[ISN] When staff can be more dangerous than hackers

Wed Sep 29 03:56:18 EDT 2004

http://straitstimes.asia1.com.sg/techscience/story/0,4386,275155,00.html

By Chua Hian Hou 
SEPT 29, 2004

COMPANIES here more concerned with preventing computer viruses from
attacking them, are neglecting their biggest information security
threats - their employees and business partners.

Mr John Ho Chi, principal of Ernst & Young's security and technology
risk service, said insiders are dangerous because they 'know where
your most valuable information is, already have trusted access to your
system, and may even know how to get away with it or cover their
tracks'.

For example, an unhappy business partner with access to a company's
price lists can share this access with the company's competitor,
allowing him to see the prices.

Or a disgruntled employee can change the details of customers' orders,
causing havoc to the company's operations, he said.

While a virus or a hacker may cause damage to a company, it cannot do
so undetected and certainly not to the extent a malicious insider with
intimate knowledge of the company can.

Findings from Ernst & Young's Global Information Security Survey 2004,
which included 43 local companies, showed Singapore firms know
security is important. Many invest heavily in firewalls and anti-virus
software to guard against external threats such as viruses and
hackers.

However, these firms pay less attention to internal threats, said Mr
Ho.

According to the survey, nine out of 10 local companies rank external
threats such as viruses and hackers, loss of customer data and
confidentiality breaches as their most important threats, compared to
seven in 10 which are concerned about breaches by disgruntled
employees or business partners.

Mr Ho said publicity given to virus outbreaks and hacker attacks has
highlighted external threats and made them appear more dangerous than
internal threats.

What local companies don't realise is, 'when it comes to employees and
business partners, the only thing standing between the company and
fraud is... trust'.

Woo World, a 10-man mobile games distributor, experienced a malicious
breach last year, said its technology manager Chai Swee Kheat.

An employee had deliberately deleted files he was not supposed to
modify. Fortunately, there were back-up copies and the company did not
suffer too badly in this case.

Lest companies believe their staff are made of sterner stuff, a global
fraud study by Ernst & Young found that one in five employees knew
personally of incidents where colleagues had stolen from their
employer.

'In other words, there are a lot of untrustworthy employees out
there,' warned Mr Ho.