Staff the weak link in security


17 Sep 2004


Despite the growing threat posed by hackers and viruses, employees are likely to be the biggest security liability an organisation faces, a new survey has found.

“The way we work in the office and use our IT creates the greatest exposure to a breach of information security. Attacks from hackers and viruses get the most attention, but it is the behaviour of a company’s workers that can create the greatest problems,” says John Alcock, managing security consultant at Fujitsu Services, which conducted the research.

Alcock argues that by applying a more consistent IT security policy or even just making workers more aware of how their behaviour can expose the company to attacks, organisations can dramatically reduce the risk of an information security breach and at a much lower cost than buying security technology products.

Fujitsu Services identifies several weak spots that tend to be neglected by businesses. High on the list is the practice of plugging personal devices, such as laptops or PDAs, into a corporate network. Doing so increases the risk of releasing viruses onto the network.

Other security no-nos include: allowing a new joiner or temporary worker to share a log-on account to the corporate networks, which can inadvertently give unauthorised access to sensitive information; letting home workers print out sensitive documents on the office printer; failing to tell the IT department when an employee has left the company, which results in many ex-employees having remote access to corporate systems and is particularly high risk if the employee left on bad terms; forgetting to lock your PC when away from your desk, which gives any person walking by access to all your e-mails and network drives; and maintaining an inadequate password policy.

By Brian Skelly