Security threats explained: Internal negligence
Training, budget and policies the best prevention say ICT security experts
By Hamish Barwick
June 13, 2012 — IDG News Service — In this series, Computerworld Australia examines some of the information security threats facing small business and larger enterprises today. We begin by speaking to experts about the problem of 'internal negligence' and company processes that can put businesses at risk of a data breach.
Internal negligence, according to Quest Software, can be defined as an offence committed by staff members, such as forgetting to check log reports for suspicious behaviour, that leads to company documents or financial information being leaked out of the enterprise.
However, negligence can occur in simple ways such as the result of losing a USB stick containing company information. For example, security vendor, Sophos, purchased three bags of lost USB sticks at a Rail Corporation auction in Sydney, Australia, last year. The recovered files included images, documents, source code, audio files, video files, XML files and AutoCAD drawings.
The threat of internal negligence
In an age where information and data are the lifeblood of any organisation, data loss as a result of internal negligence is one of the most prominent issues keeping IT security executives up late at night, according to IDC Australia senior market analyst, Vern Hue.
"The extent of data loss goes beyond the obvious loss of valuable and sensitive information, making data protection both a business and technological concern," he says.
Internal negligence which leads to data loss can affect a company's bottom line, as the remediation exercise is often very costly and time consuming.
"What is most worrisome is the loss of brand value and brand equity due to the loss in confidence by the different stakeholders," he says. Brands can have their reputations tarnished and years of painstaking efforts in branding and goodwill undone due to internal negligence.
"Some organisations just cannot rise again after such an impact," Hue warns.
Pure Hacking chief technology officer, Ty Miller, says internal negligence arises for a number of reasons. This includes minimal or no IT security budget allocation, a lack of resources dedicated to IT security, missing security policies and procedures to ensure a baseline level of security, and a lack of security training for employees.
"This type of negligence leads to the introduction of countless risks within the internal corporate network, systems and operations," he says.
For example, a minimal IT security budget means that security systems are not put in place to detect and protect vulnerabilities from being exploited by rogue users and savvy remote attackers.
"If an organisation doesn't have the skills and resources dedicated to IT security then the governance policies, processes and procedures will not be created," Miller says. "These act as a security guideline to secure the organisation from attacks. If these are not in place then security breaches are certain to occur and audit trails will not be in place to ensure a digital forensic investigation can be carried out."