Manufacturers need to refocus IT security on the inside, warns threat specialist

Calum Macleod, European director at IT security specialist Cyber-Ark, points to a recent survey by the company, which found more than one third of IT administrators admitting to using privileged rights to access confidential information. He also claims evidence showing up to 90% of incidents relating to loss of assets resulting from staff that have privileged access to IT systems and applications. “Another interesting side note from [our] study is that 57% who were responsible for the fraud should not have had authorised system access at the time of the attack.” He also notes that 81% of organisations that are attacked experience a negative financial impact; 75% experience some impact on their business operations, and 28% experience a negative impact to their reputations. “I don’t know of any worm, Trojan horse, keylogger, virus, or whatever else that can claim that level of success,” says Macleod. He contends that most manufacturers’ IT security teams are too focused on perimeter security and are missing the “blended threat” of coincidental and premeditated attach from within. “The blended threats that pose the biggest risk are of a much more virulent strain than the odd virus or worm that finds its way to your PC. It’s the threat of the dishonest employee who steals information from your business and the opportunistic taxman who is willing to pay him for it. “Or it’s the employee who used to work in the back office and now works as a trader on your banking floor. It could be the former IT employee who had privileged access to your systems and still has remote access. Or the compliance officer who is being well rewarded for helping your competitor analyse your contracts. “The biggest blended threat today is the worm you’ve hired to do a job and sets about to damage your business,” insists Macleod. His advice is to ensure: End-to-end encryption of stored data and transmitted data User-to-user information exchange via a secure digital vault User-to-system, or system-to-user information exchange via secure digital vault using a secure file transfer Reduce the need for manual intervention Secure tamper-proof audit trail that cannot be modified by IT personnel Beyond these, he suggests: “Allow information owners to control who can access their data in the secure digital vault; allow audit to review who has accessed data, without actually being able to see the data itself; and allow IT administrators to perform backups and restores, and to manage quotas without having visibility of the data itself.” He also counsels users to provide reports on secure activity, and to establish capabilities to limit the sources from which external users can access the data over the Internet. “These requirements should be de-facto for any business, and it’s up to the business to take the lead and not continue to be dictated to by IT staff who don’t understand the business.”