Everyday Mistakes In A Firm That Promotes IT Risks
Every day, we feature here on Hackercombat.com stories of failures at various organizations. One way or another, these companies may deny that they are fully responsible for the hacking incidents, and instead often claim only to be victims of cybercriminals.
The following are some sample IT mistakes and examples of management negligence:
- Anyone can use a private computer without permission.
- Important information is available for anyone to view.
- Documents containing important information are stored in the same place as other documents and can easily be discarded by mistake.
- Documents and storage devices (hard disks, etc.) containing important information are discarded without first being wiped or destroyed.
- No storage method has been decided for media containing data, such as USB drives and company laptops.
- No particular procedure has been decided for passing important information to other employees or contractors.
- Documents or data containing important information can routinely be taken out without permission.
Of course, any IT staff member or system admin worth their salt will object to the "freedoms" listed above. However, IT staff are merely the implementers of IT policy; they do not directly create or modify it. The whole picture needs to be evaluated, and the following are the critical factors:
1. Internal factors without malice
These are cases where negligence or carelessness by a company employee leads to information leakage. Specific causes include misplacing or losing a PC or USB memory stick containing company information, mistakes made when sending e-mail, and mismanagement of a PC or smart device. Among internal factors, these non-malicious information leaks have become extremely common in recent years.
2. Malicious internal factors
These are cases where employees inside the company deliberately leak information through criminal acts. Because the malicious party is inside the company, confidential and personal information is easy to access and there are many ways to take it out. Such cases are few in number, but the damage to the company is extremely high.
3. Non-malicious external factors
These are cases where the company suffers an information leak through the negligence of an employee of a partner company, such as a contractor handling outsourced work. The causes are the same as for non-malicious internal factors (misplacement, loss, misuse and mismanagement), although a few cases involve criminals and therefore fall, at least in part, under malicious external factors; the boundary is not a strict one.
4. Malicious external factors
Malicious external factors include cyber attacks by hackers. Because companies have taken measures such as installing a firewall, the absolute number of information disclosures from this cause is small relative to the whole. However, leaks due to external factors are often planned in advance and, when they succeed, lead to serious damage, so adequate countermeasures are necessary.
Corporate systems that handle confidential and customer information vary widely, and each requires its own appropriate measures. Here we describe general measures to prevent information leakage.
1. Network monitoring and system evolution
Against external factors such as cyber-attacks, on the premise that the corporate network is already protected by a firewall, implement system vulnerability checks, 24-hour monitoring for unauthorized access, and regular security audits. The system must keep evolving to counter hackers who make full use of new techniques.
2. Central management of data and access restriction
PCs holding confidential company information can easily cause a leak if they are left behind or lost while out of the office. Managing data centrally and using the PC as a dataless terminal (one that stores no data locally) prevents such problems. As a more realistic method, restricting access to data on a per-user basis is essential.
3. Systems to ensure thorough physical security and compensate for human error
Systems should be developed or introduced to strengthen physical security, such as IC card or fingerprint authentication, surveillance cameras, and prohibiting both bringing in personal PCs and taking PCs out, and to compensate for human error such as sending e-mail to the wrong recipient. At the same time, every stakeholder needs to understand and share why information management must be thorough.