The biggest threat to businesses comes from the inside

10 Jul 2008

Devices like the new iPhone 3G are being hyped as the business tools of tomorrow. But firms don’t realise that employees are losing devices with valuable information to eagle-eyed, opportunistic thieves.

Every year businesses spend millions of euro ring-fencing their computer systems with sophisticated firewalls to keep hackers and script kiddies – ranging from bored teenagers to vicious criminal gangs – at bay.

But, a leading computer expert says, the threat to IT systems from hackers is almost disproportionate to the damage inflicted on businesses by their own workers.

Threats range from executives careless with devices they are trusted with, such as phones and laptops, to disgruntled workers leaking sensitive information to competitors.

Last week it emerged that a former IT manager who cost the National Education Welfare Board an estimated €700,000 in unnecessary IT equipment and services had falsely claimed during an interview he had a PhD qualification.

Earlier this year, Ireland was rocked by the revelation that a laptop containing medical information on 175,000 blood donors belonging to the Irish Blood Transfusion Service was stolen in New York.

It subsequently emerged that a number of laptops belonging to Bank of Ireland Life and containing data on 31,500 account holders were stolen over a six-month period and not reported. In the case of Bank of Ireland Life, the laptops had no encryption to protect the data.

“These are just the tip of the iceberg,” says Rene Hamel, an expert on forensics at KPMG. “The amount of damage caused to businesses by employees not securing information or devices is hard to quantify because fear of adverse publicity means incidents are rarely disclosed.

“One point I’d like to make is that for all the investment companies make in IT security, it is not proportionate to the actual data they use for business. A company whose data is its life’s blood would typically spend less than 5pc of its IT budget on security or skills.

“The biggest losses to firms are often from an internal source. You will never see a hacker making €700,000 in a newspaper headline. While hacker stories have a sexiness, the reality is that huge losses in business are due to employees who leave the company with vital information they either give to competitors or use to start their own businesses.”

Hamel should know, having been intrinsic to many investigations into corporate fraud. He has over 16 years’ experience of criminal investigations, including performing computer forensic examinations with the Royal Canadian Police, and has helped solve crimes ranging from murder to sexual assaults and serious fraud cases.

“I investigate a lot of crimes around white-collar crime and usually problems arise when an employee leaves on bad terms taking a client list with them. In one case, I looked at a financial company who had an ex-employee they suspected of taking a customer database and bringing it to a competitor.

“The case went to court and the rival company used the defence that the information on the database, such as names and phone numbers, could have been obtained easily from anywhere. The one thing they didn’t consider was the database had a field with codes that were used for sending marketing material or follow-up calls. This proved the competitor to be at fault and it resulted in a massive fine and adverse publicity.”

Such cases aren’t rare, he says. “They happen everywhere.”

Hamel reckons the biggest threat to IT security in the coming years is the loss of devices like smartphones and laptops. While it is one thing to lose a laptop, new phones ranging from the omnipresent BlackBerry to the Apple iPhone 3G, which launches tomorrow, can have as much as 16GB of storage.

This is more than enough space to store a company database many times over. Not only can they connect to the internet and make data transmission easy, their snazzy appearance as consumer devices makes them attractive prey for opportunistic thieves.

Some organisations are already getting proactive to prevent data breaches through these devices. The Department of Foreign Affairs has banned the use of BlackBerry-type devices.

“The department does not currently use BlackBerry or BlackBerry-type devices,” a spokesperson confirmed. “The department is reviewing the feasibility of introducing ‘push email to mobile’ devices, including their compatibility with the security requirements of its existing ICT network.”

The new iPhone 3G is not only an attractive consumer device, it is being viewed as a future business device for receiving email and mobile working, whether through sharing presentations or conducting e-business. According to Gartner, some 35pc of Fortune 500 firms are trialling iPhones for deployment among executives.

Because of their snazzy nature and the hype surrounding them, such devices are a glittering prize in the eyes of thieves. Hamel warns that astute organisations should be focusing on technologies like encryption to safeguard iPhones and similar devices.

“It’s a potential disaster. Companies spend a lot of money to protect their assets. The biggest threat today is not so much hackers but laptops assigned to employees who connect remotely. Many are failing to encrypt these devices.

“BlackBerry devices can be encrypted and if you lose one there’s very little chance you’ll recover information from it. The iPhone will have to do the same thing. There’s a lot more information on them, anything between 8GB and 16GB.

“I would hope that businesses considering using them have studied the encryption situation,” Hamel says.

By John Kennedy

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years