Tougher Times Ahead

Economic downturn may lead to increased security risks

• By Megan Weadock
• Mar 01, 2009

With millions of U.S. jobs lost since last year at this time, the country seems to have resigned itself to hunkering down for the recession––possibly for years to come.

But certain industries shouldn’t get too caught up in all the belt-tightening. An increase in security risk and vulnerability may be one of the lesser-known side effects of economic struggles.

Heightened Risks
Rapid7 is a vulnerability assessment and management company that helps businesses evaluate and minimize exposure. Corey E. Thomas, the vice president of product management and marketing for the company, said there are three main reasons why security risks often increase during a recession: overall crime tends to increase and cyber-crime will probably follow this trend; given scarce funds, organizations focus less investment in security control; and, perhaps most importantly, there is a significantly higher chance of insider security risks and successful social engineering attacks due to layoffs, reduced employee training and decreased employee satisfaction.

Thomas explained that a social engineering attack occurs when hackers target employees and former employees to covertly retrieve sensitive information. Less likely is a direct attack by former employees, which is still a fast-growing area of Web and database attacks, he said.

“This is even more likely when organizations have poor exit policies and procedures,” Thomas said. “Even those that do have good practices for normal circumstances can experience difficulty in the case of mass layoffs.

“Many hackers target Web sites, and many organizations are likely to cut spending on Web development without cutting the amount of work, therefore, resulting in code that is likely to be less secure.”

Industries that deal with sensitive data face the greatest risk. Retail and healthcare organizations, for example, should be particularly cautious. In these types of businesses, employees and ex-employees could very easily expose vital information without knowing it.

Employees Fight Back
Although Thomas stresses that the greatest threat does not come from inside a company, a recent survey suggests companies should still be vigilant of current employees. “The Global Recession and its Effect on Work Ethics,” completed by IT security data company Cyber-Ark Software, found that more than one-third of 600 office workers polled admitted to conspiring behind their bosses’ backs to download vital, useful and competitive information to take with them if they get fired.

Not surprisingly, 56 percent of the workers said they were worried about losing their jobs. However, in preparation, more than half of them said they’ve already downloaded competitive corporate data and plan to use the information as a negotiation tool when looking for a new job.

According to the survey, customer and contact databases, plans and proposals, product information and access/password codes were seen as the most useful information to take away from a job.

“In these dark days, the instinct is to look out for No. 1,” said Adam Bosnian, vice president of products, strategy and sales of Cyber-Ark, in a press release. “If times get hard, companies need to ensure that any cutbacks aren’t deeper than expected when stolen data unexpectedly eradicates any chance of survival—our advice is to only allow access to sensitive information to those that really need it, lock it away in a digital vault and encrypt the really sensitive data.”

Whether a company’s employees knowingly take information with them or are victims of a social engineering attack, it’s clear that a company’s own employees are one of the greatest threats during a recession. That’s why, Thomas said, organizations should prepare as much as possible for these types of attacks.

Assess and Prepare
Rapid7 advises companies to follow a set of best practices to minimize their risk during times of economic turmoil.

First, a company should assess its security investments to ensure that it has the capacity to respond to both current and emerging threats. Next, ensure that the organization has an ongoing method to track its attack surface, so vulnerabilities don’t increase after a cut in IT or development resources. In advance of major layoffs, review and update exit policies and procedures and consider a tiered approach with more stringent safeguards for higher-risk exits.

Thomas said companies also should perform internal and external penetration tests to understand the ability of hackers and rogue employees to gain access to restricted data; deploy systems to track and manage social engineering readiness and respond to social engineering attacks; train employees on safe computing; and develop and access an audit policy that organizes who has access to what types of information and then ensure that the policy is followed.

Companies like Rapid7 can help businesses prepare for layoffs, limit their exposure and reduce the risk their vulnerable systems can have. Thomas said Rapid7 offers vulnerability management, PCI-compliance testing, penetration testing, Web application security audits, best practices consulting and social engineering training, all of which can help defend against the unforeseeable.

This article originally appeared in the issue of .