Strohl Systems Recovery Chronicles
April 2008

Why Do So Many Information Protection Programs Fail?
Tom Peltier

The missing factor in an effective information protection program is employee involvement. Many organizations go to great lengths to develop an extensive set of controls and countermeasures, purchase the latest technology, design in audit trails, and print out security logs…and still security fails.

Often this is the result of not understanding the culture and direction of the organization and its employees. To develop an effective information protection program, it is helpful to examine “war stories” to see where controls failed in other organizations. Inevitably, these stories expose six key elements that lead to the breakdown of information protection programs.

The Big Six

Uncontrolled or Inadequate Access
An employee working for a manufacturing facility in the Midwest was passed over for a promotion. Wanting to know who was better qualified, he decided to access the human resources system. Once in the system, he found that employees were listed by job classification bands and then rated numerically based on their last appraisal. He felt that this was some good information, so he printed it out and then made enough copies to post on bulletin boards, coffee machines, and in the cafeteria. The investigation turned up who was responsible for the postings and, during his exit interview, it was learned that he had gained access by using the director of HR’s password. The HR director’s password was still the default, new user password – the first four characters of his last name.
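The HR story turns on an account that was never moved off its initial password. As an added example, not code from the article, the following Python audits a password store for exactly that condition. The derivation rule (first four characters of the surname) is the one the story describes; the account records, salts and PBKDF2 hashing scheme are assumptions made for illustration.

```python
"""Added example (not the article's own code): audit which accounts still
carry the initial 'new user' password.  The derivation rule (first four
characters of the surname) is the one the article's HR story describes; the
account records, salts and PBKDF2 hashing scheme are assumed for illustration."""
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed work factor for the stored PBKDF2-HMAC-SHA256 hashes


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def default_new_user_password(last_name: str) -> str:
    """The initial password the article describes: first four characters of the surname."""
    return last_name[:4].lower()


def make_account(username: str, last_name: str, password: str) -> dict:
    """Build a constructed account record of the kind a password store might hold."""
    salt = os.urandom(16)
    return {"username": username, "last_name": last_name,
            "salt": salt, "hash": hash_password(password, salt)}


# Constructed sample user store (not real accounts).
SAMPLE_ACCOUNTS = [
    make_account("hrdirector", "Director", "dire"),            # never changed the default
    make_account("asmith", "Smith", "correct horse battery"),  # changed it
    make_account("bjones", "Jones", "JONE"),                   # default, different case
]


def accounts_on_default_password(accounts):
    """Return usernames whose stored hash matches the surname-derived default.

    Each candidate is hashed with the account's own salt and compared in constant
    time, so the audit works from the hashes alone and never needs the plaintext.
    Case variants are tried because users often 'change' only the capitalisation.
    """
    flagged = []
    for acct in accounts:
        base = default_new_user_password(acct["last_name"])
        for candidate in (base, base.upper(), base.capitalize()):
            if hmac.compare_digest(hash_password(candidate, acct["salt"]), acct["hash"]):
                flagged.append(acct["username"])
                break
    return flagged


if __name__ == "__main__":
    for user in accounts_on_default_password(SAMPLE_ACCOUNTS):
        print(f"{user}: still on the default new-user password; force a change")
```

Run against a real store the same way: derive the default for each account, hash it with that account's salt, and force a change on every match. The check never reveals anyone's chosen password, only whether it is still the one HR handed out.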

In November 1988, Robert Morris, Jr., a graduate student in computer science at Cornell, wrote a self-replicating program called a worm and released it on the Internet. The program was flawed, and it replicated and re-infected machines at a much faster rate than he had anticipated. In 1988 there were almost 62,000 Internet host systems, and it is estimated that Morris brought down about 10 percent of those systems. The estimated cost of dealing with the worm at each installation ranged from $200 to more than $53,000. Today there are hundreds of millions of Internet hosts, and a worm of the Morris magnitude could cause genuine havoc.

The ability to control access to systems, data, and information is a vital element of any information protection program. As these examples show, this first line of defense is often easily breached and problems can occur.

Vague or Undefined Responsibilities
A large engineering firm was converting to PCs and having employees move mainframe applications to their desktops. The backup responsibilities changed with the move, but the users (the help desk’s customers) were not informed. After about six months in the new processing environment, an office administrator called the help desk to request that her Excel spreadsheet be restored. The help desk directed her to the LAN administrator. The LAN administrator asked for her backup diskettes. She asked the LAN administrator about the backups that operations normally used to restore her old mainframe applications. Without the necessary backups it proved impossible to retrieve the Excel spreadsheet.

A construction firm in Atlanta had a rather lax backup and storage policy for diskettes. One weekend 50 diskettes disappeared from the offices. Of these 50 diskettes, 10 were considered crucially important: so critical to the operation of the corporation that if they were not found the company faced the real possibility of going out of business. Management was in the process of taking out an ad in the Sunday papers offering a reward, no questions asked. Luckily, the ad never ran. The police discovered that a maintenance employee had taken the diskettes home and was reformatting them so that his kids could play games on their new home computer. “People don’t leave out important diskettes, do they?” was his defense. Only by sheer luck did this company avoid disaster.

Backups have always been a sticking point in the information systems environment. With the movement to distributed processing, the need for users to make and store their own backups has increased. Often, though, the users aren’t informed as to what their responsibilities are. If backups of a workstation are done at all, they are normally stored in the same area as the workstation, and the same diskettes are reused.

Inadequate Training of Personnel
The use of e-mail in business is spreading rapidly, and in many organizations the e-mail system is now the place for office gossip and other conversations unrelated to work. Although some of the exchanged information on e-mail is personal or frivolous, the system also frequently carries vital organization information. The “information mix” raises many moral and business issues that must be addressed.

In a recent Detroit Free Press article, two companies that were in litigation because of alleged discrimination lost their cases because of e-mail messages uncovered in the discovery process. In both instances, private communications between supervisors contained language that was used by the plaintiff’s attorney to support their client’s claims. In each case, the message could have been just an off-hand remark made between two colleagues. These off-hand remarks cost each company financially and in their public image.

With e-mail, there is a false sense of privacy. But e-mail correspondence is as private as a post card. Many employees fail to understand the need to protect classified information. When working through the courts to determine if information is in fact a trade secret, the courts look for four keys:

  1. There was some cost to develop this product or process;
  2. The product or process will provide some form of competitive advantage;
  3. The product or process is not generally known;
  4. The information is kept secret both externally and internally.

Where most organizations fail is in keeping the information secret internally as well as externally. Many employees fax sensitive information in clear text or discuss it over cellular or wireless phones. Once that happens, the organization can no longer credibly claim the information was kept secret, and it may forfeit its trade secret protection.

Unnecessary Temptation
All too often employees are able to stay in a job assignment long enough to determine what would trigger an audit or review. One such individual worked for the federal government as an analyst. This person was responsible for reviewing expense reports and then submitting them directly to disbursement for printing. No one checked his work. In fact no one questioned any of his activities until a mortgage processor couldn’t make his assets match his earnings. This individual was paying almost solely in cash for a $350,000 home in the Washington, DC area, had a number of very expensive automobiles, country club memberships, original oil paintings, and was re-married with two children. He was able to afford all of this on a salary of $40,000 per year and while paying $1,000 a month in child support.

It seems that he discovered that many departments were not using all of their travel and expense money. With what little was left over, it seemed a shame to turn it back to the government so he began to create expense reports for himself. Over an 18-month period he wrote checks to the tune of $1.2 million. Had it not been for the mortgage processor, his scheme might never have been uncovered.

When it comes to the loss of company secrets, one of the most dangerous and hardest to spot threats is the trusted employee. The most likely candidates are employees who may have incurred large debts due to gambling habits, personal circumstances, or drug use. According to Insights magazine, 10 percent of workers are abusing drugs and/or alcohol on the job. Other reasons include involvement with labor/management disputes or individuals who have entrepreneurial personalities. The typical computer criminal is a non-technical user of the system or application who has been around long enough to figure out what would cause an audit.

Disgruntled Employees
During a corporate downsizing, a company’s LAN administrator was let go with two weeks’ notice. Feeling that he was being treated unfairly, he set a 4 megabyte size limit on the system directory before he left. Three months later the limit was reached and the office came to a halt until the problem could be found and corrected.

The Business Software Alliance (BSA) and Software Publishers Association (SPA) have installed hotlines to get and supply information on copyright compliance. Last year BSA got 7,000 calls on its hotline, about half of them were employees who wanted to report companies that were using unlicensed software. Of the calls to complain, nearly 500 resulted in cases with recoveries reaching almost $4 million.

The possibility that a disgruntled employee may provide problems for a company is a very real threat these days and needs to be addressed.

Password Problems
When Commonwealth Films, Inc., was shooting the video Mum’s The Word, the director was setting a scene that had an employee’s password taped to the side of the terminal. The technical advisor was concerned that what was being shown was outdated. The company where the video was being made had an extensive employee awareness program that stressed password security. Leaning into the cube across from the video setup, the technical advisor asked, “If you were going to post your password, where would you do it?” The woman pointed to a note on her workstation and said, “Mine’s right there.”

The network is also a threat to passwords. A password sniffer puts a host’s network interface into promiscuous mode and records the login traffic passing by, including any passwords that protocols such as telnet, FTP and POP send in clear text. Once an attacker has installed a sniffer on one compromised machine, the credentials it harvests give him access, often privileged, to other hosts on the same network segment.
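To make the “as private as a post card” point concrete, here is an added example, not code from the article, that scans a constructed packet capture for what a sniffer would pick up. The addresses, flows and credentials are all made up for illustration. FTP, POP3 and HTTP Basic logins come out readable as-is; the SSH flow yields nothing.

```python
"""Added example (not the article's own code): what a password sniffer
harvests from clear-text protocols.  The capture below is constructed."""
import base64
import re
from dataclasses import dataclass


@dataclass
class Credential:
    protocol: str
    username: str
    password: str
    client: str
    server: str


# Constructed sample capture: (client, server, TCP payload) triples standing in
# for what a sniffer in promiscuous mode sees on a shared network segment.
SAMPLE_CAPTURE = [
    ("10.0.0.5:51000", "10.0.0.20:21", "USER alice\r\n"),
    ("10.0.0.5:51000", "10.0.0.20:21", "PASS Sunshine1\r\n"),
    ("10.0.0.7:51002", "10.0.0.30:80",
     "GET /payroll HTTP/1.1\r\nHost: hr.example\r\n"
     "Authorization: Basic " + base64.b64encode(b"bsmith:smit").decode() + "\r\n\r\n"),
    ("10.0.0.9:51003", "10.0.0.20:22", "SSH-2.0-OpenSSH_7.9\r\n"),  # encrypted session: nothing usable
    ("10.0.0.5:51004", "10.0.0.40:110", "USER carol\r\nPASS letmein\r\n"),
]

# FTP and POP3 send the login as two plain commands; HTTP Basic is only base64-encoded.
USER_PASS_RE = re.compile(r"^(USER|PASS)\s+(\S+)", re.IGNORECASE | re.MULTILINE)
BASIC_AUTH_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)",
                           re.IGNORECASE | re.MULTILINE)

PORT_PROTOCOL = {"21": "ftp", "110": "pop3"}


def harvest_cleartext_credentials(capture):
    """Return every credential recoverable from the capture without any cryptanalysis."""
    found = []
    pending_user = {}  # (client, server) flow -> USER seen, PASS still expected
    for client, server, payload in capture:
        flow = (client, server)
        for m in BASIC_AUTH_RE.finditer(payload):
            try:
                decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            user, _, pwd = decoded.partition(":")
            found.append(Credential("http-basic", user, pwd, client, server))
        for m in USER_PASS_RE.finditer(payload):
            verb, arg = m.group(1).upper(), m.group(2)
            if verb == "USER":
                pending_user[flow] = arg
            elif flow in pending_user:
                proto = PORT_PROTOCOL.get(server.rsplit(":", 1)[1], "user/pass")
                found.append(Credential(proto, pending_user.pop(flow), arg, client, server))
    return found


if __name__ == "__main__":
    for c in harvest_cleartext_credentials(SAMPLE_CAPTURE):
        print(f"{c.protocol:10s} {c.client} -> {c.server}: {c.username} / {c.password}")
```

The same logic, pointed at real traffic, is what a sniffer does; pointed at your own mirror port, it is a cheap way to find which internal services are still accepting clear-text logins and should be moved behind TLS or SSH.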

When doing an initial security review, looking for passwords may be no more difficult than turning over a keyboard, opening an unlocked middle desk drawer, flipping to “P” in a rolodex or looking for a note posted to the monitor.

Sensitive Information in the Trash
Stealing people’s garbage is easier than most people think, and it also provides a wealth of information. Most trash bins are placed with easy public access and the good spy will always dip in.

An owner of a bottled gas company in the Midwest proudly boasted to friends and colleagues that he “rooted around like a pig” in his competitor’s dumpster and was able to get their customer lists.

The 2600 magazine - the quarterly guide for the American hacker - ran an article on how to become a member of a contract cleaning crew to gain access to companies.

The Supreme Court has ruled (California v. Greenwood, 1988) that the Fourth Amendment does not prohibit the search of garbage placed outside the premises for collection. It is legal! Many private investigators now openly advertise garbage retrieval services. Your trash is valuable, so encourage the destruction of all waste paper. Provide shredders to meet the needs of all employees, both at work and away.

What to Do?

Obtain senior management approval and support
Tie security issues to business objectives and/or the mission statement. In order to sell an effective program and get buy-in from senior management, it will be necessary to show them how this process will improve the organization’s mission. Every organization has a bottom line; find out what it is and make sure security issues are always discussed in terms of how they support that goal.

Establish Enterprise-wide Policies
The key to any successful program is to have published policies. The policies must meet the needs and the culture of your enterprise and customers. When developing policies, remember to keep things simple – information should be short and to the point.

Implement an Enterprise-wide Awareness Program
It is vitally important to keep the message in front of employees. It is not sufficient to just publish the policies. Employees must be made aware of their existence. Annual policy reviews should be implemented for all employees. Because of the legal implications, contract personnel may need to review the policies during contract negotiations.

Implement an Enterprise-Wide Business Continuity Plan
Organizations must develop and regularly test business continuity plans. Aside from the legal and regulatory requirements, the investment in an effective BCP makes good business sense and supports the concept of protecting the corporation’s assets. A documented and tested BCP displays management’s due diligence in protecting stakeholders’ investment in the enterprise.

Monitor Compliance
Whenever a new security project is about to begin, the staff should take an evening or two and do a walk-about. Walk through the office environment and check the current level of compliance with some very basic security controls. During this initial review, check for five key elements:

  • locked offices;
  • locked desks and file cabinets;
  • locked and password protected workstations;
  • diskettes are locked in a secure location;
  • any additional information is securely locked away.

These five controls will provide a good indication of the current level of concern over computer and information security. Normally the non-compliance levels during this initial review will be 90 percent and higher. Use this information to gauge the information protection program’s effectiveness by doing another walk-about after the program has been rolled out.

Another key element in monitoring compliance is to establish a positive working relationship with the audit staff. Audit and information protection are concerned with the same issues. It can be very beneficial to work together and present a consolidated front in getting security controls accepted.

Make Compliance an Appraisal Item
Most employees are required to read and sign an annual conflict of interest statement. Work with the audit staff to create a similar document for information security. This document could be included with the conflict of interest statement and reviewed annually with the employees.

Summary

Just as steps are taken to protect employees, it is necessary to involve the employees in protecting information assets. Information must be protected from unauthorized access, modification, destruction, and disclosure. If the enterprise fails to do this, there will be a loss of customer confidence, competitive advantage, and ultimately jobs.

The message of information protection must be published and presented to the employees through an effective awareness program. This program must include regular reminders as to the need to protect corporate assets and who is responsible for protecting those assets.

Information protection is not rocket science. It is taking basic business principles and applying them to the information assets of the enterprise.

2009 Strohl Systems Group, Inc. All rights reserved.