The media always seems to have some reports of hackers gaining access to sensitive company data, and those threats are very real. The nature of our connected networks means attacks can come from anywhere in the world.
Most prudent companies make a concerted effort to protect their IT infrastructure from attacks from the outside – using firewalls, address translation, intrusion detection and other schemes to thwart cyber-criminals.
However, there is another attack vector many companies overlook: threats from within the network. Disgruntled employees behaving badly are an obvious concern, of course, but here are three others to consider with regard to internal threats:
Unintentional Threats from Employees
Remember the old days when well-meaning employees might introduce a virus through the use of an infected floppy disk? We don’t have to worry about that so much, but consider these points of entry for malware, enabled by an innocent employee:
* Infected websites – even when using the Internet for legitimate business purposes, search results often include sites infected with malware, and visiting those sites can introduce a virus or worm into the user’s computer, and then into the network.
* Infected thumbdrives – this is the modern equivalent of the old floppy disk danger; it’s just a different storage device. The employee gets some data or a program from outside the network, and when they plug that drive in, any infection on that thumbdrive can propagate through the network.
* Email social engineering – good antivirus software can prevent malware from launching automatically when attached to emails. But links to infected sites, or “phishing” attempts, can get employees to follow a link or be fooled into providing malware a way into your network.
A clear (and enforced) Company Security Policy, coupled with a corporate culture of security awareness and education, can greatly reduce these types of internal threats.
Inside Access from Non-Employees
It’s not just employees who access the company network. In many cases, suppliers and even clients may have some access to data or applications on your network. Your company’s Security Policy should define the level of access for all users on the network. The rule of thumb is, everyone should only have the minimum level of access they need to do what they need to do. One size does NOT fit all when it comes to user access policies!
In addition, the Security Policy should provide for immediate deletion of user accounts whenever the need for the account goes away (employees who leave, changes in suppliers, etc.). Every extra active account is an internal threat to your network security.
Controlling Access Within Cloud and Virtual Environments
Cloud and virtualization technologies have provided some great benefits with regard to manageability, flexibility and cost savings. However, close attention must be paid to ensure that users accessing systems in the cloud and/or virtual machines can access only the systems and applications that they need.
There are tools for securing these environments, and they should be used. Also, pay some attention to what regulations your business must follow to demonstrate compliance. The financial and healthcare industries, for example, have very specific requirements with regard to data storage and security.
In general, it’s best to address the issue of Network and Data Security from the top down, rather than the ground up. Devise an appropriate Security Policy and make security awareness a part of your corporate culture. Make sure it applies to everyone, and enforce it. You should also re-assess your infrastructure’s security at least annually.
Clare Computer Solutions can help with a lot of the planning, evaluation, implementation and maintenance of your company’s data and network security. A place to start is with a Disaster Recovery and Business Continuity plan. Security breaches can be very costly – they could put you out of business. Take the time to protect your business!