IT security, for employees too

By | June 13, 2005

Health and safety rules in the workplace have a clear objective: to prevent accidents and illness among workers. Nevertheless, each rule can be seen from two quite distinct viewpoints: that of the worker and that of the employer.

In the construction industry for example, if a worker wears a helmet he is protecting himself from harm. If, however, the employer makes the worker use a helmet, she is protecting her workforce, ensuring that the company's productivity is not affected.

Beyond these points of view, there are wider advantages arising from these security measures. In a safe company, the working environment is better. Simply installing pollen filters, say, in the air-conditioning system, means that the air is healthier and people's work will benefit. Alternatively, a security guard on the door would prevent just anyone coming in and wandering around, generally making employees feel more comfortable.

However, many companies have yet to implement adequate intrusion prevention systems across their IT resources. Protection against malicious code is widespread, as business people and those in charge of IT systems are well aware that there is a high chance of losing information if systems are not protected by an antivirus. So, this protection extends to client databases, projects, proposals: basically, the information behind the operation of the company.

But there is a higher level that we need to reach in terms of protecting systems. It is not just data that is under direct threat, but also money. There has been a huge increase in the amount of malicious code created in order to generate financial gain, and we have even seen malware that encrypts files on a victim's computer and then demands a ransom in order to release them.

The threat to all users of so-called 'phishing attacks' has also become a widespread concern. This type of threat typically involves sending an email to a group of addresses (as spam) informing recipients of a (non-existent) problem with the user's Internet bank details. In fact, the whole setup is a scam and those who fall for it could be in serious trouble, as they may have given fraudsters access to their bank account.

In all these cases, a company could simply decide to ignore the problem, as after all, these are just traps into which the user might fall, without further implication for the productivity of the company. However, let's now go back to the pollen filter. An employee's pollen allergy is not a problem that the company should resolve, but surely providing the purest possible air for employees comes within an employer's responsibilities.

The same can therefore be said of corporate IT installations. Employees need protection that goes beyond simply filtering out malicious code, as malware now extends way beyond classic viruses or Trojans.

In some cases, perhaps, companies may react thinking that their own accounts could be under threat, but with the internal controls that there are within administration departments, phishing attacks are virtually useless on a corporate level. It is by no means impossible, nevertheless, that this situation could change in the future.

Today's definition of 'malware' doesn't just include executable code, even if the word does derive from 'malicious software'. For something to damage IT installations it does not necessarily need to be software; it could simply be an email message. No one could deny the negative effects of spam, yet an email message, irrespective of how much Viagra it is advertising, is not software; it is a message that can be read in one way or another, but cannot, in theory, carry out any tasks on the system, no matter how annoying it can be.

The same applies to phishing, which is not executable code but is nevertheless extremely dangerous and so some type of anti-phishing filter needs to be included in corporate protection systems. The use of the different tools within security systems to deal with different problems means that the system loses its integrated perspective, and holes appear that are difficult to cover.

In addition to all these threats there is another which is not given sufficient attention by companies: spyware. All too often, spyware is thought of as a problem for end users – for home computers. These users are the same as those who are using computers in companies, and although the information that these spy programs try to steal often refers to their Internet habits, don't forget that spyware often includes keylogging functions. A list of the keystrokes entered by a worker perhaps won't throw up any credit card numbers, but it may reveal no end of information that competitors would climb over each other to get hold of.

Despite classic security measures against industrial espionage, companies need to bear in mind that a supposedly innocuous browser bar installed by an employee (and not detected by the anti-malware system) could be the undoing of a million-dollar project. Or, on a less dramatic scale, it could simply be the channel through which numerous email addresses fall into the hands of spammers.

If today's companies want to establish effective security, they need to ensure that all risks, whether they attack the company directly or the employees, are monitored and countered. Today's global concept of IT security offers, and demands, complete solutions for complete security.
