The weakest link
RAF BRUSILOW
Special to Globe and Mail Update
Think hackers and viruses pose the biggest security
threat to your corporate data? Think again. If sensitive information
leaks out, chances are it'll be because someone in your office let
it happen.
While it's true that deliberate sabotage campaigns
by disgruntled malcontents aren't as improbable as most executives
would probably like to think, more often than not, security leaks
result from simple staff carelessness and bad habits born of inexperience
and indifference. Whether it's choosing easily hackable passwords
or copying confidential information without authorization, employees
ranging from front-line desk jockeys all the way up to top executives
are guilty of contributing to corporate computer security breaches.
The most recent Deloitte & Touche global security
survey reveals that last year nearly 75 per cent of data leaks reported
by businesses around the world happened either internally or through
insiders who had some outside help or influence. Yet, only 65 per
cent of businesses surveyed worldwide report training their employees
in matters of data security, with a paltry 6 per cent providing
education or awareness training to newly hired employees.
The message is that for every penny counted in the
business world, a piece of information is potentially slipping away.
"A significant amount of data losses are things that could
have been protected by better procedures," says Howard Schmidt,
a former co-chair of U.S. Homeland Security who also worked as chief
information security officer (CISO) for both eBay and Microsoft.
"For example, there's often a striking lack of encryption when
it comes to sensitive data. What happens if an employee copies sensitive
information onto a CD and then leaves that CD in a coffee shop?
Having a policy that prevents data from being copied or e-mailed
away is just as important as making sure your passwords are safe."
With a recent Omnibus poll showing that 59 per
cent of Canadians use easily hacked passwords such as names or birthdays
in the workplace, it's clear that businesses need to focus on teaching
employees not only how to choose good passwords but also how to
protect them. "Passwords are the fastest way to break into
anything," said Claudiu Popa, president of Toronto-based security
consulting firm Informatica Corp. "Everyone has gotten desensitized
to passwords, so they choose ones that are far too easy." The
problem is that many people see passwords as a nuisance, an obstacle
that delays them on their way to get at important information necessary
for their job, Popa says. In reality, passwords are often the only
line of defence.
For security veteran Tom Welch, president of WISE
Security Solutions, internal leaks, not flashy hack attempts, are
the real silent killers in the business world. "What you see
in the news are the blips, the hacks, but the reality is most times
the breach happens from within the organization," Welch says.
"The big breaches, the real losses, happen at the highest levels
of an organization, and those rarely show up in the newspaper. It's
not because of hacks, it's because of users going above their security
level or being careless with passwords and bad habits. That's how
many frauds occur." Among the many duties Welch's company performs
for its clients, the most interesting is "white hat" hacking.
Essentially, Welch gets paid by companies to hack into their own
networks and pull out as much data as he can, thereby demonstrating
the level of protection — or lack thereof — that company
has for its delicate information. "At many organizations we'll
find blank passwords, or the word 'password' being used, which is
indicative of a weak company policy. Needless to say, it's not hard
to hack into that," Welch says.
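The weak choices named in the two passages above (names and birthdays, blank passwords, the word "password" itself) are exactly the ones a written policy can reject at the moment a password is set, before an audit ever finds them. The check below is an added illustration, not code from the Globe article or from any of the firms it quotes; the deny list, the name list and the sample accounts are constructed placeholders standing in for a breached-password list and a company directory.

```python
import re

# Constructed deny list and name list: stand-ins for a real breached-password
# feed and the organisation's own directory. Not real credentials.
COMMON_PASSWORDS = {"password", "password1", "123456", "12345678",
                    "qwerty", "letmein", "welcome"}
KNOWN_NAMES = {"alice", "bob", "smith", "toronto"}
MONTHS = ("jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec")
MIN_LENGTH = 12


def looks_like_date(pw: str) -> bool:
    """Heuristic for birthday-style passwords: numeric dates or month names."""
    s = re.sub(r"[\s./-]", "", pw.lower())
    if re.fullmatch(r"\d{8}", s):           # 15031985, 19850315, 03151985
        return s[:4].startswith(("19", "20")) or s[4:].startswith(("19", "20"))
    if re.fullmatch(r"\d{6}", s):           # 150385-style short dates
        return True
    m = re.fullmatch(r"\d{0,2}([a-z]{3,9})\d{2,4}", s)   # june1985, 15march85
    return bool(m) and m.group(1).startswith(MONTHS)


def check_password(pw: str, user_attributes=()) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    if not pw:
        return ["blank password"]
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    low = pw.lower()
    # Normalise away punctuation so "Password1!" is still caught by the list.
    core = re.sub(r"[^a-z0-9]", "", low)
    if core in COMMON_PASSWORDS or re.sub(r"\d+$", "", core) in COMMON_PASSWORDS:
        problems.append("on the common-password deny list")
    # Names from the directory plus the user's own account attributes.
    candidates = KNOWN_NAMES | {a.lower() for a in user_attributes if len(a) >= 3}
    for name in sorted(candidates):
        if name in low:
            problems.append(f"contains a name or user attribute ({name!r})")
            break
    if looks_like_date(pw):
        problems.append("looks like a date")
    return problems


def audit(accounts: dict) -> dict:
    """Run the policy over account -> password pairs; return only the failures."""
    return {user: probs for user, pw in accounts.items()
            if (probs := check_password(pw, user.split(".")))}


# Constructed sample accounts for a stand-alone run; not real data.
SAMPLE_ACCOUNTS = {
    "alice.smith": "Alice2001!",
    "bob.jones": "",
    "carol.lee": "15031985",
    "dave.ng": "correct horse battery staple",
}

if __name__ == "__main__":
    for user, probs in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {'; '.join(probs)}")
```

Run as a script it lists the three failing accounts and their reasons; imported, `check_password` can sit behind a password-change form so the rejection happens when the password is chosen rather than when an auditor finds it. The date and name heuristics are deliberately simple and will miss variants; the deny list is the part that should be fed from real breach data.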
Many times, he doesn't even need to figure out a
password — employees will readily give it to him when asked,
Welch says. It's a ploy known as social engineering and it's one
of the top methods organized crime groups use to steal passwords
and identities from large numbers of unsuspecting people. One ruse
has the thief calling up an employee's direct phone line, pretending
to be a technician fixing the network. After bombarding the employee
with jargon and gobbledygook, the thief asks for a password. It
may sound juvenile, but during a busy workday it might take only
a few calls to find a confused staff member willing to surrender
their password. Forget tech-savvy hackers — these are old-fashioned
con artists.
Ultimately, security leaks are as much a product
of human nature as they are outgrowths of ever-expanding technology,
and as such they can't be patched with quick fixes. Education and
training are the only truly effective, long-term solution, according
to some security experts, and many companies like WISE are offering
employees training on how to pick strong passwords and recognize
the tricks crooks use to procure them.
"You need to have a good password policy, but
once the policy is written the real challenge is disseminating that
information to your employees," Welch says. "E-learning
is not rocket science."
Information security doesn't end with computers
and e-mail. Businesses also need to have strictly outlined and enforced
security policies for handling files and data in general, including
hard copy produced by computer systems. The need for this type of
policy was aptly illustrated by the CIBC fax fiasco. From 2001 to
2004, the bank erroneously sent hundreds of faxes containing confidential
customer information — such as social insurance and bank account
numbers — to several U.S. companies and one company in Dorval,
Que. CIBC noticed the misdirected faxes in 2001 but handled the
problem sloppily, and confidential faxes continued to be sent out until
the matter leaked to the press in 2004, causing a deluge of negative
publicity.
The government's Office of the Privacy Commissioner
concluded afterward that a lack of awareness was the main culprit.
Among other missteps, bank employees simply didn't know that misdirected
faxes with customer information were a serious breach of privacy.
Since then, CIBC has established strict privacy and training policies,
but the case remains a stark reminder of just how much damage careless
data handling can bring to a business when people aren't trained
to prevent it.
"It always comes down to people," Welch
says. "It comes down to the [e-mail] attachment that a person
is opening which they shouldn't open, or giving out information
they shouldn't give out. You have to educate employees, to show
an employee the consequences of leaked documents before they happen."