Employees: The Weakest Link
When it comes to security, your employees are your weakest link. Whether the data breaches your company endures are due to
employee ignorance or lack of vigilance—or whether they are malicious—chances
are they were caused by an internal source.
That finding is backed up by a 2007 study from the Computer
Security Institute, a group serving information security professionals. The
study found that insider abuse of corporate networks or e-mail was more
prevalent than companywide virus attacks propagated by external sources.
“It’s the ignorance factor. Many employees just don’t recognize the
consequence of their actions,” said Natalie Lambert, a senior analyst at
Forrester Research of Cambridge, Mass.
Lambert points to an example from a few years ago when, as part of a
research project, she downloaded the music-sharing software Kazaa and searched
“.xls,” looking for Microsoft Excel files.
“You would be shocked at the type of information I found,” she said. “It
certainly wasn’t employees’ intent to share human resources documents, for
example, but I found them, along with plenty other confidential information.”
It’s often that type of situation—in which there was no malicious intent—that
leads to problems. Other unintentional employee actions that can
lead to security breaches include inadvertently downloading malicious code by
visiting an insecure site, or copying files to a thumb drive and taking
sensitive data along without realizing it.
And then, of course, there are malicious actions by external hackers who use
innocent internal employees as foils. Instead of trying to break through
increasingly advanced security schemes, hackers are now targeting attacks at
internal sources by sending them phony e-mails, posing as an HR manager or IT
manager and requesting valuable information. Once an employee divulges that
information, a hacker can easily infiltrate the system, said Ron Teixeira,
executive director of the National Cyber Security Alliance.
The practice is so prevalent that a study conducted by Trusted Strategies,
which analyzed data from cases prosecuted by the Department of Justice between
March 1999 and February 2006, found that 88 percent of cyber-crimes against
corporate networks were caused by the hacker or criminal obtaining an
employee’s ID and log-in information through methods such as phishing e-mails or
password-cracking programs.