Risk Training

Risktraining.info

Staff Issues

 

Introduction

It is very easy to get overly paranoid about staff in an organisation since they do represent the single biggest security risk. Most crime against an organisation is committed by its own staff and a lot of it goes undetected and unreported.

Most people lie on their CV's (73% of men and 56% of women according to a recent poll). A lot of people steal stationery, use office printers and photocopiers for their own purposes and when not explicitly stopped may well conduct a bit of extra personal or commercial business on the side during work hours.

It is an important balance how you deal with this, a security policy (or staff handbook) should set out clear guidelines, but then again, is someone taking a few postit notes home that bad a thing if they are a generally good worker?

Vetting CV's is a complicated procedure, however, since the time of recruitment is the best time to check out a staff member, it is worth putting a lot of care into this and actually following up references, and if this is a key position, having them checked out by an external company. It is also worthwhile your interviewing staff going on a course on interview techniques to teach them how to sort out some of these CV misrepresentations at the interview.

In the rest of this section, we will look in some detail at various staff related risks.

A false sense of security

This may well be the biggest single danger associated with your staff that a company will face. The problem here is simply the "It won't happen to us" attitude. The problem is, that often it does happen to you, and more often than not, nothing has been prepared to deal with the bad happenings.

Some statistics from a DTI Security Survey in 2000, covering 1000 companies:

30% of companies do not consider their information as sensitive.
60% of companies have suffered a security breach in the last 2 years.
43% of companies have had a serious breach of security
40% of security breaches were caused by user error

Some more figures suggest that by far the vast majority of "hacking" is caused by insiders, that very few companies are in any way prepared for a virus attack and that it is only when vital data is lost that a company may realise how poor its backup strategy (if indeed, they have one) actually is.

The false sense of security (or the Ostrich Approach) to Risk and Security may well work for a while, but in the long term it can cause corporate and financial disaster if not the complete collapse of a company.

Mistakes

From the above statistics, it can be seen that 40% of security breaches were caused by user error. The easiest way of showing how simple mistakes can cause serious problems is to give some examples:

Careless use of data

It is a good idea to not only know what data your company stores, but also to assign some sort of value to all of different types of data. This will naturally lead to far more appreciation as to the value of keeping some or all of your company data safe. It is also a good start for compliance with the Data Protection Act in some circumstances. Again, it is not possible to give a complete list of how data can be used carelessly but a few examples should give some ideas:

Key staff creating knowledge wells

This can be a very severe problem, and when it hits, it can hit quite badly. A common example of this is Mrs Smith, the loyal and long serving Office Manager who, as everyone in the company would tell you is not only worth her weight in gold but she is also the only person in the place who understands how the office systems work and doesn't like anyone to interfere with her own way of doing things.

This is great, until the day that Mrs Smith is run over by a bus, falls ill or runs away to Spain to marry a fisherman. The company has effectively put a good deal of the business operations into the hands of a single person and to make matters worse, this person has insisted on not having her processes documented or passing on the knowledge to other people.

Another rats-nest of knowledge-wells often occur in small technical departments though these are often more deliberate. Commonly some staff will deliberately make their job seem more complicated, avoid documenting systems and processes and basically try and make themselves indispensable to the company. This gives them a great amount of power which really shouldn't be there.

The way around knowledge-wells is to have clear policy on process and systems documentation, have clear training policies and where possible to use well known and industry standard technology. It is also a good idea to occasionally sanity-check system and processes either with an internal committee or with short term external consultants.

General theft

Because your staff have to be trusted to a large degree, theft may well become an issue in your company. Some theft is almost expected such as stationary theft. Staff taking the odd pen, or pack of postits isn't often considered a problem however, staff stealing boxes of black-and-red note pads and selling them at car boot sales is starting to get a lot more serious.

