CMP Network Computing
Log In to Network Computing
   Techweb
 
Top 11 List Security Channel SpamOmeter Internet Threat Level
Live Lab Cams Storage Channel IT Pro Downloads Network Design Manual
 Site Map |  What's New |  Current Issue |  Past Issues |  Article Index |  Newsletters |  Content Feeds |  Subscribe
Welcome to Network Computing Networking News Product Reviews, Sneak Previews, Analysis Workshops, Primers, Tutorials Site Content According to Technology Covered Forums, Blogs, Opinions Site Tools for IT Professionals Centerfold Case Studies Interactive Buyer's Guides


IT Knowledge Made Simple
Stay on top of strategic IT infrastructure trends with our special IT StrategyCenter, powered by StudioOne Networks.
Regulatory Resource   Threat Intelligence      Resilient IT      Boardroom Strategies      
Regulatory Resource / Sectors

Government: Fighting Security Threats from Within

By Todd Wasserman

The term "internal security threat" in government conjures visions of malevolent employees sabotaging workstations for political purposes or out of spite, but in reality it's poorly trained employees who are more of a threat.

"I'd say 80% of the time the risk is from non-malicious employees," says Tom Jarrett, CIO for the state of Delaware. Jarrett offered this example: "I don't train you, and then you inadvertently do something that opens up files that shouldn't be made public."

While no one yet has offered a definitive monetary figure for all the harm reaped by internal security threats in government, many say it has increased of late.

According to the Journal of Computer Mediated Communication, there were fewer than 50 reported incidents of compromised records for state IT systems in 2004, but that number spiked roughly five-fold within the next two years. It's not only municipal IT systems that are at risk; state and local government IT operations reflect trends that are also prevalent in the private sector.

Khalid Kark, a senior analyst with Forrester Research, says that many private firms are including the potential costs of such threats into their IT budgets.

"This is a significant," Kark says. "I was talking to one investment banker who said his bank is having 100 incidents like this a quarter."

The rise of internal security threats
Analysts who track internal security threats in the private and public sectors attribute several common factors to its rise in recent years, including:

  • The increased use of contractors, who have no loyalty or vested interest in the government agency or firm for which they are hired.
  • Larger and larger networks, which offer more potential weak points to exploit.
  • Pervasive computing. BlackBerrys, iPods, and even cell phones are now capable of making off with relatively large amounts of data.

Nevertheless, it's usually the external threats like viruses and worms that get the press attention.

"It's one of those threats that tends to be overlooked," says Mary Gay Whitmer, a spokeswoman for National Association of State Chief Information Officers (NASCIO) in Lexington, Ky. In April, NASCIO even issued a press release urging such IT professionals to "Take action now!"

Government CIOs can take action
What type of action can government CIOs take? NASCIO offers several suggestions, including:

  • Trust, but verify A more accurate way to put this might be "trust, but don't trust." The organization suggests that CIOs diligently monitor employees by auditing email and Internet use, both of which can potentially uncover warning signs of questionable behavior. Concordant with this is to make a regular practice of executing background checks on all current and future employees. This also applies to contractors.
  • Make an example of those caught NASCIO suggests acting swiftly to expel and even prosecute employees who have sabotaged the system from within.
  • Include training in ethics along with general IT training The organization says such training "could serve as a reminder of the importance of integrity and the level of responsibility that accompanies IT access privileges."
  • Consider creating a Chief Information Security Office (CISO) position A full-time CISO is charged with monitoring all threats -- internal and external -- and can be an important buffer to protect IT departments from sabotage.
  • Close off universal serial bus (USB) ports The most direct way to thwart potential data thefts via iPods and other portable devices is to use configuration management to close such routes of entry. NASCIO also suggests issuing employees mobile devices that can be monitored and periodically audited.
  • Encrypt data This is another way to head off potential mobile device data thefts. Once encrypted, sensitive information is, in theory, extremely difficult to access.

In addition, Kark says IT departments should make sure they have processes in place to avoid data breaches. For example, "We tend to say you shouldn't give your password out to anybody," he says, "but then someone calls from your IT desk and asks for your password, what do you do?"

Still, when the main source of internal data breaches is untrained employees, many argue that training is the best weapon. As the state of Delaware's Jarrett notes, technical fixes only go so far.

"We spent a lot of time doing an effective job of closing our perimeter, but you can't stop everything," he says. "Anybody who thinks they've found a tool that 100% protects them is living in a dream world."

Todd Wasserman has more than 15 years' experience writing for The New York Times, The Industry Standard and Business 2.0, among other publications. He is currently editor of Brandweek magazine.

IT Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.

Articles by Topic
Sectors
Law
Tactics
Related Content

Features

View More


Metrics

View More

Fast Fact

"It's one of those threats that tends to be overlooked."

--Mary Gay Whitmer, a spokeswoman for the National Association of State Chief Information Officers (NASCIO)
Sponsor Tools

White Papers

View More


Resources
Podcast Audio Content

CIO Strategy Center is now available in audio format.

This week's feature topic is:


Mobile and Malicious
Playtime: 10 min 10 sec



Download | Subscribe

Copyright © 2008 Studio One Networks. All rights reserved.
Advertisement
Site Navigation
Home | Article Index | Newsletters | RSS Feeds | Site Map | IT Tools | Reviews | Technologies | Workshops/Tutorials | News | Forums/Blogs/Opinion | Bookstore | Jobs | RFP/RFQs | White Papers | Audio | Downloads | Editors | Webmaster | Sales and Marketing | Magazine Media Kit | Online Media Kit | Events | Reprints | Editorial Calendar
Technology News and Opinion
Small Business Pipeline | IT Utility Pipeline | Business Intelligence Pipeline | Desktop Pipeline | Compliance Pipeline | Server Pipeline | Storage Pipeline | Security Pipline | Mobile Pipeline | Linux Pipeline | Advanced IP Pipeline
Companion Sites
Independent Testing Services | Network Magazine | IT Pro Downloads | UnixWorld | Interactive Buyer's Guide | InternetWeek | InformationWeek | Transform Magazine | Pipeline Technology Sites | Intelligent Enterprise | TechWeb | Shop-Marketplace.com



TechWeb is brought to you by CMP Media LLC, Copyright © 2004
Privacy Statement | Terms Of Service