Human error and malicious leaks are threats for ’08


1 Feb 2008

Despite firms investing heavily in security systems and software and putting stringent security procedures in place, human error and malicious leaks are the major threats facing businesses and government organisations in 2008, a security analyst at McAfee told siliconrepublic.com.

Greg Day of McAfee said that the standard enterprise invests in 20-plus different security products ranging from virus protection and patch management to firewalls and virtual private networks.

“The scope for security products is mind-boggling. You could spend more than any business can afford and still be compromised,” Day warned.

Managing the vast array of security technologies at work in the average business will be a nightmare for firms and Day predicts that in 2008 investment in management consoles to pull together disparate pieces of information on the overall security picture will be key.

“Security has moved from being a technical requirement to being a business requirement. But at the same time, the business wants to understand why it’s spending all this money on technology.”

Day said major data security scandals in 2008 have demonstrated to businesses that more stringent methods are needed which will transcend both products and processes in the workplace.

“Things have crept out of the woodwork that have shocked everyone. A third layer of security is now needed; not only blocking threats but taking proactive measures to mitigate future threats we know nothing about.”

The real point of failure in 2007, he said, was a combination of people and processes. Day cited the human error that saw 25 million records on welfare recipients go missing at the UK Inland Revenue when a junior official organised for CDs to be sent by courier.

“This was a junior official trying to be helpful, not malicious. The Inland Revenue had the tools to protect its perimeter from hackers and it had stringent rules that the information was never to leave its buildings but these rules weren’t being followed. Someone didn’t understand or follow the procedures and we need to ensure that procedures are enforced and being adhered to.”

Day also pointed to a situation which arose in Ireland whereby a civil servant in the Department of Family and Social Affairs acted as a mole on behalf of his criminal brother and passed on information including PPS numbers and financial information. This resulted in a burglary and a separate attempt to extort money from three businesspeople.

“Organisations need to look at how people and processes can undermine their entire IT investment. Not only should they be worrying about stopping the threat but they should consider the cost of the loss of information – the crown jewels – can be catastrophic.

“A new layer of security is required that demonstrates an understanding of the value of data, who it should be used by and there should be measures and controls to keep it safe,” Day said.

By John Kennedy