Inside job

With 60 per cent of all network attacks coming from inside the company, employees represent the single largest threat to network security, says researcher IDC.

Mark Samuels, Computing

Could you breach your own company's security defences? Of course you could - you work with computers every day. In fact, you've probably breached them already this week by downloading internet files, burning content onto a CD or installing software from a floppy disk.

With 60 per cent of all network attacks coming from inside the company, employees represent the single largest threat to network security, says researcher IDC.


"Companies are just not aware of this," says Thomas Raschke, IDC programme manager for European internet security. "Firms tend to trust their workers too much. They need to wake up."

Certainly, few companies have addressed the threat of internal security breaches, according to a report from consulting group Ernst & Young. While 90 per cent of those surveyed were concerned by the threat of significant fraud by employees, just 10 per cent were confident that adequate controls were in place to prevent it.

Through the corporate network, employees can often tinker with everything from the application server to the web content management system. It only takes one disgruntled employee to abuse his access rights and damage the organisation.

Even quite junior employees have the potential to cause significant damage, says Jan Babiak, a partner with Ernst & Young's IS advisory service. "Passwords and monitoring can be naive if not properly directed. Quite often, junior employees can get right back to the Unix box and do the damage from there."

Managing internal fraud may be complex and expensive, but it's certainly cheaper and easier than cleaning up after a major security incident, says Graham Titterington, senior analyst at Ovum. "There are a lot of holes that are not being addressed and people are not identifying their main priorities," he says.

First line of defence

The first priority is to work out exactly what information could be vulnerable to attack and how far you're prepared to go to protect it. In other words, is your organisation prepared to fork out £50,000 to protect files that contain nothing more sensitive than an internal phone directory? Files containing customer records, on the other hand, may justify top-level defences.

This type of risk assessment should give managers a clear map of company information and identify 'hot spots' that require urgent action. For large organisations, assessments can be automated using products such as Insight Assessment, which seeks out unprotected data on a network and creates logs of user access rights. However, such tools are limited and the results need to be examined by skilled assessors who understand the qualitative value of information.

Assessors should also be screened carefully, to reveal their own attitudes to fraud. While most managers are aware of workplace fraud, 40 per cent wouldn't blow the whistle on a colleague, according to research from consulting firm KPMG.

Risk assessment will provide companies with an idea of where action is required and, as such, is only the first step, says Charles Cresson Wood, author of Information Security Policies Made Easy. "The risk assessment will only tell you what fraud is," he says.

Addressing fraud in the workplace should begin with a policy document providing general rules for employees using computer systems. Recognised technical standards such as the BS 7799, the code of practice for information security management, can be a useful guideline for such policies.

The importance of policies

It's also important to ensure that employees are aware of the policies, as well as the penalties for breaching them.

Policy documents are largely common sense to IT departments - don't download executable files, don't send attachments, save sensitive information to the server and change default passwords - but don't assume employees will feel the same way.

IT departments are often among the worst offenders. It is worth bearing in mind that 50 per cent of firewall breaches occur when default settings are left unchanged, and 70 per cent of companies don't even know when or how often their security policy is revised, according to analyst Datamonitor. "The biggest problem is that people are lazy," warns Raschke.

Policies should be backed up with good working practices. Implement log-on passwords for PCs and check that end-users are keeping them secure.

"Check if people use obvious passwords, and make sure they don't write it down and stick it on a post-it note next to their keyboard," says Titterington.
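The advice above (check for obvious passwords) is cheapest to apply at the moment a password is set, rather than hunting for weak ones afterwards. The following is an added illustration of such a check, not code from the article, Ovum or any vendor; the length and character-class thresholds, the small wordlist, the keyboard rows and the sample accounts are all assumptions made for the example.

```python
"""Password-obviousness check: an added example, not the article's code or any
vendor's product. Thresholds, wordlist and sample accounts are assumptions."""
import re

MIN_LENGTH = 8        # assumed policy minimum
MIN_CLASSES = 3       # out of: lower, upper, digit, other
# Constructed stand-in for a common-password wordlist; a real check uses a large one.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def _has_keyboard_run(text: str, length: int = 4) -> bool:
    """True if any window of `length` characters is a straight run along a keyboard row."""
    for i in range(len(text) - length + 1):
        window = text[i:i + length]
        if any(window in row for row in KEYBOARD_ROWS):
            return True
    return False


def _char_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def password_findings(password: str, username: str = "") -> list:
    """Return the reasons a password counts as 'obvious'; an empty list means it passed."""
    findings = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        findings.append("too_short")
    # Strip a trailing digit/symbol suffix, so "Password1" is still judged as "password".
    stem = re.sub(r"[^a-z]+$", "", lowered)
    if lowered in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        findings.append("common_word")
    if len(username) >= 3 and username.lower() in lowered:
        findings.append("contains_username")
    if _has_keyboard_run(lowered):
        findings.append("keyboard_run")
    if re.search(r"(.)\1\1", password):          # three or more of the same character in a row
        findings.append("repeated_chars")
    if _char_classes(password) < MIN_CLASSES:
        findings.append("few_char_classes")
    return findings


def is_acceptable(password: str, username: str = "") -> bool:
    """Policy decision: accept only passwords with no findings."""
    return not password_findings(password, username)


if __name__ == "__main__":
    # Constructed sample accounts (hypothetical users and passwords).
    for user, pw in [("akhan", "Summer2001"), ("jsmith", "Password1"), ("jsmith", "jsmith99")]:
        print(user, "->", password_findings(pw, user) or "ok")
```

The check is deliberately a list of independent findings rather than a single score, so the message back to the user (or to an auditor) names the specific habit to break: a dictionary word with a digit bolted on, the user name inside the password, or a walk along the keyboard.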

Passwords can be supplemented with basic security features from $10 per desktop. However, large organisations should consider spending more where appropriate.

Biometrics, such as finger scanners, can protect entry to the system. Prices for such systems have fallen dramatically and they are now available for about $20 each. European spending on biometric products will increase from $80 million in 2000 to $550 million in 2004, $300 million of which will be spent on finger-scanning products, according to IDC.

Smartcards can also identify users electronically, and IDC estimates that spending on these products will reach $550 million by 2004.

Watching the workers

Once employees are logged on, monitor their actions. While civil libertarians may disapprove, 67 per cent of employees admit lying to their boss on occasion, according to KPMG. Monitoring products can 'sniff' network traffic to detect changes and compile reports for system managers.

Web-filtering tools can also detect employees accessing non-approved internet content, and can be tailored to alert managers to high-risk email or internet activities.

Even with monitoring systems and policies in place, the experts' advice is 'never relax'. According to Titterington, every PC is a potential point of vulnerability. "Every time someone inserts a floppy disk into their A drive, you don't know what they have on it. Just remember, you are much more involved with human factors in the internal situation."

REUTERS

Reuters' policy on internal security focuses on the adage 'trust and verify'.

The winged sculpture over the entrance to Reuters' Fleet Street office was once charged with sending forth news to the four corners of the earth. Today, it's just as likely to be checking out visitors for suspicious activity.

"Don't trust anybody, inside or out," is the motto of Tim Voss, Reuters' global IT security risk director. The company has introduced a series of tools to ensure that information is passed securely to its 548,000 users in 52,400 global locations.

The data that Reuters provides on shares, bonds and other financial instruments is used as the basis for high-ticket investment decisions. The integrity of this information is therefore paramount - a fact that Reuters has put at the centre of its strategy.

"The biggest challenge for Reuters is the theft of intellectual property. We were concerned that people who might have access to this information could use it without paying, so that's where we concentrate our efforts," says Voss.

To reduce the risk of internal security breaches, Reuters began by assessing the value of information available to employees.

When Reuters first began to monitor internal network activity, it rejected off-the-shelf products in favour of a bespoke system. It took seven software engineers four years to create the resulting network management system. Now in place, it allows the IT department to collate information on network activity and define alerts that, once triggered, can be analysed in real-time.

With hindsight, however, Voss considers that a packaged solution might have been more effective. "If it can be done off-the-shelf, it means that my software engineers can test instead of develop," he says. When Reuters installed virus scanners on the desktop, it opted for a packaged solution including anti-virus software, file servers and network boundaries.

Reuters has also spent several million pounds on Symantec's Enterprise Security Manager to allow closer monitoring of internal changes to system configurations.

Employees who make changes to the Reuters network are monitored internally and externally, through a series of data centres. The company also has an investigative department which examines employee activities for potential security breaches, and works with law enforcement agencies when problems occur. "We've been very effective at monitoring internal fraud and bringing it to book if it does happen," says Voss.

Voss himself isn't exempt from the watchful eye of the security team. "Even in my department, I have one department that codes and another that verifies it. You have to be that particular when dealing with the size of numbers and revenue that Reuters supports. I think 'trust and verify' is a good phrase when it comes to internal security."

Project Profile

Company: Reuters
Business aim: Maintain integrity of shares, bonds and other financial instruments
Products used: Bespoke system and Symantec's Enterprise Security Manager
Successes: Internal fraud reduced
Lesson learned: Commercial applications can have flaws - test them

BARCLAYS BANK

Risk-assessment to avoid an inside job

Having 75,000 employees sharing systems that hold £3.5 billion-worth of customer cash, on top of running the UK's largest internet bank, is something of a security nightmare. And a hefty £325 million IT budget doesn't help David Morgan, group head of IT security at Barclays, rest any easier.

"There's no such thing as 100 per cent security - even if you gave me all the money in the world," Morgan says. "The risk profile in the electronic world is increasing, so the most important thing for large corporates is how to manage when they need to react."

Barclays has more experience than most of the risks in keeping data secure. The bank famously implemented a software upgrade to its online service last July. After seven customers reported they were able to read other customers' account details, the upgrade was quickly dropped. Following a thorough review of its processes, including code checking, internal testing and ethical hacking, Barclays finally reinstated the upgrade in January.

The lessons learned from that highly public slip-up are now central to Barclays' internal and external security procedures.

Half of the company's IT budget will be spent this year on security-related initiatives, including a complete reorganisation of internal security staff. The company aims to have a pool of staff that can be assigned to various divisions to address security projects.

Morgan has also engineered the group's IT security policies using the BS7799 standard as a benchmark. Barclays used external auditors to scrutinise the new policy and benchmarked its results against the rest of the banking industry.

The policy relied on a thorough risk assessment, which valued particular pieces of information. "There are no hard and fast rules," Morgan says.

"The company often takes a more relaxed attitude to lower-rated data, but is tight as a drum with sensitive customer records." Morgan is quick to point out, however, that policy guidelines are worthless without an educated workforce. Barclays has introduced training awareness campaigns for its staff to ensure that internal security policy becomes good working practice.

The company has also worked with key strategic suppliers to ensure that policies are backed up with solid monitoring and prevention systems. Virus protection software is provided by Symantec and Network Associates. These two suppliers provide the bank with a double level of security, explains Morgan. In addition, multi-tiered virus protection means the bank is able to hit rogue viruses at the firewall, mail gateway, local area network and the desktop - catching those viruses that originate inside as well as outside the company walls. Barclays also uses a newsgroup-monitoring service, which provides monthly reports and alerts so the bank can check the surfing habits of its employees.

Barclays is also prepared to wait while key security tools mature. Morgan says that the bank, along with Barclaycard, has undertaken prolonged research into public key infrastructure. He hopes that such technologies can bring more secure access to information channels. "Inevitably the distinction between internal and external security technologies will be removed," he says. "Our staff are not that different from our customers, it's just that they have greater access privileges to our applications."

Project Profile

Company: Barclays Bank
Business aims: Tighten internal security policies based on a risk-assessment
Products used: Applications from strategic suppliers, including Symantec and Network Associates
Successes: Close monitoring of staff
Lessons learned: Quick reactions are key to effective security management

MEMEC

Memec opts for bespoke system to stave off security breach

Security is viewed as a core element of the business at semiconductor distributor Memec. However, the company has shied away from implementing dedicated internal monitoring systems, says Richard Gifford, Memec's IT director.

"Internal security rests hand and glove with business," he says. "We don't tend to run into initiating big IT projects."

Memec's 5000 employees have various levels of access to a bespoke system database, which is divided into three regional systems. Various levels of access are granted using passwords, so a country director in Europe can only view information within a particular area of the network. This, in parallel with intrusion-detection systems, prevents unauthorised access to corporate information.

While there is some focus on controlling employee access, Gifford admits that his company has no way of preventing a disgruntled or disloyal employee from printing out sales information from the network before selling it to competitors.

The company believes that technology has yet to deliver a system which can completely eliminate this kind of deliberate employee fraud. "It's going to be difficult trying to stop a guy passing trade secrets to a competitor in his local pub," Gifford says.

Instead, the company relies on the semiconductor industry's degree of self-regulation. "If we had three engineers working on a design, and all of a sudden it has gone to our competitor at the last minute, I think that would set alarm bells ringing. There's no formal system - it's more of an informal process really," Gifford adds.

In addition, Memec is often the sole distributor of its products, making industrial theft less likely.

To Gifford's knowledge, information has not been leaked from the company so far, and continued company-sponsored risk assessment suggests that employee fraud remains a low risk. For this reason, Memec sees little point in deploying elaborate internal security processes.

That doesn't mean Memec doesn't take security seriously. The company is able to run full audit trails using a bespoke alert system, which is monitored by exception. This provides Memec with a method for tracking user behaviour in the company's hosted Unix environment.
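"Monitored by exception" means the audit trail is recorded in full but only records that break a rule are surfaced to a person. The following is an added example of that pattern, written for this page and not Memec's bespoke system or any product; the log format, the user directory (home region and role, echoing the regional access levels described earlier), the privileged-action list and the bulk-export and business-hours thresholds are all assumptions, and the audit lines are constructed.

```python
"""Exception-based monitoring over an audit trail: an added example, not Memec's
system. Log format, directory, thresholds and sample lines are assumptions."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed user directory: each account's home region and role (assumption).
DIRECTORY: Dict[str, Dict[str, str]] = {
    "akhan":  {"region": "EU",     "role": "user"},
    "ctan":   {"region": "ASIA",   "role": "user"},
    "bjones": {"region": "EU",     "role": "user"},
    "root":   {"region": "GLOBAL", "role": "admin"},
}
PRIVILEGED_ACTIONS = {"GRANT", "DROP", "CHMOD"}   # assumed set of admin-only actions
BULK_ROWS = 1000                                  # assumed threshold for a bulk export
BUSINESS_HOURS = range(6, 22)                     # assumed 06:00-21:59 window

# Constructed audit lines in an assumed "timestamp key=value ..." format.
SAMPLE_AUDIT_LOG = [
    "2001-06-12T09:14:05 user=akhan region=EU action=SELECT rows=12",
    "2001-06-12T09:20:41 user=akhan region=US action=SELECT rows=3",
    "2001-06-12T23:05:12 user=ctan region=ASIA action=EXPORT rows=4800",
    "2001-06-12T10:02:00 user=root region=EU action=GRANT rows=0",
    "2001-06-12T10:03:30 user=bjones region=EU action=DROP rows=0",
]


@dataclass
class Alert:
    rule: str
    user: str
    line: str


def parse_line(line: str) -> Dict[str, object]:
    """Split one audit line into a record; the hour is taken from the ISO timestamp."""
    ts, *fields = line.split()
    rec: Dict[str, object] = {"ts": ts, "hour": int(ts[11:13])}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    rec["rows"] = int(str(rec.get("rows", "0")))
    return rec


def exceptions_for(rec: Dict[str, object]) -> List[str]:
    """Return the names of every rule this record breaks; normal activity yields []."""
    user = str(rec["user"])
    profile = DIRECTORY.get(user)
    if profile is None:
        return ["unknown_user"]
    broken = []
    # Regional scoping: a non-global account touching another region's data.
    if profile["region"] != "GLOBAL" and rec["region"] != profile["region"]:
        broken.append("cross_region")
    # Large extractions are the insider pattern the text worries about.
    if rec["action"] == "EXPORT" and int(rec["rows"]) >= BULK_ROWS:
        broken.append("bulk_export")
    if rec["action"] in PRIVILEGED_ACTIONS and profile["role"] != "admin":
        broken.append("privileged_action")
    if int(rec["hour"]) not in BUSINESS_HOURS and profile["role"] != "admin":
        broken.append("out_of_hours")
    return broken


def monitor(lines: List[str]) -> List[Alert]:
    """Walk the full trail but emit an Alert only for records that break a rule."""
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_line(line)
        for rule in exceptions_for(rec):
            alerts.append(Alert(rule, str(rec["user"]), line))
    return alerts


if __name__ == "__main__":
    for alert in monitor(SAMPLE_AUDIT_LOG):
        print(f"{alert.rule:18} {alert.user:8} {alert.line}")
```

Of the five constructed lines only three raise anything: the ordinary SELECT and the administrator's GRANT pass silently, which is the point of monitoring by exception. The rules are deliberately tied to the directory rather than to the log alone, so that the same EXPORT is benign for one role and an alert for another.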

In addition, as part of a company-wide security review, Memec has installed mail sweepers and virus sweepers at its four control points to the internet to protect against virus infection. It also limits employees to business websites.

The company has recently introduced RSA's remote ID system. Remote users use this system to enter the local area network, and then use a password to access their data. This represents a further level of security, but Gifford recognises that more could be done. "I'm sure there's more we can do, but at the end of the day it's a business risk; it's the board's decision."

Project Profile

Company: Memec
Business aims: To keep security tight, without spending big
Products used: Bespoke system database, intrusion-detection systems and RSA Remote ID
Successes: Information has not leaked from the company
Lessons learned: Security and business linked
