Most employees never saw the email, since the company’s spam filters caught it. But one employee, who accessed the network from a personal laptop without the filtering software, did receive the email. He clicked.
With that one click, his every move — keystrokes, passwords, access to the company’s network — could have been seen by the email sender.
In this case, the sender wasn’t a true hacker; it was Sacramento Technology Group, a Folsom-based network security company hired to test the network’s security weaknesses. The strategy’s successful breach highlighted the biggest information security risk facing companies today: employees.
“Employees are definitely the biggest security risk,” says George Usi, president of Sacramento Technology Group. “But most of the time, it’s not intentional; it’s accidental.”
Accidental or not, the risk is significant as there are simply so many opportunities for employees to poke holes in a company’s technology security. Companies of all sizes are at risk from employees using everything from rogue wireless networks to personal gadgets to information shared on social networking. In the Sacramento region, local security experts say there’s another factor at play: the belief that hackers only target large companies.
“One of the common comments I hear is that, ‘No one cares about me: I’m too insignificant. [Hackers are] interested in Proctor & Gamble and Coca-Cola and the Department of Defense, so I don’t need to be concerned,’” says Tim Burke, president and CEO of Quest, a technology management and consulting firm in Sacramento. “But it’s like a guy randomly walking down the street and checking each door to see if it’s unlocked. (Hackers) are out there twisting doorknobs to see if they’ll open. If one does, they’re going to go inside and see what they can find.”
When Quest’s experts first visit clients on site, they check for access to the company’s wireless network. Burke says he’s seen more unsecured access points to company networks than he would have expected, but not because the company’s official wireless network isn’t secure. It usually is. Instead, access points result from wireless routers set up by usually well-meaning employees.
An even bigger source of potential risk comes in the form of personal gadgets. From smart phones to personal laptops to tablet computers, employees own a variety of personal devices, and they often want — and expect — to access their work on them. That’s both an asset and a security risk to companies, Usi says.
What if a laptop, phone, or portable USB drive containing company information is lost or stolen? If an employee hooks up to the network via personal gadget, how does the company make sure the device has the proper security software? How does the company guarantee email attachments are screened? As the example from Sacramento Technology Group shows, it’s all too easy for a malicious email to make its way into the company network via personal device. It only takes one employee.
Forwarding company emails to personal accounts also potentially threatens information security, as can saving information in third-party cloud systems that don’t have the same level of protection the company’s network carries. Posting company information on social media websites, including seemingly benign facts like an employee’s job title, can help hackers craft more believable phishing emails.
Given these realities, how can companies protect themselves?
They need to be vigilant about installing firewalls, Burke says, but it’s simply not enough to install a firewall and call it a day. Any security system that is several years old needs to be updated. Are executives aware who monitors the firewall? Would the company even know if its network had been breached?
“I’d love to tell you you’re not going to have an intrusion, but the reality is that you probably have already or will,” Burke says.
With that in mind, he says, companies must ensure they can interpret the information that security software provides. He comes across few local companies that use the information generated by firewalls to compare it with known security threats. Too often, he says, companies simply have no idea their system has been infiltrated.
As Usi points out, there is no such thing as being 100-percent secure. When it comes to accessing the company’s network from outside, Usi recommends companies use multifactor authentication, or require users to pass multiple security tests. This could include a combination of items such as passwords, texts sent to a mobile phone, questions only the employee could answer or even finger scans.
Todd Bollenbach, principal owner of GNT Solutions, a Sacramento-based IT provider, believes companies should limit remote access to USB drives, phones, or similar devices as much as possible. When access is allowed, he says, policies should spell out employees’ responsibilities. That could mean everything from not copying files onto personal devices to understanding that if a device is lost or stolen, the company may remotely erase anything on it.
Bollenbach acknowledges such policies are not exactly feel-good approaches, but says they often make sense to employees once they’re fully explained.
More often than not, he says, employees are not trying to be malicious in exposing companies to security risks; they simply aren’t aware of the potential ramifications of their actions.
That’s where employee education comes into play. One way to keep employees up to speed is by reinforcing the message of information security during company meetings and explaining why it is so critical.
“You have to communicate with them, and let them know what’s going on,” Bollenbach says, adding that he believes such security training makes a difference. “Nobody wants to do anything wrong.”
Many of his clients now hold ongoing seminars about social networking and how employees’ use of it could impact the company. It’s an example of how employees, while a company’s biggest security risk, must be included in addressing it. The risk will always be there, just as there will be hackers trying to exploit those risks. The key is adopting both the right tools and the mindset to address the problem.
“In a sense, it’s a Cold War,” Burke says. “As you mount more defenses, the bad guy mounts more offenses. It’s kind of that type of ever-escalating situation that’s always going to be there. There’s no magic bullet that’s going to fix it all. Companies have to constantly be vigilant.”
Instead of sitting down to watch White Christmas or another streaming movie or TV show, Netflix online video users huddled around their television on Christmas Eve were greeted with an unfortunate message: the online content was unavailable.
For companies needing data security and backup, the Sacramento region boasts some of the safest and most affordable data centers in the West. It’s so desirable, in fact, that Twitter has joined Yahoo Inc., eBay Inc., Wells Fargo & Co. and a host of other Fortune 500 companies in storing its data in or near California’s capital.
While most businesses are postponing investments and stashing cash, at least one expense is expected to grow this year: information technology.