More serious theft is something that all businesses are at risk from but the most common problem is that of assuming your staff won't steal from you. Even a lot of what look like external breakins are often done with internal help. Bad asset control may even cover up a lot of theft so that it is never identified. In one large company an employee was eventually caught receiving new boxed computers, sticking his own address labels on them and posting them straight back out again via the post room. This may have never been spotted since the computers hadn't at this point been entered into any asset tracking systems.

There are no complete answers to stopping theft; but some suggestions may help:

Subtle theft (including telephone usage)

Following on from the obvious forms of theft, there are more subtle areas of theft from a company that may be less easy to spot. One of the most obvious of these is staff using the company telephone system for personal calls. It is a legal requirement to provide an outgoing line for staff but, this can be provided by means of a payphone in a public area. It is definitely a good idea to document the bounds of personal telephone usage in a staffing policy and to monitor usage and make it known that this is happening. A good idea is to present individual staff or departmental managers with itemeised bills each month just to show what is being used.

It is not only telephones that can be abused: Printers, photocopiers, and postal services are equally open to theft of resources and some limits and security should be placed on their usage.

Another often overlooked form of theft is in software and in licenses. When you buy a piece of software, you are only really buying a license to use it and this is the bit that your software asset owner should keep. Often, if a number of software products have been installed, nobody really cares what happens to the licenses or boxes but remember; if this license is taken and sold to someone else, your version of the software then becomes illegal to use.

Lack of training

This is covered elsewhere in a lot of areas, so there is no need for a large section on this. It is sufficient to say here that security training is important and that it is important to teach people about the fundamentals of security as well as just the processes. If you and your staff understand why they are doing things and why things are important then they will be equipped to deal with a wide range of problems and events that may not be covered by just learning standard processes. The events of September 11th have taught us all the importance of good security and risk training and basic awareness training cannot be underestimated in its importance.

Lack of ethical guidance

At first sight ethical training may seem to be a bit pointless, but all sorts of problems can creep into a company if there are not strict and consistent ethical guidelines set. Equally importantly there should be a system of reporting breaches in business ethics and taking action following the event.

Although this sounds somewhat "big brotherish", your staff are only human and sales people will act in a lot of subtle but possibly unfair ways to manipulate them. Even something as simple as a free T-shirt from a supplier may tip the balance in favour of them in a poorly managed tendering process.

After some severe ethical issues within the Hughes Corporation many years ago they were forced to install a group wide ethical programme which is regarded as the finest in the world. To quote from the Hughes Software Systems page:

The Integrity program establishes a strong business ethics practice. The ethics program is well documented and there is an ethics office headed by a Chief Ethics Officer. All new hires are put through an ethics workshop within four weeks of hiring and all employees go through a refresher program every year. There is a strong mechanism for reporting and acting on violations. Strong and swift action is taken to set examples. This has helped HSS to create and maintain an ethical environment for doing business within and outside the company.

Vulnerability to social engineering

This can be a huge problem, and a very difficult one to counter. In many ways people like to be helpful to one another and "social engineering" is preying on that coupled with a degree of innocence about security problems.

Social engineering is a modern term for all sorts of techniques that basically involve lying to people to get information out of them or to get them to do something for you. It's not a particularly clever technique but usually, a very effective one. The people who fall for it will usually tell you that they were trying to be helpful or that the person who asked them to do something seemed to know what they were doing, so they just did it.

Some examples of Social engineering are:

If either of these sound in any way far fetched, then it should be noted that both of these are fairly common and standard methods of attack. The way to counter this form of deception is to train staff in the basics of security. It is not sufficient to teach people what they should do they must also be taught why they are doing it so that they can apply their knowledge to situations that are beyond their normal experience, since these are the situations the social engineer will try and create to do their work.

Software installation

Staff will often treat their work PC as though it is their own property and as such they will personalise it, and install a lot of their own software. The problem is, this software may well carry viruses and Trojan horses that could destroy that machine, spread itself to every other machine in the organisation, spread itself to customers or even provide hackers with easy access to the machines and networks.

