How vulnerable is your intranet to an outside attack? What is the potential damage to the company if your intranet is hacked?

 

If you don’t know the answer to those two questions, which could be posed at any time from either your CIO, CFO or Chief Legal Counsel, you’d better get cracking on the answers.

 

“Security risk assessment and security risk management have become vital tasks for security officers and IT managers,” says Caleb Sima, founder and CTO of SPI Dynamics, in his article Security Risk Assessment in Web Application Security. “Corporations face increased levels of risk almost daily: from software vulnerabilities hidden in their business-technology systems to hackers and cyber crooks trying to steal proprietary corporate intellectual property, including sensitive customer information.”

 

Actually, the potential risks and threats to your organization are likely much higher than you expect: enough to keep the CIO, CFO and CEO up at night biting their nails, wondering how to handle the potential PR disaster.

 

Of the 556 executives interviewed in a recent Fusepoint/Sun Microsystems/Leger Marketing survey, 55% say that their confidential and private data is at risk of an attack. 55% say their confidential data is at risk!! Good lord!! This despite the fact that most consumers (58%) would immediately terminate their relationship with a company that compromised their personal information.

 

A recent survey reveals that business leaders believe the greatest threat is not from a malicious external attack, but rather from the hands of an uninformed employee. The research showed that 46 percent of respondents said that employees who accidentally download security-compromising viruses, spyware or adware pose a greater data security risk to a company than external agents like hackers, cited next at 40 percent.

 

Caleb Sima offers the following equation for measuring and assessing your organization’s potential risk:

 

Risk = Value of the Asset x Severity of the Vulnerability x Likelihood of an Attack

 

“In this equation, you can provide a weighting of 1-10 (10 being the most severe or highest) for each risk factor. By multiplying the factors, it’s easy to arrive at an aggregate security risk assessment for any asset. Let’s take an everyday example: we have an e-commerce server that performs 40 percent of all customer transactions for the organization, and it has a very severe and easy-to-exploit vulnerability: E-commerce Server Risk = 10 (Value of the Asset) x 10 (Severity of the Vulnerability) x 10 (Likelihood of an Attack).”

 

Fortunately, according to Sima’s calculation, the intranet is at a lower risk from an outside attack:

 

Intranet Server Risk = 2 (Value of the Asset) x 8 (Severity of the Vulnerability) x 6 (Likelihood of an Attack). The Intranet Server Risk = 96, a lower security risk assessment ranking.
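To show how the three-factor product behaves across a whole asset register rather than one server at a time, here is an added Python example (not from the original article or from Sima). It enforces the 1-10 weighting on each factor, which is an assumption about how the scale should be applied; the first two assets are the page’s own worked examples and the third is a constructed placeholder.

```python
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 10  # Sima's 1-10 weighting for each risk factor


@dataclass(frozen=True)
class Asset:
    name: str
    value: int        # Value of the Asset
    severity: int     # Severity of the Vulnerability
    likelihood: int   # Likelihood of an Attack


def _check(factor: str, weight: int) -> int:
    # Assumption: a factor outside 1-10 is a data-entry error, not a valid score.
    if not isinstance(weight, int) or not SCALE_MIN <= weight <= SCALE_MAX:
        raise ValueError(f"{factor} must be an integer in {SCALE_MIN}-{SCALE_MAX}, got {weight!r}")
    return weight


def risk_score(asset: Asset) -> int:
    """Risk = Value x Severity x Likelihood, so the score always lies in 1..1000."""
    return (_check("value", asset.value)
            * _check("severity", asset.severity)
            * _check("likelihood", asset.likelihood))


def rank_assets(assets):
    """Return (asset, score) pairs, highest risk first: a simple remediation queue."""
    scored = [(asset, risk_score(asset)) for asset in assets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed register: the e-commerce and intranet rows reproduce the page's
# examples (1000 and 96); the HR forms row is a hypothetical third asset.
REGISTER = [
    Asset("e-commerce server", value=10, severity=10, likelihood=10),
    Asset("intranet server", value=2, severity=8, likelihood=6),
    Asset("HR forms site (hypothetical)", value=7, severity=6, likelihood=5),
]

if __name__ == "__main__":
    for asset, score in rank_assets(REGISTER):
        print(f"{score:5d}  {asset.name}")
```

Because the factors multiply, a low asset value pulls the intranet score down even though its vulnerability severity (8) is close to the e-commerce server’s; that is exactly the weighting the article’s later point about insider threat invites you to question.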

 

However, when assessing the risk or threat to your intranet, an outside attack is not your biggest threat. Your employees are your biggest threat.

 

“Although media and management attention is focused on protecting external-facing sites from security threats, identity theft and other online vulnerabilities, intranets should not be overlooked,” writes Peter McKay, CEO of Watchfire, in a recent Federal Times article, When securing information, don’t overlook intranet. “These sites can easily be compromised, and government IT executives are now realizing the need to expand security and privacy practices to agency intranets.”

 

If you’re a communicator, HR or marketing person responsible for the intranet, then you need to ask the right questions of your IT department. First and foremost is understanding what you have, what is available to a wider audience, and what is specifically being done to secure it.

 

To better secure your intranet, McKay makes several recommendations:

 

·    Conduct an inventory of internal Web properties to better understand the Web environment. Knowing how many sites and servers you have, the technologies in use, and the technology policies and standards your agency employs will create a more secure and productive intranet environment.

·    Scan your intranet with an automated solution to identify vulnerable areas, including forms that may be inconsistent with internal privacy policies or may lead to information leaks.

·    Understand what employee and citizen information is being collected and published on the Internet and intranet. The intranet is used to publish sensitive information, including human resources forms and employee health care information. Full knowledge of all online data-collection methods is critical to effectively managing Web privacy.

·    Understand exactly who has access to this sensitive information. Proper technology and security controls will allow employees to see only the information required to do their jobs. Often, contractors are granted access without careful consideration for all the information they may have access to.

·    Consider applicable security, privacy and accessibility legislation such as the 2002 Federal Information Security Management Act, the 2002 E-Government Act and the 1998 Rehabilitation Act amendments.

 
