Security Watch | Matt Hines » Auditors - employees missing big picture risks

October 29, 2007

Auditors - employees missing big picture risks

If your company is undergoing any type of IT security audit this year, there's a strong likelihood that the experts who come in the door to test your systems will be somehow associated with, or certified by, ISACA.

The nonprofit organization -- formerly known as the Information Systems Audit and Control Association -- serves as an industry body representing the professionals who carry out regulatory audits covering SOX, HIPAA and PCI, among other regulations, and who will become intimately familiar with all the weak points of your company's networks, applications and security policies -- should you have any. (writer stifles laugh)

In a new study to be released later this week, ISACA is sharing the results of a survey it sponsored that reviews just how significantly the human factor is currently playing into the whole process of IT security.

The results highlight the fact that, despite all the strong technology and comprehensive processes that many organizations have been pushing to adopt in recent years, it is in fact people who remain one of the most significant vulnerabilities inside many business environments today.

For starters, ISACA's study -- which was actually conducted by MARC Research, and involved phone interviews with roughly 300 white collar workers during Q3 2007 -- found that 35 percent of those surveyed admitted to violating their company's security policies at least once.

Combine those results with the likelihood that many such incidents also occur without employees even realizing they have made a mistake, and the survey result carries even more weight.

Among the technologies that the workers interviewed admitted to using in ways that could violate their employers' policies were P2P file-sharing services, with 15 percent of those surveyed claiming to have used the tools while at work.

P2P applications are frequently cited by security researchers as an increasingly popular vehicle for delivering malware and other attacks to end users, or for creating botnets of infected devices.

Seemingly even worse, 65 percent of those interviewed reported that they are unconcerned with securing their privacy while using a workplace computer in general, and 63 percent said that they do not worry about the security of the information they handle at work whatsoever.

Somehow I'm thinking those people interviewed were not working at large financial service companies… but consider that they likely could be working at retailers or some other type of company that holds your personal information, someone like TJX Companies, for instance.

Of those people who said they are not worried about organizational security issues as they go about their work, 74 percent said that they do not feel it is a risk to their employer to download personal software onto their work PCs, even though some of it might constitute malware or some program that could lead to infection.

Consider that security researchers frequently cite well-known and widely used applications, including IM and VoIP client software, as among the most popular avenues for attacks today.

The more worrisome group of respondents to the ISACA study also identified personal e-mail as another favorite application they feel is appropriate for use at work, with 73 percent admitting that they tend to use such tools while on the job.

How dire a situation that fact indicates is again unclear, because it depends on the types of jobs the people surveyed perform. For instance, if they're reading Gmail while working in anything other than a tightly controlled environment where workers have access to lots of sensitive data that could be copied -- or they aren't working at a financial services firm where outside e-mail is typically banned -- this result might not be surprising or shocking.

On the other hand, if they are in one of those more security-centric settings, it's a really big deal.

In addition to providing a means for malware to enter the network through a tool that essentially flies under the network's radar, the ability to cut and paste corporate information into such an account and send it out of the company network presents a massive risk of data leakage or corporate espionage.

ISACA takes a predictably conservative stance on the use of such programs, and on the lack of security acumen among workers, since it backs the auditors who perform the work. But consider the implications for the auditors themselves, some of whom will be responsible for handing out failing compliance grades that lead to financial penalties, or even jail time, for those responsible for securing the systems being tested.

At the end of the day, the most important thing is that workers understand the implications of their jobs in terms of how they affect the organization's bigger picture, experts with the group maintain.

"Companies and employees should be very concerned about their personal and corporate data in light of this information," said John Pironti, a security expert at services provider Getronics who also reps for ISACA. "A single seemingly harmless activity, such as using peer-to-peer networks while at work, can breach the confidentiality and security of an entire corporate network, including all of the documents, data and internal communications that reside on that network."

Such research forces one to consider just when the companies that are being audited and/or experiencing data leaks will begin seeking jail time and civil penalties against workers who fail to follow corporate policies.

My guess is not long now.

Posted by Matt Hines on October 29, 2007 09:39 AM