ZDNet Asia - Where technology means business
Threatened from within
By Lai Ee Na, Special to ZDNet Asia
Tuesday, October 26 2004 12:00 AM

Trojan horses, viruses and Internet worms have been plaguing organizations or threatening to breach their firewalls. It's thus no surprise that companies have focused on quelling external threats, sometimes overlooking the dangers from within.

The 2004 Ernst & Young Global Information Security Survey found that less than 30 percent of the 1,233 organizations worldwide listed training and raising employee awareness of information security issues as a top priority.

This observation was echoed by other security experts.

"We tend to trust the internal users, be they full-time staff or contractors such as consultants. The consultants may bring proprietary data out of the organization in the course of their work, so there should be a policy that requires such information to be taken care of or returned when the project is over," says Ken Williams, director, Computer Associates Technical Services.

Employees, former staff and contractors create vulnerabilities in many ways. For example, when they access their companies' networks from home, their family members may use the same laptop to visit Web sites that contain malicious code.

"We're talking about hundreds of thousands of Web sites embedded with malicious codes," adds Williams.

At the same time, when internal users access their companies' networks from home over a wireless connection, they open the door to unauthorized entry by external parties.

Disgruntled employees may also want to cause damage to their companies, which often fail to revoke former employees' access.

The CSI/FBI 2004 Computer Crime and Security Survey of 269 respondents from US companies and government bodies reported that insider Net abuse and theft of proprietary information amounted to US$10.6 million and US$11.5 million respectively.

In another scenario, business managers or "knowledgeable users" may bring in "rogue devices" such as modems, says Cisco Systems' security consultant, Bernie Trudel.

"Usually they are well-intentioned but have little knowledge of the security implications. The same thing could be said about those people who download 'freeware' on their business machine," he adds.

Be they careless, ignorant or malicious, internal users can be a threat to their workplaces. The Ernst & Young survey found that just 56 percent of respondents in Asia Pacific provide their employees with ongoing training in security and controls. Raising employee information security and training or awareness was ranked eighth for initiatives in 2004.



Keeping focus
What will make more companies focus on such training? For Trudel, running a simulated attack and presenting the results to upper management may do the trick. Pointing to the CSI/FBI annual security survey or the Sarbanes-Oxley Act will justify the need for a bigger security budget, he added.

John Ho Chi, principal of Ernst & Young, believes regulatory incentives have played a part in pushing companies to focus on training internal users. The survey revealed that 13 percent of respondents in Asia Pacific said government security-driven regulations were very effective in lowering data protection risks in their industry and their organization; 38 percent said they were somewhat effective.

Williams reckons that it is when proprietary data is released or stolen that company leaders will take notice. "In a preventative environment, this won't have happened," he says.

Copyright © 2009 CNET Networks, Inc. All rights reserved.  Privacy Policy.