Thursday, September 16, 2010

Employees as Security Threats (Google Fires Engineer For Spying On Users)

The most widespread failing of technical security, including protection of local databases, websites and access to the Internet, has never been technical failure (despite Microsoft taking years and hundreds of millions of dollars of our money to get good at it).

The biggest failing has always been the people involved: the people who can't or won't follow procedures to protect themselves, their companies and their customers from security breaches. The most publicized hacks have come through security negligence at large companies. But most of our day-to-day security breaches involve either a social engineer with a technical background or the failure to follow minimal security standards. The social engineer is able to convince people to give up their passwords and access to their systems to enable the hack. This is often made easier by a lack of security standards.

But by far the toughest security breach to guard against is an insider looking to exploit their knowledge to the detriment of the company or customers.  

This case of a Google employee using his access to do weird things to Google customers highlights the need for companies to have a way to monitor their employees' access at all levels. Kind of like a technical Internal Affairs. We have no way of knowing if Google could have done more to prevent this. But we can use it as a reminder to strengthen our own security procedures.

Larger companies have procedures in place and conduct audits to ensure compliance. Smaller companies simply cannot afford the time or cost of technical audits and must rely on their internal procedures to ensure the safety of company and customer data. 

Breaches by an insider can be devastating for a company - especially when it involves customer data or trade secrets. 

As we move more (or all) of our computing to the Cloud, the most important security measures companies will take will include:
  1. Vetting the security procedures of their Cloud vendors. If the data and applications running in the Cloud are not secure to begin with, the business is in trouble.
  2. Passwords. Yes, passwords. No more everyone in the company using the same password. No more using the daughter's name or birthday as a password. And no more keeping passwords the same indefinitely or rotating the same three.

When data is in the Cloud it's impossible to steal it without a breach at the Cloud vendor or unauthorized access through the business - and that means a password in the wrong hands. 

We can make your data extraordinarily secure, but we can't keep you (or your employees) from giving away the key! 

Visit On-Site Technical Solutions for information on how you can move to Google Apps or other Cloud Computing applications. We can also help you with your mobile computing. You should follow us on Twitter @MHBoys and become a fan on Facebook. Call or text me at 1-949-212-2168.

