Unmasking Security Threats in the Workplace

Monday, February 28, 2011

Lindsay Walker


Corporate security risks can creep up on you from anywhere in your company. Most people think that the greatest risks reside outside of the organization, from hackers trying to get their hands on company lists and other information they can sell.

Unfortunately, there are still a lot of internal risks that need to be addressed, as employees remain a major corporate security threat as well. Keeping up to date on new threats is important, as cyber-criminals and those from within your company can move from one scheme to the next in the blink of an eye.

Knowing where to start can be difficult. The SANS document "The Top Cyber Security Risks" states:

"The number of attacks is now so large and their sophistication so great, that many organizations are having trouble determining which new threats and vulnerabilities pose the greatest risk and how resources should be allocated to ensure that the most probable and damaging attacks are dealt with first."

Common Corporate Security Threats

In order to determine where to start, you need to assess the workplace and figure out which threats exist inside and outside of the organization. Then, you'll want to prioritize these risks to figure out which ones to address first. Here are some of the common security threats your company might encounter:

Human Error: Intentional or not, people are security threats. Some examples of common human errors include:

  • Misplacing information.
  • Opening spammy emails.
  • Failure to properly process information.
  • Improper disposal of documents (electronic and paper).
  • Sending email to someone other than the intended recipient (one of the dangers of auto fill!).

Disgruntled Employees: If your systems aren't secure, employees could be stealing all kinds of data before anyone notices. There are a lot of reasons why a disgruntled employee might engage in these types of activities: the employee sees the opportunity and could use the money, or feels the desire to take revenge on the company. Simple measures such as removing disc drives from computer towers can make a difference.

Cyber Criminals: Cyber criminals have developed a number of sneaky tactics to break into systems to get the information they want. In an article I read about a big-time cyber criminal in the NY Times, it almost seemed as if it wasn't about the information or the money, but simply the ability to hack into as many systems as possible. The tactics used by cyber criminals can be hard to catch, as many companies report that their systems had been invaded long before they knew anything was wrong.

Property Theft/Misplacement: Information stored on laptops, USB keys and other portable devices increases security risks, as these devices can be misplaced or stolen. These devices must be guarded by strong passwords and other recognition systems (facial scan, fingerprint, etc.) to make sure information stays protected.

Insufficient Network Security: If your systems aren't properly guarded, it's easy for someone to break in. There are tons of ways that hackers weasel their way into your systems, so I recommend consulting a security or IT professional to find out which types of attacks you need to be on the lookout for. Find out which ones are most common and which ones could do the most damage, so that you can prioritize your actions.

Accessibility: When everyone has access to information in your organization, everyone could potentially steal that information. Sensitive information or information that doesn't pertain to one's job shouldn't be accessible to that employee. Clearly defined access roles make it easier to take control over sensitive information.

Social Media: The main security risks surrounding social media are personal information breaches and the sharing of confidential information over these networks. Some people post work-related information in a Facebook wall post or when tweeting at someone, making the information available for a lot of people to see. There's a time and place for everything, and it's probably best not to have sensitive work-related conversations with a colleague on a social media site.

Corporate security is the responsibility of everyone in the organization, not just the IT department. Security requires commitment from the uppermost levels of the organization so that the appropriate resources are available. No employee should be lazy about corporate security.

Lai Sun Chan: I fully agree that employees remain a major corporate security threat. Hence, I have always said that security is about managing human behaviour. The counter-measure to deal with the human threat is to create a strong security culture within the corporation and inculcate an employee royalty program.