Is Your Biggest Network Security Threat “Who’s Getting In” or “What’s Getting Out”?


It seems that every week there is a story of another high-profile IT network security breach, and attacks are undoubtedly becoming smarter and more sophisticated. But some of the most critical damage to a company’s network security can be done by people on the inside. Security threats posed by company employees can be just as dangerous as outsider attacks.

Last month, the Utah Department of Health (UDOH) announced a security breach involving approximately 6,000 Medicaid patients and their personal data—including names, Medicaid ID numbers, ages, and prescription histories. An employee at Goold Health Systems, a third-party contractor that processes Medicaid pharmacy transactions for the UDOH, transferred the data to a thumb drive, which was subsequently lost. The employee, described as “terrific,” never intended to harm the UDOH or Goold but was fired for her error in judgment because handling the data in that manner is against company policy. The CEO of Goold admitted that it’s possible the employee didn’t know the policy.

This incident and countless other security disasters are attributed to what some call “social threats.” Businesses make significant investments to protect themselves from the threats coming in from the outside—the hackers—but sometimes forget that they need to start by looking within.

Employees can also unknowingly introduce security threats to a company’s network simply by browsing the web and inadvertently clicking on something they shouldn’t, downloading malware onto the network that can ultimately cause trouble. In fact, this year’s Cisco Security Report found that legitimate business and media web sites—often visited for business purposes—are responsible for spreading more malware (through third-party ads) than sites that were previously believed to be more dangerous. In other words, employees may even pick up malware through the course of their day-to-day work activities.

Companies can help protect themselves from insider threats by taking a few simple but extremely important steps:

  • Educate employees. In the case of UDOH, the network security breach may never have occurred if the employee knew that it was against company policy to download patient data to a thumb drive. Companies must take the time to make sure that employees are aware of the threats that are out there, how to avoid them, and what to do if a mistake is made. All new employees should of course be educated, but regular refresher sessions should be held for existing employees as well.
  • Implement a Web Acceptable Use Policy. This policy establishes Internet use restrictions for all employees on the network. How strict the policy needs to be depends on the sensitivity of the information a company stores. Companies should work with a security service provider that allows them a high level of control over Internet security settings.
  • Maintain/obtain visibility into the network. If a security threat is introduced onto the network, it is important to be able to see that threat, stop it, and eradicate it from the network before it’s too late.

Network security remains a top priority for CIOs and IT professionals at companies of all sizes, and for good reason. To know the threats is to protect against them—both externally and internally.