Each week vnunet.com asks a different expert to give their views on recent virus and security issues, with advice, warnings and information on the latest threats.
This week Dave Martin, principal security consultant at LogicaCMG, highlights the perils of a little too much Christmas cheer.
Yes, the season of joy and goodwill to all men is upon us again and the time has come to relax a little and soak up the festive cheer. Yet how far does this headlong descent into all things merry affect the companies we work for?
One of the main reasons we have to be careful not to take our eye off the ball, as research reveals, is that the biggest known threat to a company's security is its employees, and especially so at Christmas. Up to 80 per cent of breaches are caused by employees, so security is not just an IT issue; it's a personnel issue.
It's possible to draw a degree of correlation between increased fraud and the Christmas period. Crime is a function of motive, means and opportunity and that opportunity can increase dramatically over Christmas.
The moment people's guards are down, offices are left empty and unattended for lunches, drinks, parties and the holidays, the window of opportunity grows considerably and the chance of individuals committing criminal acts increases.
Companies trustingly give their employees passwords, access to the network and therefore access to confidential information. Computers, local area networks and the internet have made the stealing of data incredibly easy.
An employee can copy vast amounts of corporate information onto a USB memory stick or CD-ROM in seconds. And how much more difficult is it to monitor this kind of crime if careless Christmas carousers decorate the office with giant baubles, streamers and party poppers which obscure the view of CCTV cameras?
It's also much more difficult to monitor staff throughout the Christmas period. With employees being in and out of the office more frequently, it's difficult to keep up with who should be there and who shouldn't.
Over Christmas, the outcome of a security breach can quickly develop from an IT issue, such as clogging the network with junk email and e-cards, to a human resources and/or board-level issue.
This could involve a soon-to-be-ex employee pinching confidential client information that will be useful in that new role at a competitor in the New Year, or someone being a little more carefree with their December expenses claim on receiving a smaller Christmas bonus than they think they deserve.
As well as intentional theft, employees can also be careless. A little too much Christmas cheer tends to loosen tongues, raise spirits and blur the edge of professionalism. Accessing inappropriate websites or forwarding emails and sensitive data to the wrong people can leave careers in tatters and corporates red-faced.
Another frequent problem is employees discussing a client's business loudly on a busy commuter train, or working on next year's sensitive marketing plans on a laptop in public.
With a number of high-profile security embarrassments made public over the past few years, companies are throwing money at the IT department to invest in firewalls, intrusion detection systems, passwords and encryption. But companies don't seem to be looking at the bigger picture.
A recent survey showed that 71 per cent of companies devolve responsibility for managing and implementing the security policy to the IT department. But should it really be the responsibility of the IT department?
As it appears that people, rather than systems, are a bigger threat to security, the HR department should be keeping its eye on the ball and having its say too.