
Top 5 Risks caused by employees’ actions

on June 15, 2010

Employees generally do not mean to harm the organization for which they work; however, through a lack of due diligence or a lack of security education, they can sometimes pose a grave security risk to it. Below is a list of risks that a business could face due to an employee’s actions.

1. Insider intrusion

  • Employees tend to hate remembering passwords, especially if they’re forced to change them periodically. Many get around this by simply writing the password down and sticking it to a monitor, giving other employees who might have bad intentions ammunition
  • Talking with their co-workers about their password policies
  • Opening shares and not properly securing them
  • Unintentionally executing Trojans

2. Virus Infections

  • Bringing software into the company from home on portable storage together with a virus infection
  • Accessing sites that are infected while at work
  • Downloading software
  • Opening shares on their machine without proper security

3. External intrusion

  • Installation of a Wireless Access Point
  • Using company infrastructure from a public computer in an internet café while travelling
  • Falling victim to phishing or social engineering attacks
  • Unknowingly installing Trojans

4. Stolen data

  • Sending confidential data home (even innocently, to continue working from home), where it is intercepted on the way or stolen from a home computer that a hacker might previously have compromised
  • Losing laptops or pen drives with confidential data
  • Not encrypting confidential data
  • Installing software infected with malware
  • Mistakenly sharing confidential data after installing P2P software

5. Legal Liability

  • Downloading copyrighted material
  • Sending jokes via email that might be racist or discriminatory
  • Accessing pornographic content from work which might be illegal
  • Posting slanderous comments on forums from work

In most cases, educating employees can help reduce the incidents listed above to a minimum. Periodic network monitoring and access control can also help protect against incidents such as unauthorized software installation.

Have you encountered other scenarios which are not listed above? Feel free to leave a comment and share your experiences.

 
Comments
Janet Kline July 31, 2010 2:39 am

We used to have to bring home some of our work but due to the vulnerabilities these actions present, our office decided to subscribe to a remote desktop control service. It’s a bit of an inconvenience especially if the connection is slow but I guess this is a safer way. Right?

Lilibeth Suarez August 14, 2010 5:08 am

I’m not really sure where to direct this question. I’ve had it for some time now, but only remembered it again while reading this article.

With regards to keeping data as accessible to the most relevant team members as possible (most especially when it comes to group-oriented projects) what’s your take on sites that offer services such as Backpack or Google Wave? I’ve recently realized that such sites may not be as secure as we may think, but are designed to cater to the business-minded individual.

angel August 14, 2010 5:14 am

We’re actually considering switching to that system now. With a lot of our work being brought home, (and most of the staff constantly losing their flash drives), we’ve brought up the idea of implementing a remote desktop control service. The connection issue is, of course, one of our primary concerns, but we’re hoping to conduct a number of field tests before going all in on this.

But how has it been on your end so far?

Gerard Lipton August 14, 2010 7:20 am

We’ve actually run into some concerns with point number five; more specifically, “sending jokes via email that might be racist or discriminatory.”

I know office humor does lighten the mood quite a bit when you’re really in the crunch of things, but it’s hard to gauge the appropriateness of a lot of punch lines if you’re not quite sure what kind of background a lot of your officemates are coming from.