Carroll County Times Articles
Insider Security Risks Are Often Neglected
by David Hodgdon – August 3, 2008
These days most companies can survive losing their employees but would be out of business within days of losing their data. In past columns I have discussed external threats to data. Today let's focus on "insider" attacks by employees, IT consultants, etc. The news from San Francisco of the disgruntled system administrator who held the city's network hostage shook the IT industry to its core. But before you dismiss this as a big-business or government problem, consider the case of a small Frederick, MD company. Because the office atmosphere was much like that of a family, no measures were taken to safeguard its data or network the day it downsized. Arriving at work the next day, the horrified owner found that one of the former employees had deleted all the files and email they had access to. Much of the data consisted of legally binding agreements and information stored only on the network. This company was fortunate because its IT consultant had a strong off-site backup procedure in place. Would your company have been as fortunate? There are ways a thinly staffed and cash-strapped small business can protect itself from these insider threats.
Conduct a risk analysis of your data and systems. Work with your IT consultant to determine what data you have, how sensitive it is and where it "lives". Break it into at least three classifications: public, sensitive and critical. Public data is information that is obtainable from other sources, such as names and addresses of clients, marketing materials and so on. Sensitive data is information that could harm someone or your company if released, for example Social Security and credit card numbers. Critical data is data which, if lost, would destroy the ability of your company to do business.
Limit access to data both physically and electronically. Restrict physical access to the company server and network storage devices. Restrict electronic access using passwords and security groups with the software included in every server. Keep a copy of your daily data backup off-site. If you have a large facility, implement a color-coded badge system that everyone, including visitors, must wear. They don't have to be fancy electronic badges. Get some colored paper and plastic laminate from the local office supply store and make them yourself.
Restrict network access of smart phones and portable storage devices. Smart phones and USB flash drives are a great convenience, but they come with a high security risk. Most networks that have a server can be configured to disable USB storage devices. Restrict smart phones to email access, and only for those employees who require mobile email to perform their job.
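As an added illustration of the two preceding points (security groups for electronic access, and disabling USB storage), here is a Windows PowerShell script that is not part of the column and not from the author's company. It assumes a Windows Server with the ActiveDirectory module, a hypothetical group named Contracts-Access, a hypothetical user jdoe, and a hypothetical folder D:\Data\Contracts holding the critical data; run it as an administrator.

```powershell
# Added example (not from the column). Run as Administrator on a Windows Server
# that has the ActiveDirectory module. Group, user and folder names are hypothetical.

$groupName = 'Contracts-Access'     # hypothetical security group for the critical data
$folder    = 'D:\Data\Contracts'    # hypothetical folder where the critical data lives

# 1. Create a security group and put only the people who need the data in it.
#    (On a standalone server without a domain, use New-LocalGroup / Add-LocalGroupMember.)
Import-Module ActiveDirectory
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $groupName -Members 'jdoe'   # hypothetical employee account

# 2. Stop the folder from inheriting the broad permissions of its parent and grant
#    access only to Administrators, SYSTEM and the new group ("least privilege").
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $false)      # disable inheritance, drop inherited entries
$acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$grants  = @(
    @{ Id = 'BUILTIN\Administrators';          Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';             Rights = 'FullControl' },
    @{ Id = "$env:USERDOMAIN\$groupName";      Rights = 'Modify' }       # read/write, no ACL changes
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g.Id, $g.Rights, $inherit, $prop, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $folder -AclObject $acl

# 3. Disable the USB mass-storage driver on this machine so flash drives cannot mount.
#    Start = 4 means "Disabled" for a Windows service/driver entry.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                 -Name Start -Value 4 -Type DWord

# 4. Verify: show who can reach the folder and confirm the driver is disabled.
(Get-Acl -Path $folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start
```

Step 3 only affects the machine it runs on; to apply it to every workstation in the office, your IT consultant would push the same USBSTOR setting (or the equivalent "Removable Storage Access" policy) through Group Policy rather than visiting each PC. The verification step at the end is the part worth repeating after any staffing change, since a group whose members are never reviewed quietly stops being a restriction.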
None of this is as difficult or expensive as it sounds. However, it does require the knowledge and experience of an IT professional to implement, and once implemented, your system needs to be monitored and the policies enforced.
About the Author
David Hodgdon is the owner of Hassle Free IT Services (www.HassleFreeITServices.com) of Westminster and a member of the Carroll Technology Council. He can be contacted for computer support questions at 443-340-3166 or by email at info@hasslefreeitservices.com. Business owners mentioning this article receive two hours of free support.
