Security News > 2005 > November > Uninformed staff pose security threat: Expert

Uninformed staff pose security threat: Expert
2005-11-29 06:46

http://www.computerworld.com/securitytopics/security/story/0,10801,106565,00.html By Brian Eaton NOVEMBER 28, 2005 ITWORLDCANADA TORONTO -- All it takes is one employee to unknowingly compromise a network's hard outer shell. And when that happens, all other security measures could simply melt away, said Clemens Martin, founder of the Hacker Research Lab at the University of Ontario Institute of Technology (UOIT). "The reality is many businesses are operating under a false sense of security," said Martin, who is also director of IT Programs at UOIT. "All too often, we see corporate networks that become compromised by an 'igloo effect' of sorts." The good news is that many corporate executives are becoming increasingly aware of this risk. Most business leaders polled as part of a recent Fusepoint/Sun Microsystems/Leger Marketing survey stated that the greatest threat to their data security was not likely to come from a malicious external attack, but rather from the hands of an uninformed employee. Martin also believes the private and public sectors have similar security concerns. He said that in both sectors the infrastructure used is similar, and malicious attackers are keen to infiltrate both. There is a common interest among the "bad guy community" to get inside networks in both sectors, and attacks designed to fool uninformed or undereducated employees and public servants are becoming more sophisticated, Martin said. Depending on an individual's e-mail settings, and security products in use, an e-mail may just have to be clicked on -- without any attachments whatsoever being opened -- for the attacker to get in, he said. "If you look at HTML-formatted e-mails, just like a Web page, there can be embedded code that can download," Martin said. "There is a risk, but there is also protection." Martin pointed to products from Cupertino, Calif.-based Symantec, but also noted that security software and conventional insurance are two different things. "You can buy an insurance policy for almost anything," Martin said. "But you can't buy insurance to hedge against IT security risks because the problems are not understood as well as earthquakes or fires or car theft. Those [problems] have been well studied over years and years." Most IT security problems are studied in computer science departments, he said. _________________________________________ Earn your Master's degree in Information Security ONLINE www.msia.norwich.edu/csi Study IA management practices and the latest infosec issues. Norwich University is an NSA Center of Excellence.


News URL

http://www.computerworld.com/securitytopics/security/story/0,10801,106565,00.html

Related news