SECURITY CONSULTANCY HELPS FIGHT THREAT FROM DISGRUNTLED EX-EMPLOYEES

Tuesday 19 June 2001

Digital security consultancy @stake reveals that the current wave of hi-tech redundancies is opening up another vulnerability that puts UK businesses at risk

UK businesses are failing to take adequate security precautions against disgruntled ex-employees using company IT equipment and inside knowledge to commit digital sabotage. With a greater percentage of business being conducted over the Internet, more workers handling affairs from remote offices and an increasing amount of important company information stored on company servers, organisations are vulnerable to misuse of their digital information or resources by former staff.

To help companies avoid financial loss and immeasurable embarrassment caused by these actions, digital security consultancy @stake (www.atstake.com) has created a set of guidelines that should limit this new risk.

@stake stresses that vulnerable companies may unwittingly enable ex-employees to expose commercially sensitive information, such as pay structures, business plans and valuable product information, or simply allow unrestricted access to IT resources at the company's expense. Even ex-employees with no technical expertise, armed with just an Internet-ready PC, can profit from their former employer's lax security policy. Failure to disable passwords and accounts, relaxed rules for the return of company laptops and the exploitation of ex-colleagues' multiple-user accounts are all identified as potential security holes by the experts at @stake.

Sandra Baccari Edler, Senior Research Analyst at IDC commented, "One of the most often over-looked and under-estimated risks to the security of any company is, quite simply, its people. Securing a company is an on-going process that only succeeds when individuals in the organisation embrace the security policies that are set out for them.
Because most companies struggle to maintain a proper level of security with existing employees, the tendency to overlook the potential threat posed by ex-employees can be quite strong."

Royal Hansen, practice director Europe @stake commented, "It's no secret that, in the past, companies may find that a few pens, folders or even a laptop may go missing as an employee is shown the door. Today, we are increasingly finding that, as well as physically clearing their desk of its contents, employees are emptying their former company's documents, databases and spreadsheets of confidential data, long after they have left their company car keys behind."

"Companies can greatly reduce this threat by taking a few sensible steps, such as ensuring accounts are shut-off as soon as a member of the company leaves and making regular checks on their network perimeter to log all connections. These simple measures should deny access to the majority of non-technical ex-employees who may be tempted to use company resources and subscriptions at great expense to the company."

Hansen continued, "Most importantly, this vulnerability highlights that IT security is predominately a people issue, rather than a product issue. Costly security measures will do little to prevent the risk of ex-employees compromising confidential data, compared to having an agreed policy in place that can be implemented as soon as an employee leaves a company. We have outlined a set of realistic measures that should help companies protect data and resources from disgruntled individuals."

@stake's guidelines to limiting the threat from disgruntled ex-employees

Patrol your perimeter - Companies should regularly make security checks on their network perimeter, building a log of all the connections. Armed with this knowledge, as soon as a member of personnel leaves, the company can identify the holes in the network that need to be closed off.
Roll-call of company equipment - Laptops owned by the company give employees an excellent tool to start their attack. A regular stock-take of all IT equipment and the member of staff borrowing the equipment will make it easier for a company to identify the equipment to recall after staff cutbacks.
Check for unofficial accounts - Employees may have set up their own accounts, other than those allocated by the company, which may go unnoticed when the employee leaves. A regular inspection will alert the company to any new accounts.
Terminate user accounts - Companies should have a routine of simply turning off access to a user's account once they are no longer employed.
Disable passwords - Companies should have a policy of expiring the passwords of employees immediately after departure.
Careless talk costs - There should be a realistic policy in place to ensure employees do not pass on updated passwords to ex-colleagues or allow them to share a multi-user account. Companies should ration multi-user accounts to situations where business benefits outweigh security risks.
Work together - The IT manager should work with other relevant departments, such as Human Resources, to ensure the smooth implementation of a planned IT security procedure.

-ends-

About @stake:

@stake works where business and technology intersect, because that is where security is most powerful. The firm integrates technical and business expertise to build security solutions that look beyond the network to the security of applications and data, and future business goals. @stake couples vertical industry expertise in three areas -- financial services, communication service providers and e-markets -- with pioneering research, to design and build strategic security solutions that enable the electronic business initiatives of its Global 2000 clients.
Amidst other providers for whom security services are a way to sell products or drive the sale of broader service offerings, @stake stands out with its dedicated focus on security consulting services and the unmatched calibre of its people. @stake security consultants and research scientists built their expertise at premier organisations including the L0pht, Cerberus Information Security, DERA, the National Security Agency, Axent, BBN, Deloitte & Touche, Open Market and RSA. @stake matches its unparalleled security talent with equally strong vertical industry and business expertise drawn from Sapient, Cambridge Technology Partners, Arthur Andersen, Fleet, Fidelity, Exodus, Nortel and Interpath.

For further information go to: http://www.atstake.com

Contact

Brodeur Bfour
Matthew Ward
email@example.com
Tel: +44 (0) 1753 448875

Lena Ahmed
firstname.lastname@example.org
Tel: +44 (0) 1753 448861

IDC
Sandra Baccari Edler, Senior Research Analyst
IDC Amsterdam, Netherlands
email@example.com
Direct office tel: +31 (0) 20 408.9532
http://emea.idc.com or http://www.idc.com

This press release was distributed by ResponseSource Press Release Wire on behalf of Pleon in the following categories: Consumer Technology, Personal Finance, Business & Finance, Computing & Telecoms, for more information visit https://pressreleasewire.responsesource.com/about.