Protect your information assets... from your own employees!
Worried by hacking attacks on your critical computer network? Can't sleep at night because you fear one day you'll wake up to the prospect of facing a complete stoppage of your computer systems as a result of a threat from outside your organisation?
Well, think again. The major security concern is internal, not external. Yes, fear your employees most, for they could be your biggest threat to your sensitive data!
This is the clear message given at a recent security seminar organised by ICT Solutions, a new Maltese computer solutions company. Speakers from three major international computer security providers delivered presentations on the major threats to a company's computer system and how to handle them effectively, being proactive rather than fire-fighting when it's too late.
Gidon Pely, vice-president for east and south Europe at Cyber-Ark, quoted from a CERT/Secret Service Studies survey that revealed how 86 per cent of insider incidents were perpetrated by people with system administrator access. Half of these people were no longer supposed to have privileged access.
He also reminded everybody about the case of Terry Childs, the 43-year old network engineer at the Department of Telecommunications of San Francisco who quarrelled with the management and just walked out of the job, taking with him all the passwords of the computer network systems. He refused to reveal the passwords, or even to go back to his job, and the city mayor had to beg Mr Childs to resolve the situation as all computer systems controlling key infrastructure and utility services were shutting down one after the other.
Mr Pely gave an overview of Cyber-Ark's patented Vaulting Technology, which created the Digital Vaults solution that secures the data from end-to-end using multiple security layers. This system is highly secured regardless of overall network security.
Ivan Ermakov, security consultant at HP Technology Services began his presentation by quoting security guru Bruce Schneier who said: "Security is a process, not a product". He likened the process to a journey, a transformational journey from reactive asset-based solutions to proactive process-based solutions.
A holistic set of security solutions is needed to enable the adaptive enterprise.
Mr Ermakov then explained the HP Information Security Services Management Approach, citing case studies from real experience.
He mentioned the security challenges associated with customer IT information. Workforce reduction will lead to additional risks in the field of sensitive information leakage. Companies will have to pay large penalties in case of non-compliance with new laws. Furthermore, there is a huge business impact from the recent large Conficker botnet epidemic.
HP offers mission-critical security services, including an annual security assessment service that will help to find weaknesses in a corporate IT security system; regular vulnerability scanning that will help to find weaknesses which could be exploited internally and externally; and making sure there is adherence to information protection laws.
Terry Ninnis, technical director (EMEA) for Agiliance, spoke about "the path to lower-cost, enhanced governance, risk and compliance management (IT-GRC)".
He started by listing the key issues with risk and compliance, and mentioned the unabated growth in regulations and mandates and the ballooning costs, which in the US had reached 3.69 per cent of net income of business organisations in 2007. There is also a shift to sustainable, continuous compliance and risk monitoring, which is required by law in some countries and which puts liability on merchants not compliant at time of breach.
He suggested a three-pronged approach towards a solution to IT-GRC. The first one is to eliminate duplications and redundancies and take a risk-based approach to compliance.
The second prong is to focus on risk matters, as auditors increasingly demand that organisations show an understanding of the risks they face. The third prong is automation, leveraging technology to make things easier and faster.
Mr Ninnis said Agiliance offers RiskVision, a solution that arms companies with an efficient, repeatable and continuous process for IT compliance. It provides complete visibility into current risk status and delivers the accurate intelligence and analytics required to ensure informed business decisions based on risk posture can be made with ease and confidence.
The attendees at this half-day seminar were very attentive to what the speakers had to say, putting forward some pertinent technical questions. However, there was one particular intervention from the floor that struck a chord.
"The wrong people are in the room," commented a top IT executive from one of the large local banks. "Our chief executive officers and the likes should be here because they are the decision-makers."
The same attendee also remarked that economies of scale always work against Maltese companies, and it is hard to justify the cost. He requested that the speakers consider offering special packages that cater for the small size of local companies.
The organisers of the seminar, ICT Solutions, are a new player in the local ICT industry, providing IT and communication systems integration. ICT Solutions is the trading name of ICT Ltd, a joint venture between the Forestals Group, and klf consulting Ltd.