Governments May Overlook a Potentially Great Threat: Their Own Employees


As IT organizations shore up their systems against attacks, many state and local governments overlook a potentially greater threat: their own employees.

Dangers lurk within your perimeter, not only in the form of nefarious employees, but also (and more commonly) in careless workers or users who are unaware of or disregard proper security practices. Although security technologies are key, a layered defense alone won’t protect you. IT must also pay attention to the organization’s people and what they’re doing on the network.

The enemy within is the silent killer of our business, according to Mark Weatherford, executive officer for the Office of Information Security and Privacy Protection in California. Just look at what happened this summer in San Francisco when one employee essentially hijacked the network by denying city leaders access. The network administrator’s refusal to hand over passwords cost the city more than $1 million. This case is an extreme one, but smaller incidents happen more often than we care to admit.

For starters, mitigate the threat by performing background checks on IT employees, as the state of Pennsylvania does. “The Office for Information Technology vets all new employees and conducts criminal background checks as a standard part of the hiring process,” says CIO Brenda Orth. “More stringent vetting processes are conducted when agency requirements are elevated, or where there is heightened sensitivity or confidentiality of the data or systems being supported.”

Background checks would have helped in San Francisco’s case. According to news reports, the employee had previous convictions for aggravated burglary, aggravated robbery and theft, and spent four years in prison. Such experience doesn’t bode well for entrusting someone with sensitive citizen and financial data.

Trust Needn’t Be Dangerous

Many states have made significant strides in stopping the use of Social Security numbers as identifiers, the Identity Theft Resource Center reports.

People inherently want to trust others and don’t want to believe a colleague would intentionally harm the organization. The solution? Trust, but verify. Develop strong network configuration management processes and separation of duties, revisit change control procedures, closely scrutinize log files, and deploy employee monitoring and anomaly detection tools.

“It’s important to remember it doesn’t have to be a disgruntled employee,” says Weatherford. “Inattentive, lazy and cavalier employees are responsible for most of the insider security and privacy-related problems. That’s where knowing your people and immediately correcting bad practices can mitigate potential problems.”

You cannot diminish the importance of training employees in security risks and how to take proper precautions with sensitive information, such as using full-disk encryption. In fact, Pennsylvania Chief Information Security Officer Bob Maley mandates that all state employees go through security awareness training every year to familiarize themselves with risks, such as phishing attacks.

That’s good news, because the bad guys aren’t going away. The Identity Theft Resource Center predicts a flurry of targeted attacks on organizations this year. One challenge is that organizations that collect personally identifiable information may be cutting IT security staff. At the same time, thieves continue to hone their hacking techniques and other methods of illegally snooping for data, the organization reports.

In the end, sound security hinges on deploying tools that let IT vigilantly monitor behavior on the network, not the people, and then reaching out to users about how that behavior keeps data safe from would-be intruders at the network gate.

Jim Shanks is executive vice president and former CIO of CDW.

Jan 15 2009