Just as organisations are relying more on computer-based systems, so the internal risk rises as employees are given greater access to those systems and the data they hold.
A member of staff is leaving, maybe to a rival firm. What if he downloads the company’s list of contacts to use in his new job, or in his own start-up firm? That’s one of the scenarios raised by Adrian Reid, Managing Director at computer forensic investigators DataSec. According to Adrian, current trends include: theft of information (such as databases), sometimes taken by employees; employees being dismissed following access to pornographic websites at work; sending of inappropriate e-mails; unlawful interception of e-mails for commercial gain; sabotage of company technical services; disputes between employer and employee over document authenticity (calling for forensic analysis to compare versions of the same document); and copyright infringement (employers alleging that employees have unlawfully used a computer-generated image or document). But back to databases: Adrian Reid points out that such theft has happened for a long time. It needs to be taken seriously, because investigating a case, and going to court, is not cheap – ‘but undoubtedly it’s cost-effective if you consider the amount of damage that can be inflicted on the victim’. Where there are grounds to believe someone has stolen such information, DataSec advocate a robust approach, working with law firms to seize assets such as a computer that is suspected to hold the stolen data; this computer is handed over to forensic investigators such as DataSec for analysis, seeking to prove that the information seized does belong to the company.
A matter for security or IT?
Adrian says that if you have a suspicion, or there is a high risk, of someone still at work for the firm stealing data, there is nothing to stop you monitoring that individual and restricting their access to databases. That said, for the company to carry out covert monitoring, you must have correct and updated procedures: staff have to know, in their contract or a code of practice, that they may be monitored. If leaving staff are regarded as risks, why not deny them database access? Adrian asks. ‘Yes, it would create staff dissatisfaction, but we are in a time when employers have to weigh up risks and liabilities.’ Is database security a matter for the security manager or the head of IT? Adrian begins his reply by mentioning the Turnbull Report (featured in our March 2001 edition), which requires companies to manage their risks and spell out each year what those business risks are. While responsibility for security policies rests with the security department, Adrian adds that IT is a world ‘where few people in an organisation know lots of knowledge’. Put another way, if your organisation has a director of IT who is the only one in the organisation to understand IT, that organisation might not be aware of any alleged breach of contract by the IT director until things become serious. One way round that may be independent auditing.
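The two measures Adrian describes for leaving staff, monitoring their database activity and restricting their access, can both be driven from a leavers list supplied by HR. The following is an added example written for this page, not code from DataSec or the article: it assumes a hypothetical audit log format in which the database writes one line per query (`<timestamp> user=<id> action=<select|export|delete> table=<name> rows=<n>`), a hypothetical set of sensitive tables, a row-count threshold for what counts as a bulk export, and a constructed leavers list. The log lines are constructed sample data.

```python
"""Added example (not from the article or DataSec): flag suspicious database
activity by staff who have handed in their notice, and deny leavers access
to sensitive tables.

Assumptions (hypothetical): the database writes an audit line per query as
    <ISO timestamp> user=<id> action=<select|export|delete> table=<name> rows=<n>
and HR maintains a list of leavers keyed by user id with their last working day.
"""
from dataclasses import dataclass
from datetime import date
import re

SENSITIVE_TABLES = {"contacts", "customers", "pricing"}  # assumption: tables worth watching
BULK_ROWS = 1000                                          # assumption: threshold for a bulk pull

# Constructed sample: HR leavers list (user id -> last working day)
LEAVERS = {"jsmith": date(2001, 3, 30)}

# Constructed sample audit log (hypothetical format described above)
AUDIT_LOG = """\
2001-03-12T09:14:02 user=aturner action=select table=orders rows=12
2001-03-12T09:20:45 user=jsmith action=select table=contacts rows=1
2001-03-12T17:48:10 user=jsmith action=export table=contacts rows=4800
2001-03-13T10:02:33 user=mlee action=export table=contacts rows=2500
2001-03-13T10:05:00 user=aturner action=select table=pricing rows=3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)


@dataclass
class Alert:
    ts: str
    user: str
    table: str
    rows: int
    reason: str


def parse_line(line):
    """Parse one audit line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rows"] = int(rec["rows"])
    return rec


def is_leaver(user, on=None):
    """True if the user is on the leavers list and, if a date is given, has not yet left."""
    last_day = LEAVERS.get(user)
    if last_day is None:
        return False
    return on is None or on <= last_day


def may_access(user, table):
    """The restriction Adrian suggests: leavers lose access to sensitive tables."""
    return not (is_leaver(user) and table in SENSITIVE_TABLES)


def find_alerts(log_text):
    """Run the monitoring rules over the audit log and return alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in the expected format
        sensitive = rec["table"] in SENSITIVE_TABLES
        bulk = rec["action"] == "export" and rec["rows"] >= BULK_ROWS
        on = date.fromisoformat(rec["ts"][:10])
        if sensitive and is_leaver(rec["user"], on):
            # Any touch of a sensitive table by a leaver is worth a look; a bulk export more so.
            reason = "leaver bulk-exported sensitive table" if bulk else "leaver touched sensitive table"
            alerts.append(Alert(rec["ts"], rec["user"], rec["table"], rec["rows"], reason))
        elif sensitive and bulk:
            # Bulk pulls of sensitive data by anyone are flagged, leaver or not.
            alerts.append(Alert(rec["ts"], rec["user"], rec["table"], rec["rows"],
                                "bulk export of sensitive table"))
    return alerts


if __name__ == "__main__":
    for a in find_alerts(AUDIT_LOG):
        print(f"{a.ts} {a.user} {a.table} rows={a.rows}: {a.reason}")
    print("jsmith may read contacts:", may_access("jsmith", "contacts"))
```

On the constructed log this raises three alerts: both of jsmith’s touches of the contacts table (he is on the leavers list) and mlee’s bulk export of the same table. Note that the rule for leavers is deliberately broader than the bulk-export rule, since a departing employee copying a contact list a page at a time is exactly the case the article describes, and that `may_access` is the enforcement side: it only works if the leavers list is kept current by HR and staff have been told in their contract or code of practice that such monitoring takes place.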
Also, Adrian says, it is important that the security manager understands the basics, without being a programmer or a network engineer, so that he knows whether something to do with IT is achievable or not. In a word, Adrian is calling for security managers to treat IT with the same respect that they treat physical security. Adrian names e-mail as an example. If employees send e-mail in an informal way, it can lead to defamation or harassment in the workplace: to most, an e-mail could be a laugh, but one person might be offended. It’s about good house-keeping.