Virus scanners will not spot all malicious software, so running one may well give people a false sense of security. Staff apparently rarely take much notice of instructions not to install software; this may be because a lot of things install themselves. CD ROMs may install software when they are put into the drive, email attachments may run software that installs something and web pages may well cause software to be installed. As this is the case, it is always best to try and "lock down" user's machines as tightly as possible to try and stop software installation.

Email usage (Spam mail hoaxes, obscenity and defamation)

There are a number of problems that can occur with email and most of them are easily solved with a bit of user education.

In simple terms, you need to teach staff to be polite, cynical and quiet.

In terms of politeness, it is quite important to teach people that the laws of defamation do apply to email and with the extensions in the Data Protection Act, people may well fall foul of these laws. It is tempting to treat email as "personal correspondence" and there is often a sense that you can say what you want. This is far from the case, legally. See the Legal section for more information.

Spam mail is the Internet term for any sort of mail sent to you to sell you something, to advertise something or just to generally annoy you. It is the equivalent of the letters that flood through letterboxes informing you that you are 3 steps away from winning a billion pounds. However much spam is being blocked, some will still get in. For people unused to receiving Spam the first few months of it can be quite an education. One of the problems with some of the more common hoaxes is that they appear to be addressed personally, and to the recipient, it is far too easy to be fooled into thinking this is just for them. There are lots of hoax mail messages that if people fall for, at the least they may be left feeling silly and at the worse, for example, the email saying it is from someone in Africa who wants to use your bank account to deposit a few million or billian dollars, they may end up kidnapped or dead. It is vital that staff are made aware of spam and hoax emails, how they work and how to spot them.

Finally, it is probably a good idea to teach staff not to overuse the email systems. There is a fine line between overuse and abuse and in the UK the overuse of email systems is getting to such a point that quite a few companies are starting to have whole days where email is not allowed in an attempt to get their staff talking to one another again!

Web usage

There are many problems with web usage, and the limits on this should be set down clearly in a security policy and possibly enforced by the IT department with suitable filtering mechanisms and monitoring of Internet access.

Some common problems are:

Don't get me wrong... There are a lot of good points to having web access... It is after all the biggest library and information source in the world and may save people years of traditional research. It is also a useful way to recruit people and, provided it is not abused, a good way of relaxing a bit and just browsing casually.

Non Work activity (chat systems etc)

Aside from Web access, there are other things to be aware of. Instant messengers such as IRC, ICQ, MSN messenger, AOL's AIM and Yahoo Chat are becoming more and more popular. These allow people to waste away many happy hours chatting to their friends or chatting to groups of people in chat-rooms but whilst they are doing this, they are probably not doing a lot of work.

Whilst chat services are reasonably easy to block technically, there are also more and more ways to get around these blocks, specifically designed so that people can chat from work; this is becoming quite a big thing and a modern security policy should address chat systems and if people are allowed to use them at all then the limits of when this use becomes abuse should be laid down.

Running other businesses

This one may seem a bit odd; but these days is it even easier to run a small business with not a lot more than an Internet connection. These business may range from a bit of freelance web design "on the side" to running a large scale book selling business on Amazon or large amounts of auctions on eBay.

Often these businesses will start in an employee's non-work time but as things get larger, they may well start to interfere more and more with their daily work; there are even some cases of people using the company postrooms to do their shipping and stealing large amounts of stationary for their own businesses.

As well as clear security policy guidelines and disciplinary procedures to deal with this problem, it is a good idea to monitor Internet access and to block some of the more obvious sites (eg: eBay) as well as taking precautions against stationary and postage theft.

Malice

Deliberate malice is a hard problem to deal with. A lot of controls such as training will protect you from your staff accidentally causing damage but when there is a deliberate attempt to cause problems things become more difficult. There aren't many protections against this, the only two really being:

Be aware of the "mood" of your staff. If someone is being malicious there is usually a reason. Are they unhappy in their work? Are they having financial problems that would cause them to be malicious for money? If there are problems then that person should be watched and if required, some limiting actions should be taken.

