
How employees put business security at risk

OUT-LAW News, 03/05/2001

Digital security consultancy @stake yesterday revealed that corporate employees who fail to implement basic security procedures are the biggest single cause of security breaches within the organisations it has worked with.

Royal Hansen, practice director for @stake Europe, said, "Too many companies believe that IT security is a product issue. In fact, human beings are the weakest link in any security system. Expensive and elaborate security measures are often completely undone by a company's failure to enforce even the most simple precautions, opening up the entire corporate infrastructure to malicious attack."

Hansen continued, "There is no magic bullet for internet security. It is a process, not an event. However, companies need to think holistically about how they implement security and people are a major part of that equation. The sooner companies integrate human error into their thinking and take appropriate safeguards, the safer their systems will be."

According to @stake, the ways employees compromise security at corporate sites are:

  • Writing their passwords on Post-It notes and leaving them on or near their machines. In an extreme example of this, @stake has seen instances of a systems administrator loading the passwords for every server into an (unprotected) Excel spreadsheet and leaving a paper copy of it stuck to the desk next to the administration console.
  • Setting their default passwords to be the same as their primary password.
  • Entering an existing password when the system prompts for a password to be changed.
  • Loading encrypted discs onto a system, failing to remove them and leaving the password open.
  • Plugging modems straight into servers and bypassing multi-level corporate security systems.
  • Plugging servers straight into the internet bypassing routers that may be acting as firewalls.
  • Issuing security certificates with blank passwords.
  • Failing to enter a password into Microsoft's server administration system so leaving a blank default password that compromises the whole corporate system.
  • Carrying (and subsequently losing) laptop computers loaded with company secrets.
  • Failing to keep up to date with, and apply, newly released patches issued by software vendors as vulnerabilities are discovered. For example, an Amazon.com employee failed to install a patch for a Microsoft Internet Information Server, allowing attackers who exploited the unpatched flaw to obtain credit card numbers and client information over a four-month period.

See also: Companies underestimate internal threat of e-fraud, OUT-LAW News, 02/04/2001

Disclaimer: This was printed from OUT-LAW.COM, a service of international law firm Pinsent Masons. We hope you find this content useful. However, please note that nothing in this document constitutes specific legal advice. You should consult a suitably qualified lawyer on any specific legal problem or matter. Any questions, please email info@out-law.com.