In Depth

The Blending of Physical and Information Security Threats

The coming wave of security threats will increasingly be blended with physical and information components. CSOs who want to prepare for these attacks will have to meld their defenses to meet the challenge.

By Daintry Duffy

For instance, Shaklee Corp., a personal and home care product and nutrition supplement company, is a subsidiary of a pharmaceutical company that animal rights groups want to target. Individuals who have a secondary relationship to such companies have also been targeted. In one instance, members of SHAC posted personal information online for a stockbroker for Huntingdon Life Sciences. When that had no effect, they posted the personal information of his neighbors.

Such threats will also carry over to employees as they travel overseas. "Today's modern executive needs good physical protection measures and proper intelligence so they know what to avoid when traveling," says Hancock.

Several high-profile executives have had ransom demands delivered and negotiated via cyberspace when a family member was kidnapped, and their personal information has been stolen for identity theft (see "Q&A: Frank Abagnale," Page 42). Hancock notes that the home computers of executives will continue to be targeted for "harvesting" by competitors, and CSOs will have to ensure that their departments work closely with every employee who has access to sensitive information so that they can secure their computing environments no matter where they work.

Keep Friends Close

Sun Tzu might rethink his philosophy of keeping friends close and enemies closer if he were contemplating the security challenges of a Fortune 500 company. One of the threats that CSOs face, particularly those working in the critical infrastructure, is the possibility of employing a hacker, corporate spy or other individual who wants to gain a trusted position within a corporate network for nefarious reasons. "Hiring practices and background checks haven't kept pace with threats," notes the Terrorism Research Center's Devost, "and there's increasing concern that it might be easy to get someone hired into a legitimate position and have them collocate with a target inside the firewall to engage an attack."

Fueling the espionage aspect of that problem is a tight economy; people are looking for illegitimate ways to use their skills and earn more money, and corporations are desperate to find any way to gain a competitive edge. Most of the time, a skilled corporate spy can get in and out of a network without anyone ever knowing he was there. "You can spend a lot of money to protect against the attack from the outside, but once you bring somebody into camp, the threat goes way up because the greatest damage comes from an inside threat," says the FBI's Hendershot.

Not only should companies review their background check and hiring procedures, but they should also review who has access to which systems and documents. "Determine where you will draw that line of trust," Hendershot suggests. "Should a person in sales be reviewing R&D documents? Should a person in finance be looking at our marketing theory? CSOs turn on intrusion detection for the outside, but what's going on inside, and does it make sense?"
