Users are the weakest link, security experts warn

Computerworld - Companies that would have trouble compiling a list of their networks' users and detailing the level of access that those users have don't know who is on their network and are sitting ducks for cybersabotage, a group of industry experts said today.

Weak user passwords, inconsistent policy enforcement and lackadaisical user access management have made corporate network users the No. 1 cyberthreat to sensitive business data, said experts during a live webcast today sponsored by Irvine, Calif.-based Access360, a company that specializes in resource-provisioning management.

"The user, while juggling even more IDs and passwords in today's environment, continues to be the weakest link," said Mark Ford, an analyst at the Secure eBusiness Group at Deloitte & Touche LLP in New York. "We must gain control of the weakest link before we end up in an identity crisis."

For example, dormant user accounts and accounts belonging to users who are no longer employed by a company are "the classic problem for cybersabotage," said Brian Anderson, chief marketing officer at Access360. "Those are the equivalent of locking the door but leaving the window open."

10 Steps to Prevent Cybersabotage 1. Act, don't react. Establish a reliable system for assigning access rights for critical company data resources. 2. Identify dormant user IDs and orphaned accounts. 3. Automate communications between IT, human resources and other departments. Link all who are responsible for granting access rights in departments. 4. Define "need to know." You can't assume that everybody should have access to everything. 5. Don't forget the sharing factor. Passwords get passed around. 6. Reset passwords regularly. 7. Make nondisclosure policies routine. These contracts should be brought to the attention of employees and business partners once a year. 8. Suspend terminated IDs. 9. Reconcile active IDs with reality. 10. Operate out of opportunity rather than fear. Source: Access360, Irvine, Calif.

The problem, said Mike Hager, vice president of Network Security and Disaster Recovery at New York-based Oppenheimer Funds Inc., is that corporations have spent about 80% of their security dollars to protect against outside threats when, in fact, 80% of all attacks come from the inside. The misdirection of resources has led to misperceptions about cyberthreats among senior executives, said Hager. "If we don't educate senior management about what the real threats are [then] we don't get support from them," said Hager. "That's the No. 1 threat."