Roadblock: Insiders


THE OBSTACLE

Half of the almost 500 corporate security professionals responding to the FBI/Computer Security Institute’s 2004 Computer Crime and Security Survey said an insider had breached their organization’s computer security. So how does a company provide access to its systems to employees, and still safeguard the intellectual property and trade secrets that are its competitive lifeblood? Jim Litchko, a security expert with 30 years’ experience and author of the Know book series, including Know IT Security and Know Cyber Risk, provides the following tips to help companies protect their secrets while maintaining employee productivity.

THE RESPONSE

Limit access.
The most obvious separation. Don’t assume that every person needs access to every piece of information. And when you do allow access, keep your eyes open. When Litchko was in college, a car building company allowed university students to tour its premises as a kindness to the engineering department. One student had a camera and took pictures in the company’s drafting area of drawings of a new transmission. After the student patented the design, the company had to buy it back. Keep sensitive areas closed off. Hide valuable objects or processes.

Educate.
Guard access to data. Review all public releases of information. Combine the watchfulness with “heavy, continuous awareness training” so managers and employees understand what the bounds of public information can be, Litchko says. Sometimes dramatic action is required, such as firing an accountant who shares salary information with someone not authorized to have it, even collegially. “Sometimes fear makes a point,” he says.

Monitor visitors.
Check backgrounds of regular visitors, and any visitors to sensitive parts of your operations. Watch activities of any outsiders on your premises. Litchko recalls a graphic arts company whose systems kept slowing down. Months later, an investigation revealed that the culprit was the cleaning crew, which was stealing the memory off the company’s computers and reselling it. In sensitive areas, employees can push a vacuum cleaner around and carry garbage outside the room, Litchko says.

Understand who’s unhappy.
One company Litchko investigated lost 10% of its people after an e-mail circulated with staff salaries on it. Productivity plummeted as employees wondered why others made more or less money than they did. The breach of such confidential information was a mystery for a while because the accounting system was physically separate from the rest of the computers. The culprit turned out to be a member of the firm’s computer maintenance staff, according to Litchko. Since he was known to be unhappy, he should not have been permitted to handle sensitive data.