Internal hacking poses silent threat for companies
Before you log in to read the rest of this article, you’ll have to change your password. Six characters or more, and please, don’t use your birth date – your company’s information security may depend on it.
It’s a common practice at companies, requiring a personal password change, but how many employees actually know its importance, or know how potentially dangerous phishing schemes can be for their company?
Although external hackers consistently grab the headlines with attacks like the theft of 45 million credit card numbers from T.J. Maxx, a survey shows that the biggest threat to a company’s information security is the employees inside the company itself.
According to the Computer Security Institute’s (CSI) 2008 Computer & Security Survey of 522 computer security practitioners in the United States, 44 percent of respondents reported insider abuse of networks, making it the second most frequent form of security breach, slightly behind virus incidents (49 percent), but well ahead of the 29 percent of respondents who reported unauthorized access.
It’s more likely that an upstanding 20-year employee will access company salaries to better negotiate his pay than it is that a super-hacker will access your credit card files. More likely still, an employee will unknowingly give away the keys to your company’s information Ferrari by using a password that gives a hacker easy access.
Qing Hu, an Iowa State University professor and chair of the logistics, operations and management information systems department, began doing research at Florida Atlantic University in 2003 in an effort to better understand the human factors that should be considered in security initiatives. What he found was that many times companies were having security problems not because they didn’t have sophisticated technology to protect their information, but because employees were not following procedures, or the company had a few bad apples eager to gain access to confidential documents for personal financial gain.
“Most of the employees are not even aware that there are so many different tricks that hackers can play,” said Hu, who is also a Microsoft-certified systems engineer and solution developer. “External hackers employ the weaknesses of human beings in organizations.”
While those employees are unknowing contributors to security lapses, other workers have a more malicious intent.
Hu cited one company, a gaming Web site that required customers to buy credits, which they could then use to purchase game money in order to play the game. An employee inside the company began issuing game money to his friends, and his friends turned around and sold the game money on eBay for real cash.
Hu said that is just one example of internal breaches, which are more prevalent than the reported figures suggest (see sidebar about why incidents of internal abuse are underreported). A common occurrence, he said, is employees accessing documents and company secrets to sell to competitors.
“Employees are motivated by the financial benefits,” Hu said.
What kind of employee does this?
Hu recently set out with colleagues in the United States, China and Finland to try to identify what induces employees to commit internal fraud or restrains them from doing so. The study surveyed approximately 200 employees in an effort to find out what personality and psychological profiles would make people likely to commit an act of internal abuse.
Each participant was first asked personality questions, then presented with three hypothetical scenarios: Would you look up payroll data to negotiate a better salary, steal a commercial secret and sell it, or help a friend in the company by accessing restricted information? The participants were each given varying levels of potential punishment if they were caught, and then asked whether they would take part in each act of internal misconduct. Then, Hu said, the responses were matched against the personality answers to build a profile of the kind of person likely to say he or she would commit the act.
The results were quite surprising to the researchers.
Up to that point, the philosophy of management was to deter employees from committing internal fraud through punishment.
“But what we found in this study is that it is not the punishment that deters people, it is how attractive or how benefiting it is if I conduct a breach,” Hu said. “So it is the positive motivation, not the negative deterrent, that most likely induces people to commit security fraud.”
The study showed Hu that two personality traits characterize people who overestimate the benefits of conducting computer fraud: low moral beliefs and low self-control.
“We know of some people that have real strong self-control, which means they don’t do things impulsively, they don’t take risk without careful calculations,” Hu said. “And there are types of people that have very low self-control, and will make a decision without much thinking.”
Low self-control, Hu said, coupled with low moral beliefs makes someone more likely to commit fraud, because they are less likely to even consider the punishment that serves as a deterrent to someone who does consider the risks.
“So that tells me that punishment does not solve the problem,” Hu said. “And if you just have strong policies that say we are going to fire you or send you for criminal prosecution, then that will not solve the problem.”
How to combat fraud
On the assumption that the companies in question already have solid information security technology in place, along with strong record-keeping and monitoring processes, Hu offered three research-based recommendations for reducing the number of internal security abuses.
Hu recommended that companies reduce the attractiveness of the information and data stored on their servers, making it less rewarding for internal and external abusers to commit fraud.
“Anything that I don’t need to keep on my server I should not keep there,” Hu said. “Let it be other people’s problems, not your problem. It reduces the perceived benefits of attacking you.”
He offered the common practice of storing credit card numbers on the server as something companies could eliminate. He said companies don’t need to store credit card numbers and can dump each number after it’s used in a transaction.
“Unfortunately, many companies believe that they need that credit card number on their server,” he said. “So they keep accumulating the numbers, then one day they are stolen, they were breached, and then they are in big trouble.”
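Hu’s first recommendation, keeping the card number off your own server once the transaction is done, looks like the following in code. This is an added example written for this page, not code from the article or from Hu’s research; the payment processor it talks to is a hypothetical stand-in (a real processor’s API differs, but the shape is the same: card data goes in, an opaque token comes back). The transaction and the card number are constructed sample values; the number is a widely published Luhn-valid test number, not a real account.

```python
import re
import secrets
from typing import Any, Dict

# Constructed sample transaction, shaped like the input a checkout handler receives.
# The card number is a published test number, not a real account.
SAMPLE_TRANSACTION = {
    "order_id": "ORD-1001",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/30",
    "cvv": "123",
    "amount_cents": 4999,
}

# Card data that must never reach the merchant's own storage once the charge is done.
SENSITIVE_FIELDS = ("pan", "expiry", "cvv")


def digits_only(value: str) -> str:
    return re.sub(r"\D", "", value)


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used only to reject mistyped numbers before they are sent anywhere."""
    digits = [int(c) for c in digits_only(pan)]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class StandInProcessor:
    """Hypothetical payment processor: it keeps the card data on its side and
    hands the merchant an opaque token that can be used for refunds later."""

    def __init__(self) -> None:
        self._vault: Dict[str, str] = {}  # token -> PAN, exists only on the processor side

    def charge(self, pan: str, expiry: str, cvv: str, amount_cents: int) -> Dict[str, Any]:
        if not luhn_valid(pan):
            return {"approved": False, "token": None}
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = digits_only(pan)
        return {"approved": True, "token": token}


def retained_record(transaction: Dict[str, Any], result: Dict[str, Any]) -> Dict[str, Any]:
    """The record the merchant keeps: enough for refunds and support, nothing that identifies the card."""
    pan = digits_only(transaction["pan"])
    return {
        "order_id": transaction["order_id"],
        "amount_cents": transaction["amount_cents"],
        "approved": result["approved"],
        "processor_token": result["token"],
        "card_last4": pan[-4:],
    }


def leaks_card_data(record: Dict[str, Any], pan: str) -> bool:
    """True if a sensitive field survived, or if the full PAN digits appear in any stored value."""
    if any(field in record for field in SENSITIVE_FIELDS):
        return True
    full = digits_only(pan)
    return any(full in digits_only(str(value)) for value in record.values())


def process_and_store(transaction: Dict[str, Any], processor: StandInProcessor) -> Dict[str, Any]:
    """Charge the card, keep the minimal record, and drop the card data from memory."""
    pan = transaction["pan"]
    result = processor.charge(pan, transaction["expiry"], transaction["cvv"], transaction["amount_cents"])
    record = retained_record(transaction, result)
    if leaks_card_data(record, pan):
        raise RuntimeError("card data would have reached storage")
    for field in SENSITIVE_FIELDS:
        transaction.pop(field, None)  # nothing downstream can log or persist it by accident
    return record


if __name__ == "__main__":
    print(process_and_store(dict(SAMPLE_TRANSACTION), StandInProcessor()))
```

The point Hu makes is visible in the retained record: a stolen copy of the merchant's database yields order ids, amounts, tokens that only work with that processor, and the last four digits, so the data is worth far less to an insider or an outside attacker. The `leaks_card_data` check is the kind of guard a practitioner would add so that a later change to the record shape cannot quietly reintroduce the full number.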
And what about the trade secrets or confidential data that companies must keep on their server in order to conduct business?
“Sometimes you have a secret design, or pricing, or cost figures that you have to keep,” Hu said. “In that case you have to ask, how do I increase the moral belief of employees?”
Hu said developing a company culture that emphasizes being a good citizen and demonstrates that the company intends to do good not just for itself, but first for society, can help reduce the potential for internal abuse.
“If the company has a culture that says profit, everything is profit, profit, profit, then they are going to have a very low moral standard in their company,” Hu said. “Then they are going to have more people inside of their company that are potential abusers of their own system.”
Hu’s last recommendation was psychological screening of new and existing employees, so that those who demonstrate low self-control are kept out of positions that would tempt them into internal fraud they otherwise would not commit.
“If you have low self-control, that doesn’t make you a criminal; they might be very productive employees,” Hu said. “But they probably will be tempted more easily than other people, given the opportunity. So if you keep them in other positions where they don’t have easy access to those kind of things, then they will probably be wonderful employees for your company.”
The future?
Companies are aware of the security issues, Hu said.
“It is not that they are basically covering their eyes and ears, and saying I don’t know security and I don’t want to listen to it,” he said.
According to the CSI survey, 82 percent of companies are now engaging in information security awareness training of some sort.
“You have to let the people understand not just that security is important – everybody will tell you security is important and nobody will say security is not important – but understand there are many different ways security breaches are conducted or perpetrated so that people can be more cautious,” Hu said.
Hu said the next step for companies that want to deal better with internal security issues is to follow his research-based recommendations: screen employees, improve the company culture and reduce the attractiveness of the information kept on the server.
“I think this is the level that has probably not really gotten into the normal thinking of management yet,” he said.
Hu said he would like to do more research into the ways companies can influence employees not to commit acts of internal abuse, and also keep employees more vigilant about security – and remembering the importance of changing a password.
Oh, and please don’t try to access my Business Record computer. I promise, my password isn’t 040887. I just reset it last week. Just don’t ask my sister her birth date … backwards.