30 Mar 2005
Each week vnunet.com asks a different expert to give their views on recent virus and security issues, with advice, warnings and information on the latest threats.
This week Craig Pollard, head of security solutions at Siemens Communications, argues that workstation lockdown, network usage monitoring and old-fashioned indoctrination are the keys to combating network security failures brought about by careless staff.
Recent surveys looking for the number one reason behind IT security breaches point an accusing finger at staff abuse of workplace IT systems, one of the more recent and memorable examples being civil servants using the web to access offensive or inappropriate material.
Such stories project a less-than-responsible view of staff when it comes to using IT at work. Whether intentional or otherwise, from an abuse of trust or an abuse of understanding, the misuse of a network by a workforce dangerously undermines its integrity.
So what can IT managers do to stamp out the problem of IT asset misuse and the security dilemmas this presents? Desperate times call for desperate measures, and any IT manager could be flirting with disaster by not instigating a vigorous set of monitoring and access controls across every facet of an enterprise network.
This must involve locking it down and preventing the type of security calamity that occurs when a hapless employee downloads a free mpeg, or stumbles onto the wrong website during their lunchtime surfing session.
Draconian? Perhaps, but also practical. The harsh reality of dealing with human error and IT now dictates that an enterprise must deploy measures to control and monitor what its workforce can and cannot do with the network.
Email filters that flag up messages containing attachments, obscene content or confidential content; stringent and restrictive web access; and control of workstation user rights to slam the door on downloading 'harmless' software and games all play a significant role in curtailing the damage done by staff who don't know any better when it comes to protecting the integrity of their network.
Likewise, logging, archiving and analysing activity and security-related events like email and web usage information show IT gatekeepers where and how the network is being compromised and who (intentionally or otherwise) is doing the compromising.
What some might call IT networking's answer to Big Brother in fact gives a precise schematic on where a network is coming undone and who is doing the undoing. It's hardly an Orwellian nightmare of constant surveillance, but rather a necessary response to the myriad threats that an enterprise must now fend off to preserve its network and its productivity.
The effectiveness of such measures, however, will all be for naught if not accompanied by focused staff training in security. Too often, information security is seen as purely a technology dilemma. A robust IT network can still be undone by an inadequately trained and uninformed workforce that is unaware of, or unwilling to accept, its responsibility in network security.
This emphasises the importance of teaching staff about the hidden threats they can encounter, and making them adhere to an IT 'code of conduct' to cover their network use and prevent potential security incidents before they happen.
Without co-ordinated staff education, training and awareness programmes, information security can at best only operate at 50 per cent of its effectiveness. Training is therefore as essential in a network security policy as the most cutting-edge virus patch or state-of-the-art email filter software.
Only in this way can organisations act now and act forcefully to meet and defeat the threats they face from the enemy within as well as the enemy without.