Defending Against the Internal Security Threat

By Dennis McCafferty

March 18, 2004 — (WEB HOST INDUSTRY REVIEW) — When it comes to security breaches, Web hosting companies are in the hot seat – especially if a potential abuser happens to be someone they just hired. After all, placing a new hire in a data center with access to so many client companies and so much information is like hiring a prescription junkie to manage the neighborhood CVS.

Of course, this won’t happen at your shop. Or will it? The issues of hiring and appropriate due diligence are complex. How much is enough? Do you apply the same scrutiny to contractual hires as you do to full-timers? What kind of logon and access policies do you put in place? What level of employee monitoring do you deploy?

With this in mind, WHIR consulted a broad sampling of industry experts. Here are the harsh realities, and the advice they urge Web hosting companies to consider:

Yes, you can be sued based upon what your employee does: Let’s say that after you’ve put your new hire through orientation, given him his biometrically enhanced ID card and shown him the employee volleyball court, he decides to say ‘thank you’ by hacking into your clients’ sites. Nice, huh? And what’s nicer is that your company could end up in as much legal hot water as your new hire. If your background check is found lacking, your company could end up paying a heavy price, in addition to losing customers.

“There is a concept in employment law known as negligent hiring,” says Mark J. Neuberger, a law partner in the Miami office of Buchanan Ingersoll PC (bipc.com) who consults with Web hosting companies on hiring practices. “If a Web host hires an employee who’d have access to a banking client’s account numbers and starts using the information to defraud customers, and the employee recently got out of prison for fraud, the defrauded customers and client can sue the Web host. They can argue that if the Web host had checked, they would have discovered the prior criminal record.” These days, four out of five companies perform pre-employment criminal background checks, according to industry research, up from just over half in 1996.

No, you never really can do too much: At Fayetteville, NC-based host Advanced Internet Technologies Inc. (ait.com), CEO Clarence Briggs is a former Army major, and more than 70 percent of his 130 employees also have military backgrounds. So this operation tends to be a stickler for detail; every candidate hired is put through a considerable screening process. There are background checks, reference calls, a mandatory drug screening – even credit history reports if needed. “Internal threats are ignored at corporate peril,” Briggs says. “Who better to screw up a company’s systems than someone who’s inside? Someone who knows them, and knows potential weaknesses.” In addition, AIT regularly monitors Internet surfing activity, and checks to see whether personal e-mail addresses are being used as repositories for sensitive company information. It also employs security guards who physically check the belongings of every person entering and exiting the building.

Get IT people in on the interviewing process: The interview should hardly begin and end at the HR level. If it’s IT you’re hiring, it’s IT people you need in on the process. They’re the ones who can ask the right questions about a candidate’s background, education, training and prior work experience, Neuberger says. Your IT people are in the best position to sniff out any claims that don’t pass the smell test.

The contractual hire is potentially just as troublesome as the full-time newcomer: A bad hire is a bad hire, contractual or full-time. Either way, they can cause as much damage to a Web host as Janet Jackson (a temporary hire, for certain) did to CBS, MTV and the NFL during the Super Bowl. A Web hosting company has potentially the same kind of reach – and responsibility. “The same exposure exists,” says Richard Seldon, president of New York-based Sterling Testing Systems Inc. (sterlingtesting.com), which conducts pre-hiring screening for Web hosts and other IT and non-IT companies. “The mindset that a Web host must have is this: ‘If we ever have to go to a judge and jury and explain our hiring practices, is what we’re doing considered fair and reasonable within our industry?’ In other words, you need to make the case that, if something bad happens, you did everything you could to screen your employees, whether contractual or full-time, and that the event could not be foreseen or otherwise linked to negligence on your part.”

Briggs also looks to see if the contractual candidate has worked for multiple IT companies. “Who is to say that someone who’s been with Company A didn’t share intelligence with Company B or C?” he says. “A bit of healthy suspicion can go a long way toward minimizing a company’s exposure.”

Simple steps can go a long way: Reference checking is as crucial today as it was 200 years ago. But these days you have more tools on hand to do it. “Checking someone’s background can be as easy as a Google search,” Neuberger says. “You’d be amazed at what turns up. And it’s useful information, because, these days, employees making less than $100,000 a year have the power to destroy a Web hosting operation.” Also, avoid the applicant’s current or past HR department, where contacts have no ‘real’ experience with the applicant and, besides, aren’t likely to tell you anything worthwhile. Indeed, many are, by policy, trained only to confirm the applicant’s dates of employment, fearing legal liability if they say anything else. Instead, do a little Web surfing or phone sleuthing to track down the line supervisors – or even the applicant’s co-workers. They worked with the applicant, and will likely give you a more solid account of what he or she is like.

Understand the limitations of deploying a single, isolated technology: Biometrics is the security flavor of the month, but, like many technologies, it is hardly a be-all and end-all solution. Instead, it needs to be incorporated into a broader plan – one that involves real, live human beings as well as other techno-tools. “Biometric systems can be useful for security purposes, but there are limitations,” says Troy Smith, senior vice president and IT security consulting practice leader at New York-based Marsh Inc. (marshriskconsulting.com), which consults with hosts and other companies on security risks. “They are only effective if the people who are monitoring and managing them are well trained and conscientious. And they need to be integrated with the rest of the security infrastructure, such as tilt/pan/zoom cameras, guard station consoles and HR systems, among other needs.”

Consider limiting the 24/7, everywhere, anywhere access to your shop: With laptops, wireless networks, home computers with high-speed Internet connections, personal digital assistants and pocket devices, tech employees are given complete and total access to their workplaces because of real-time demand pressures. “The thought that one lone employee has the ability to control the entire hosting operation from the basement of his or her home should give management pause for concern,” Neuberger says. “Frequently, because of the need for hosting to be around the clock, companies actually make the problem worse by enhancing the ability of the employee to work remotely. An obvious solution is simply to require that all fixes to the system be performed at the company’s facility, where additional layers of security like access control, visitor logs, or the fact that other people are there watching will check the actions of a potential rogue hosting employee.”
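The on-site-only rule Neuberger describes needs two things a hosting company can actually operate: a control that refuses privileged logins from outside the facility, and an audit that catches the exceptions. The Python below is an added example, not code from the article or from any of the companies it quotes. The facility address ranges, the administrator account names and the auth log lines are constructed for the illustration; the sshd_config fragment it renders is an assumption to verify on a real host rather than a setting taken from the page.

```python
"""Audit and enforce an "administrative changes happen on-site" rule.

Added illustration for the remote-access advice above; not code from the
original article or from the companies it quotes. Network ranges,
account names and log lines are constructed assumptions.
"""
import ipaddress
import re

# Assumption: the data center floor and the NOC sit on these ranges.
ON_SITE_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),     # hypothetical facility LAN
    ipaddress.ip_network("192.168.50.0/24"),  # hypothetical NOC VLAN
]

# Assumption: accounts that can change customer systems.
PRIVILEGED_USERS = ("root", "ops-admin")

# OpenSSH "Accepted <method> for <user> from <ip> port <n>" log lines.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample auth log: two on-site admin logins, one admin login
# from an outside address, one unprivileged login, one failed attempt.
SAMPLE_LOG = """\
Mar 18 02:14:07 host1 sshd[4101]: Accepted publickey for ops-admin from 10.20.3.44 port 51522 ssh2
Mar 18 02:31:55 host1 sshd[4188]: Accepted publickey for root from 203.0.113.17 port 40011 ssh2
Mar 18 09:02:13 host1 sshd[5021]: Accepted password for webuser from 198.51.100.9 port 33022 ssh2
Mar 18 09:10:41 host1 sshd[5077]: Accepted publickey for ops-admin from 192.168.50.8 port 49130 ssh2
Mar 18 23:58:20 host1 sshd[6610]: Failed password for root from 203.0.113.17 port 40012 ssh2
"""


def is_on_site(ip_text):
    """True if the address falls inside one of the facility ranges.

    Anything that does not parse as an address counts as off-site, so a
    malformed or tampered field can never pass as an on-site source.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in ON_SITE_NETWORKS)


def parse_logins(log_text):
    """Yield (timestamp, user, ip) for each successful sshd login line."""
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield m.group("ts"), m.group("user"), m.group("ip")


def find_offsite_admin_logins(log_text):
    """Return privileged logins that did not originate inside the facility.

    Each hit is either an approved exception or something to investigate;
    on a host where the sshd rule below is in force the list should be empty.
    """
    return [
        (ts, user, ip)
        for ts, user, ip in parse_logins(log_text)
        if user in PRIVILEGED_USERS and not is_on_site(ip)
    ]


def render_sshd_restriction():
    """Render an sshd_config Match block that denies the privileged accounts
    from any source address outside the on-site ranges.

    Built on the sshd_config(5) Match semantics: a negated CIDR entry that
    matches the client address makes the block not apply, and the trailing
    0.0.0.0/0 and ::/0 entries make every other IPv4 or IPv6 source match.
    This is an assumption for the example; confirm the effective settings on
    a real host with something like `sshd -T -C user=root,addr=203.0.113.17`.
    """
    exceptions = ",".join("!%s" % net for net in ON_SITE_NETWORKS)
    return "\n".join([
        "Match User %s Address %s,0.0.0.0/0,::/0"
        % (",".join(PRIVILEGED_USERS), exceptions),
        "    DenyUsers %s" % " ".join(PRIVILEGED_USERS),
    ])


if __name__ == "__main__":
    for ts, user, ip in find_offsite_admin_logins(SAMPLE_LOG):
        print("OFF-SITE ADMIN LOGIN %s %s from %s" % (ts, user, ip))
    print(render_sshd_restriction())
```

Run against the sample log, the audit reports only the 02:31 root login from 203.0.113.17: the two ops-admin sessions came from facility ranges, webuser is not a privileged account, and the failed attempt never produced an "Accepted" line. The Match block is the enforcing half of the same policy; feeding the audit with the real auth logs afterwards is how you confirm the rule is actually holding, and how you spot the administrator who found a way around it.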
