigant Consulting  said  while in Hong Kong last week.

'IT does not exist in a vacuum, and if companies deal with it as an isolated programme it will lead to security breakdowns in areas where the IT policy doesn't cover ... Security doesn't begin and end with information technology.'

Mr Laykin said that while most companies were aware of the potential threat from external hackers, many  were underprepared for potential  risks  on the inside, from vulnerabilities in their business processes or from corporate spies.

'These guys usually have smiley faces and sit in the cubicle next to you, but all the time they are selling information to rival firms,' he said.

Whereas external hackers often have to break through layers of security, internal abuse is usually simplified by a lack of checks in place. A survey conducted by the United States Secret Service between 1996 and 2002 found that 87 per cent of cases of internal security breaches required no special computing skills and were carried out using normal user commands and applications.

Mr Laykin said businesses  were facing a 'control conundrum', with top-down control gradually eroded by the individual empowerment increases afforded by computers and the internet.

'The real risk to companies comes from a trusted employee or contract worker, who has access to the system but who then uses that access nefariously,' Mr Laykin said.

In other words, in the rush to secure expensive networks companies have forgotten basic principles such as performing background checks on new employees.

The principle is especially important in places  such as the mainland, where a recent Economist study revealed that more money is lost through breach of contract among partners and 'grey area' sales than counterfeiting.

'Background checks are tough to do in a place like China,' he said.

'If I have to spend US$10,000 to do background checks on my new plant manager, then so be it. Better that than losing millions of dollars of intellectual property by letting a rat into the factory.'

Focus Network Security managing director Frank Yam put it even more succinctly: 'Garbage in, garbage out.'



Biggest risk to a firm's security is from inside