Companies weary of internal security problems

N.Y. Times

The computer supervisor at a Midwestern engine manufacturing company approached his bosses last month and made them an offer they could not refuse. Either they gave him a big raise immediately and agreed to a list of other job demands, or he would shut the company down, according to Erik Thompson, a computer security consultant who was called in to help the firm after the incident.

The employee, Thompson said, got his raise, and yet another company discovered what thousands of businesses have learned the hard way in recent years: Despite justifiable fears about rogue programmers attacking an organization's information systems over the Internet, the greatest threat to a company's data security probably works just down the hall.

"Nobody wants to think that the guy I work with may be a bad guy, my worst nightmare," said Charisse Castagnoli of Internet Security Services Inc., an Atlanta-based consulting company. "If you look at the statistics, though, about 70 percent to 80 percent of security breaches are internal."

According to an informal survey conducted by the Computer Security Institute, an association of corporate data-security officers, for the FBI's International Computer Crime Squad, computer attacks by insiders were more common last year than external, Internet-based attacks. More than 87 percent of the corporate, financial, government and university information-security managers polled by the survey said disgruntled employees were the most likely cause of data security "incidents," ranging from sabotage, fraud and theft of proprietary information to unauthorized snooping in a colleague's e-mail or storing digital pornography on a company computer.

Several different dynamics are increasing the risk of insider fraud or sabotage, security officials said.

Companies increasingly are relying on outside contractors for technical work, and giving those outsiders insider privileges, in part because of a shortage of programmers exacerbated by the work needed to fix "year 2000" programming flaws.

"The Y2K problem is causing a lack of programmers, and people are hiring anybody," said Michael Zboray, a vice president at The Gartner Group in Stamford, Conn., using the industry's acronym for the year 2000 problem. "Companies are now doing Y2K development offshore, sending work to Russia and India, and they haven't a clue as to what's coming back. They don't do background checks. What we're hearing is an undercurrent of back doors being programmed in."

According to the Computer Security Institute, companies employ on average one computer-security administrator for every 1,000 users of the computer system. The budget for computer security, traditionally 1 percent to 3 percent of the total information-technology budgets for many corporations, is expected to rise to 3 percent to 5 percent this year, the institute said.

But, as with the case of the automotive-engine manufacturer, most companies are fearful of adverse publicity and never report internal security breaches, even the most severe ones, to law-enforcement agencies, security analysts contend.

"Most firms would rather go public with the news that their chief executive officer was an active alcoholic than the news that there was an insider security problem," said William Malik, a vice president and research director for Gartner Group.

One notable exception occurred last month when a former computer network administrator for a government subcontractor was arraigned in federal court in New Jersey, charged with having destroyed critical company data in 1996 using a software "logic bomb" that detonated three weeks after he was dismissed from his job. The logic bomb erased all of the engineering programs and files at Omega Engineering Inc. of Bridgeport, N.J. Backup tapes were stolen as well, and losses from the sabotage could eventually cost the company more than $10 million, U.S. Secret Service investigators said.

Speaking to a data-security conference last month, Dan Nielsen, a special agent with the FBI's newly renamed National Infrastructure Protection Agency, said insider attacks are rarely reported, and thus the agency has no reliable estimate of the dollar losses sustained from them. But the tally for the relatively few attacks that were reported in 1996 was $100 million, according to the Computer Security Institute/FBI survey.

Early responses from the 1997 year-end survey indicate a 30 percent rise in reported losses in the past 12 months, said Richard Power, president of the Computer Security Institute. And it appears the percentage of companies reporting computer-security incidents in 1997 will also rise sharply, to more than 60 percent, he said.

Half of the 563 information security professionals responding to the 1996 survey said their organizations had sustained the unauthorized use of systems last year, and among those, insider attacks were reported to be more common than external attacks. The 249 organizations that were able to quantify the losses from all computer attacks reported losses totaling $100 million. The Computer Security Institute is now compiling results from the 1997 survey.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:05:54 PDT