Make it clear that if any deliberate malice is detected then the matter will be dealt with seriously and the police will be called in. A lot of companies will just silently make somebody redundant but this may cause a lot more problems later in showing people that malicious acts may be tolerated.

Although there are endless acts of malice that can be caused, here is a short but varied selection of ones that have been seen recently.

Background checking

As mentioned in the introduction, a lot of people are now lying on their CV's - There are the results of some recent polls on these two external links: Sometimes, the lies aren't bad but sometimes (and it appears especially in IT) they can be much larger and more "inventive".

If you are employing someone in a position of trust (and in some senses, that includes anybody with access to your computer systems and data) is is especially important that references are followed up carefully and properly from previous companies. If none are provided, then be especially suspicious. Also during the interview process, don't be scared to get somebody in to check their technical skills and don't be scared to question them in some detail about past jobs, asking for references and if they would mind them being contacted from each. You may think you are being overcautious, but when you find out they were sacked from their five previous jobs for hacking you may well find the paranoia was useful.

Far fetched? Not at all - A lot of IT and finance companies will sack people they catch hacking quietly so as not to damage their own reputations. In the worse cases they will even offer a good reference in the hope that they don't say anything. In a recent case a big police investigation into one hacker was ruined when he was employed by the security department of a large telecoms company who didn't bother checking to see that he had been sacked from most of his previous jobs. The police had to arrest him before he caused any major damage at the telecoms company but by doing so ruined their own two year investigation.

Keeping staff happy, paying them enough?

There is a saying that although loyalty cannot be bought, loyalty doesn't put food on the table. However loyal your staff, if they are constantly being reminded that they could be earning a lot more elsewhere then eventually they will probably leave.

These days, especially in IT, it takes very little for someone to post their CV onto a recruitment website and once that happens, they will be the target of headhunters offering them better salaries, relocation bonuses and training.

Staff like being trained, and in the long run, this is good for your company but bear in mind that the staff will often be looking to increase their skills so that they can leave. It is a good idea after any expensive training course to "lock them in" so that if they leave within a given time they will have to pay the cost of the course back.

Keeping staff "happy" is outside the scope if these pages, except to note that a well known media company did this by building a video arcade in the basement of their offices, turned a large number of their staff into video-games addicts and rarely saw them at their desks ever again. As for taking your employees firewalking to promote team spirit, you may want to read this article on Ananova first.

Safety

Fire walking aside, there are a number of safety issues that are closely connected with security. Health and Safety is covered in other pages and courses but there are important additions to be noted. Safety training is every bit as important as security training but the two topics do overlap in some areas and so overlapping some of the training should be considered as well. A selection of things not covered elsewhere that may get you thinking of others are:

And finally...

A lot of this section offers a fairly pessimistic view of the actions of staff. It is in the nature of security to expect the worst and hope for the best and in the vast majority of cases your staff won't be taking liberties, stealing from you, wasting company time or selling the contents of your stationary cupboard at car boot sales every weekend. A good security policy and staff handbook coupled some good training that teaches people why they do things as well as just that they should do them will help enormously.

A final top five bullet points of things from this section:

  1. Your staff may well be your most valuable asset. Train them and look after them.
  2. People will lie to get jobs. The best time to root out the bad ones is during the recruitment process. It is a false economy to skimp at this stage if it costs you a fortune when they turn out to be bad later.
  3. A good security policy and staff handbook protects both you and your staff. Without clear guidelines staff may not be clear of their limits and without clear guidelines, you will have problems during any disciplinary actions against staff for abuse.
  4. Your IT staff may well have access to every bit of data in your company, possibly even more than your senior managers. Remember this one well.
  5. If you pay your front line security staff five pounds an hour then you will get five pounds an hour's worth of front line security.

Finally... During my lectures on this subject I am often accused of representing cleaning staff as the Anti-Christs of the security world. Whilst it is tempting to end with the comment "Well, they are!" in this section, I will avoid doing so.

Risk Training Info. Email: [email protected]
Copyright © 2002 Michael Lawrie. All rights reserved. For more information on using these documents click here.