Defending Against the Internal Security Threat

By Dennis McCafferty
March 18, 2004 — (WEB HOST INDUSTRY REVIEW) — When it comes to security breaches, Web hosting companies are in the hot seat, especially if a potential abuser happens to be someone they just hired. After all, placing a new hire in a data center with access to so many client companies and so much information is like hiring a prescription junkie to manage the neighborhood CVS.

Of course, this won’t happen at your shop. Or will it? The issues around hiring and appropriate due diligence are complex. How much is enough? Do you apply the same scrutiny to contractual hires as you do to full-timers? What kind of logon and access policies do you put in place? What level of employee monitoring do you deploy?

With this in mind, WHIR consulted a broad sampling of industry experts. Here are the harsh realities, and the advice they urge Web hosting companies to consider:

Yes, you can be sued based upon what your employee does: Let’s say that after you’ve put your new hire through orientation, given him his biometrically enhanced ID card and shown him the employee volleyball court, he decides to say ‘thank you’ by hacking into your clients’ sites. Nice, huh? And what’s nicer is that your company could end up in as much legal hot water as your new hire. If your background check is found lacking, your company could end up paying a heavy price, in addition to losing customers.

“There is a concept in employment law known as negligent hiring,” says Mark J. Neuberger, a law partner in the Miami office of Buchanan Ingersoll PC (bipc.com) who consults with Web hosting companies on hiring practices. “If a Web host hires an employee who’d have access to a banking client’s account numbers and starts using the information to defraud customers, and the employee recently got out of prison for fraud, the defrauded customers and client can sue the Web host. They can argue that if the Web host had checked, they would have discovered the prior criminal record.” These days, four out of five companies perform pre-employment criminal background checks, according to industry research, up from just over half in 1996.

No, you never really can do too much: At Fayetteville, NC-based host Advanced Internet Technologies Inc. (ait.com), CEO Clarence Briggs is a former Army major, and more than 70 percent of his 130 employees also have military backgrounds. So this operation tends to be a stickler for detail; every candidate hired is put through a considerable screening process. There are background checks, reference calls, a mandatory drug screening – even credit history reports if needed. “Internal threats are ignored at corporate peril,” Briggs says. “Who better to screw up a company’s systems than someone who’s inside? Someone who knows them, and knows potential weaknesses.” In addition, AIT regularly monitors Internet surfing activity, and checks to see if personal e-mail addresses are being used as repositories for sensitive company information. It also employs security guards who physically check the items and belongings of every person entering and exiting the building.

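The check AIT describes, whether personal e-mail accounts are being used as a dump for company data, can be run against an outbound mail gateway log. The script below is an added example written for this article, not AIT’s own tooling: the company domain, the list of personal webmail domains, the log format, the keyword heuristic for sensitive file names and the log lines themselves are all constructed for the illustration.

```python
import re
from collections import defaultdict

# Hypothetical company mail domain and a constructed list of personal webmail
# domains; both are assumptions for this example, not values from the article.
CORPORATE_DOMAIN = "example-host.test"
PERSONAL_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "aol.com"}

# Attachment-name fragments that suggest customer or infrastructure data.
# This is a crude keyword heuristic; a real deployment would classify content.
SENSITIVE_NAME = re.compile(r"customer|client|billing|passw|credential|rack|ipplan|backup", re.I)

# Constructed outbound mail-gateway log lines (not from any real system).
SAMPLE_LOG = """\
2004-03-17T22:14:03 from=jdoe@example-host.test to=jdoe.personal@gmail.com attach=clients_Q1.xls size=482133
2004-03-17T22:15:41 from=jdoe@example-host.test to=jdoe.personal@gmail.com attach=rack_ipplan.csv size=9120
2004-03-18T09:02:10 from=msmith@example-host.test to=support@vendor.test attach=ticket_4471.txt size=2200
2004-03-18T09:30:55 from=msmith@example-host.test to=msmith77@yahoo.com attach= size=0
2004-03-18T11:45:02 from=kwong@example-host.test to=kwong@hotmail.com attach=customer_billing_export.zip size=20211555
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) attach=(?P<attach>\S*) size=(?P<size>\d+)$"
)


def parse_line(line):
    """Parse one gateway log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["size"] = int(event["size"])
    return event


def mail_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def find_personal_repositories(log_text, min_size=1):
    """Group outbound messages that carry an attachment from a corporate sender
    to a personal webmail address, keyed by sender. Messages without an
    attachment (or below min_size bytes) are ignored so that ordinary chatter
    with one's own account does not drown out actual file movement."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        if mail_domain(event["sender"]) != CORPORATE_DOMAIN:
            continue
        if mail_domain(event["rcpt"]) not in PERSONAL_MAIL_DOMAINS:
            continue
        if not event["attach"] or event["size"] < min_size:
            continue
        event["sensitive_name"] = bool(SENSITIVE_NAME.search(event["attach"]))
        hits[event["sender"]].append(event)
    return dict(hits)


def rank_senders(hits):
    """Return (sender, attachment_count, total_bytes, any_sensitive_name) tuples,
    highest-risk first: senders with sensitive-looking file names before the
    rest, then by total bytes moved."""
    rows = [
        (sender, len(events), sum(e["size"] for e in events),
         any(e["sensitive_name"] for e in events))
        for sender, events in hits.items()
    ]
    rows.sort(key=lambda r: (r[3], r[2]), reverse=True)
    return rows


if __name__ == "__main__":
    for sender, count, total, sensitive in rank_senders(find_personal_repositories(SAMPLE_LOG)):
        flag = "SENSITIVE-NAME" if sensitive else ""
        print(f"{sender}: {count} attachment(s), {total} bytes to personal mail {flag}")
```

The filename heuristic only triages; the volume ranking is what catches the employee who renames files before sending them. Raising `min_size` drops the small files and leaves only bulk exports, which is usually the first report worth reading.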
Get IT people in on the interviewing process: The interview should hardly begin and end at the HR level. If it’s IT you’re hiring, it’s IT people you need in on the process. They’re the ones who can ask the right questions about a candidate’s background, education, training and prior work experience, Neuberger says. Your IT people are best positioned to sniff out any claims that don’t pass the smell test.

The contractual hire is potentially just as troublesome as the full-time newcomer: A bad hire is a bad hire, contractual or full-time. Either way, they can cause as much damage to a Web host as Janet Jackson (a temporary hire, for certain) did to CBS, MTV and the NFL during the Super Bowl. A Web hosting company has potentially the same kind of reach – and responsibility. “The same exposure exists,” says Richard Seldon, president of New York-based Sterling Testing Systems Inc. (sterlingtesting.com), which conducts pre-hiring screening for Web hosts and other IT and non-IT based companies. “The mindset that a Web host must have is this: ‘If we ever have to go to a judge and jury and explain our hiring practices, is what we’re doing considered fair and reasonable within our industry?’ In other words, you need to make the case that, if something bad happens, you did everything you could to screen your employees, whether contractual or full-time, and that the event could not be foreseen or otherwise linked to negligence on your part.”

Briggs also looks to see if the contractual candidate has worked for multiple IT companies. “Who is to say that someone who’s been with Company A didn’t share intelligence with Company B or C,” he says. “A bit of healthy suspicion can go a long way toward minimizing a company’s exposure.”

Simple steps can go a long way: Reference checking is crucial, just as much today as it was 200 years ago. But these days you have more tools on hand to do so. “Checking someone’s background can be as easy as a Google search,” Neuberger says. “You’d be amazed at what turns up. And it’s useful information, because, these days, employees making less than $100,000 a year have the power to destroy a Web hosting operation.” Also, avoid the applicant’s current or past HR department, where contacts have no ‘real’ experience with the applicant and, besides, aren’t likely to tell you anything worthwhile. Indeed, many are, by policy, trained to confirm only the applicant’s dates of employment, fearing legal liability if they say anything else. Instead, do a little Web surfing or phone sleuthing to track down the line supervisors – or even the applicant’s co-workers. They worked with the applicant, and will likely give more solid skinny on what he or she is like.

Understand the limitations of deploying a single, isolated technology: Biometric systems are the security flavor of the month, but, like many technologies, they’re hardly a be-all and end-all solution. Instead, they need to be incorporated into a broader plan, one that involves real, live human beings as well as other techno-tools. “Biometric systems can be useful for security purposes, but there are limitations,” says Troy Smith, senior vice president and IT security consulting practice leader at New York-based Marsh Inc. (marshriskconsulting.com), which consults with hosts and other companies on security risks. “They are only effective if the people who are monitoring and managing them are well trained and conscientious. And they need to be integrated with the rest of the security infrastructure, such as tilt/pan/zoom cameras, guard station consoles and HR systems, among other needs.”

Consider limiting the 24/7, everywhere, anywhere access to your shop: With laptops, wireless networks, home computers on high-speed Internet connections, personal digital assistants and pocket devices, tech employees are given complete and total access to their workplaces because of real-time demand pressures. “The thought that one lone employee has the ability to control the entire hosting operation from the basement of his or her home should give management pause for concern,” Neuberger says. “Frequently, because of the need for hosting to be around the clock, companies actually make the problem worse by enhancing the ability of the employee to work remotely. An obvious solution is simply to require that all fixes to the system be performed at the company’s facility, where additional layers of security like access control, visitor logs, or the fact that other people are there watching will check the actions of a potential rogue hosting employee.”
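A policy that production changes happen only from the facility is only as good as the check that someone is watching for exceptions. The script below is an added example, not anything from the article or from Neuberger’s practice: it reads sshd-style “Accepted” lines and reports every successful login by a privileged account whose source address lies outside the on-site networks, noting when the login also fell outside staffed hours or used a password instead of a key. The subnets, account names, staffed window and log lines are all constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Assumed on-site networks (data-center management LAN and office LAN) and the
# accounts allowed to change production. All constructed for this example.
ONSITE_NETS = [ipaddress.ip_network("10.10.0.0/16"), ipaddress.ip_network("192.168.50.0/24")]
PRIVILEGED_USERS = {"root", "netops", "dbadmin"}
# Assumed staffed window; logins outside it get an extra flag for review.
STAFFED_HOURS = range(8, 18)

# Constructed sshd-style auth log lines (not from a real host).
SAMPLE_AUTH = """\
Mar 18 02:12:44 web07 sshd[2211]: Accepted publickey for netops from 203.0.113.45 port 51822 ssh2
Mar 18 02:13:01 web07 sudo: netops : TTY=pts/0 ; PWD=/home/netops ; USER=root ; COMMAND=/sbin/service httpd restart
Mar 18 09:05:12 web07 sshd[2390]: Accepted publickey for netops from 10.10.4.21 port 40211 ssh2
Mar 18 09:30:00 web07 sshd[2401]: Accepted password for jsmith from 198.51.100.8 port 33120 ssh2
Mar 18 14:41:09 web07 sshd[2510]: Accepted publickey for dbadmin from 192.168.50.17 port 50100 ssh2
"""

ACCEPTED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def is_onsite(src):
    """True if src parses as an address inside one of the on-site networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparseable source is treated as off-site, never trusted
    return any(addr in net for net in ONSITE_NETS)


def parse_accepted(line):
    """Parse an sshd 'Accepted' line; other lines (sudo, failures) return None."""
    m = ACCEPTED_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["hour"] = datetime.strptime(ev["time"], "%H:%M:%S").hour
    return ev


def audit_privileged_logins(log_text):
    """One finding per successful login by a privileged account from outside
    the on-site networks. Non-privileged users and on-site logins are skipped."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_accepted(line)
        if ev is None or ev["user"] not in PRIVILEGED_USERS:
            continue
        if is_onsite(ev["src"]):
            continue
        findings.append({
            "user": ev["user"],
            "src": ev["src"],
            "host": ev["host"],
            "when": f'{ev["mon"]} {ev["day"]} {ev["time"]}',
            "off_hours": ev["hour"] not in STAFFED_HOURS,
            "password_auth": ev["method"] == "password",
        })
    return findings


if __name__ == "__main__":
    for f in audit_privileged_logins(SAMPLE_AUTH):
        extra = []
        if f["off_hours"]:
            extra.append("off-hours")
        if f["password_auth"]:
            extra.append("password auth")
        print(f'{f["when"]} {f["host"]}: privileged login for {f["user"]} '
              f'from off-site {f["src"]} ' + ", ".join(extra))
```

Detection like this is the backstop; the same address lists belong in the preventive control too, so that a privileged account cannot log in from off-site in the first place and the audit only ever reports the exceptions someone deliberately granted.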