Defending Against the Internal Security Threat
By Dennis McCafferty
March 18, 2004 -- (WEB HOST INDUSTRY REVIEW) -- When it comes to security breaches, Web hosting companies are in the hot seat - especially if a potential abuser happens to be someone they just hired. After all, placing them in a data center with access to so many client companies with so much information, well, it's like hiring a prescription junkie to manage the neighborhood CVS.
Of course, this won't happen at your shop. Or will it? The issues over hiring and appropriate due diligence are complex. How much is enough? Do you bear the same scrutiny for contractual hires as you do full-timers? What kind of logging on/access policies do you incorporate? What level of employee monitoring do you deploy?
With this in mind, WHIR consulted with a broad sampling of industry experts. Here are the harsh realities, and the advice they urge Web hosting companies to consider:
Yes, you can be sued based upon what your employee does. Let's say that after you've put your new hire through orientation, given him his biometrically enhanced ID card and showed him the employee volleyball court, he decides to say 'thank you' by hacking into your clients' sites. Nice, huh? And what's nicer is that your company could end up in as much legal hot water as your new hire. If your background check is found lacking, your company could end up paying a heavy price, in addition to losing customers.
"There is a concept in employment law known as negligent hiring," says Mark J. Neuberger, a law partner in the Miami office of Buchanan Ingersoll PC (bipc.com) who consults with Web hosting companies on hiring practices. "If a Web host hires an employee who'd have access to a banking client's account numbers and starts using the information to defraud customers, and the employee recently got out of prison for fraud, the defrauded customers and client can sue the Web host. They can argue that if the Web host had checked, they would have discovered the prior criminal record." These days, four out of five companies perform pre-employment criminal background checks, according to industry research, up from just over half in 1996.
No, you never really can do too much: At Fayetteville, NC-based host Advanced Internet Technologies Inc. (ait.com), CEO Clarence Briggs is a former Army major, and more than 70 percent of his 130 employees also have military backgrounds. So this operation tends to be a stickler for detail; every candidate hired is put through a considerable screening process. There are background checks, reference calls, a mandatory drug screening - even credit history reports if needed. "Internal threats are ignored at corporate peril," Briggs says. "Who better to screw up a company's systems than someone who's inside? Someone who knows them, and knows potential weaknesses." In addition, AIT regularly monitors Internet surfing activity, and checks to see if personal e-mail addresses are being used as repositories for sensitive company information. It also employs security guards who physically check the items and belongings of every person entering and exiting the building.
Get IT people in on the interviewing process: The interview should hardly begin and end at the HR-level. If it's IT you're hiring, it's IT people you need in on the process. They're the ones who can ask the right questions about a candidate's background, education, training and prior work experience, Neuberger says. It's your IT people who are best in position to sniff out any claims that don't pass the smell test.
The contractual hire is potentially just as troublesome as the full-time newcomer: A bad hire is a bad hire, contractual or full-time. Either way, they can cause as much damage to a Web host as Janet Jackson (a temporary hire, for certain) did to CBS, MTV and the NFL during the Super Bowl. A Web hosting company has potentially the same kind of reach - and responsibility. "The same exposure exists," says Richard Seldon, president of New York-based Sterling Testing Systems Inc. (sterlingtesting.com), which conducts pre-hiring screening for Web hosts and other IT and non-IT based companies. "The mindset that a Web host must have is this: 'If we ever have to go to a judge and jury and explain our hiring practices, is what we're doing considered fair and reasonable within our industry?' In other words, you need to make the case that, if something bad happens, you did everything you could to screen your employees, whether contractual or full-time, and that the event could not be foreseen or otherwise linked to negligence on your part."
Briggs also looks to see if the contractual candidate has worked for multiple IT companies. "Who is to say that someone who's been with Company A didn't share intelligence with Company B or C," he says. "A bit of healthy suspicion can go a long way toward minimizing a company's exposure."
Simple steps can go a long way: Reference checking is crucial, just as much today as it was 200 years ago. But, these days, you have more tools on hand to do it. "Checking someone's background can be as easy as a Google search," Neuberger says. "You'd be amazed at what turns up. And it's useful information, because, these days, employees making less than $100,000 a year have the power to destroy a Web hosting operation." Also, avoid the applicant's current or past HR department, where contacts have no 'real' experience with the applicant and, besides, aren't likely to tell you anything worthwhile. Indeed, many are, by policy, trained to only confirm the applicant's dates of employment, fearing legal liability if they say anything else. Instead, do a little Web surfing or phone sleuthing to track down the line supervisors - or even the applicant's co-workers. They worked with the applicant, and will likely give you the more solid skinny on what he or she is like.
Understand the limitations of deploying a single, isolated technology: Biometrics is the security flavor of the month, but, like many technologies, it is hardly a "be all, end all" solution. Instead, it needs to be incorporated into a broader plan - one that involves real, live human beings as well as other techno-tools. "Biometric systems can be useful for security purposes, but there are limitations," says Troy Smith, senior vice president and IT security consulting practice leader from New York-based Marsh Inc. (marshriskconsulting.com), which consults with hosts and other companies on security risks. "They are only effective if the people who are monitoring and managing them are well trained and conscientious. And they need to be integrated with the rest of the security infrastructure, such as tilt/pan/zoom cameras, guard station consoles and HR systems, among other needs."
Consider limiting the 24/7, everywhere, anywhere access to your shop: With laptops, wireless networks, home computers with high-speed internet connections, personal digital assistants and pocket devices, tech employees are given complete and total access to their workplaces because of the real-time demand pressures. "The thought that one lone employee has the ability to control the entire hosting operation from the basement of his or her home should give management pause for concern," Neuberger says. "Frequently, because of the need for hosting to be around the clock, companies actually make the problem worse by enhancing the ability of the employee to work remotely. An obvious solution is simply to require that all fixes to the system be performed at the company's facility, where additional layers of security like access control, visitor logs, or the fact that other people are there watching will check the actions of a potential rogue hosting employee."
thewhir.com