At a recent gathering of both good and bad hackers in a dingy pub in Leicester Square, I asked them whether the economy was opening up new opportunities for them.
The response was an overwhelming “yes”, with nearly everyone agreeing the cutbacks had led to jobs being outsourced and, with fewer folks in IT looking after security, there would be more room for vulnerabilities and mistakes to emerge.
They were also quick to state that the sentiment among redundant employees was one of disgruntlement, making them more inclined to exploit loopholes in their previous employers’ networks.
Demand for data
The hacker community reinforced findings Cyber-Ark unearthed in a recent survey it conducted among office workers in London’s Canary Wharf, New York’s Wall Street and also in Amsterdam.
Of the 600 workers surveyed, 56% said they were worried about losing their job because of the economic climate and, in anticipation, over half admitted to downloading competitive corporate data which they had identified as a useful negotiating tool in preparation for securing their next position.
At the top of the list of desirable information to steal are customer and contact databases, with plans and proposals, product information, and access/password codes also popular choices with a perceived value.
Memory sticks are the smallest, easiest, cheapest and least traceable method of downloading huge amounts of data, which is why, according to the Cyber-Ark survey, they are the “weapon of choice” to sneak out data from under the boss’ nose. Other methods were photocopying, emailing, CDs, online encrypted storage websites, smartphones, DVDs, cameras, Skype and iPods.
It is not all doom and gloom, however. The survey also discovered that 70% of companies had implemented restrictions to prevent employees from taking information out of the office – although that still leaves a worrying 30% unprepared.
In the current economic climate, employers need to be able to trust their staff, yet with everyone jittery about keeping their jobs, the instinct is to look out for number one.
The result is that employers need to be stricter about locking down sensitive and competitive information. If times get hard, and they invariably will, companies need to ensure that any cutbacks are not deeper than expected when stolen data unexpectedly eradicates any chance of survival.
Cyber-Ark advises businesses to allow access to their most critical assets only to those who really need it, and to make sure those assets are encrypted.
Ringfence the risk
- Only allow staff access to the information they need for their everyday activities. Install multiple security layers according to the value of the information, and use a digital vault, where you can encrypt the company’s most critical assets.
- Regularly change passwords on administration accounts or privileged accounts accessed by more than one user, as these power passwords are often shared.
- Drum into your staff the importance of respecting company data and make sure you instill good IT security housekeeping rules.
- Make sure you have an audit trail for sensitive and important data. That way, you can track who has access to what information and can check who is accessing it.
- Have a strict password usage policy that means all users within the company have to change passwords regularly, mixing numbers, letters and symbols, and ensure they are kept secret.
- Have a strict protocol for remote users and administer security products onto mobile devices centrally. Deploy the best, most transparent, encryption technology that does not impede the device or impact the user, otherwise they will do their utmost to bypass it.
- Have protection in place against data deletion and loss. Earlier file versions should be retained, ensuring an easy way to revert to the correct file content or recover from data deletion quickly.
- Always use digital signatures so that unauthorised changes in files are detected.
- Make sure you have end-to-end network protection. Security must be maintained while data is being transported over the network.
- Maintain process integrity at all times. It is critical to be able to validate that data transfer is executed correctly. The transfer process must provide auditing features, data integrity verification, and guaranteed delivery options.
Mark Fullbrook is UK director for Cyber-Ark Software
This was first published in February 2009