"Thumb drives make it so easy for someone to download a copy of anything and just walk out with it. We can't catch that before it happens; we can't turn the USB drives off without debilitating other valid functions of the drives," he explains. "It is critical for us to keep client data confidential and it's a very touchy area when the potential of leaks occurs."
Ganzon doesn't necessarily believe users intentionally put the network, the company and its clients at risk, but when working to get their jobs done they may sidestep certain security policies without considering the potential repercussions. "If that data is lost or stolen, well, people just don't understand the risk they pose at times," he says.
Christ Majauckas agrees. The computer technology manager for Metrocorp Publications in Boston says that in some cases users believe they are following policy yet still create significant risk with their actions. One of his security pet peeves, for instance, is users who download e-mail attachments from personal accounts while logged on to the corporate network from their company PC.
"Downloading e-mail attachments from personal e-mail is one of the main sources for virus attack," Majauckas says. "If they use corporate mail, we check that for viruses. But they think it's better not to use corporate e-mail for personal use, so instead they open the mail in such a way that we can't scan for viruses. I am not going to rely on Google to check for viruses on my network."
For Koie Smith, IT administrator at the Jackson, Tenn., law firm Rainey, Kizer, Reviere & Bell, users trolling the Internet and visiting personal sites such as MySpace or Facebook represent a big risk, so much so that he uses a Linux-based proxy server called Squid for content filtering and to shut down access to those sites. For one, he is quite certain the sites aren't being used for work purposes; on top of that, Smith says he finds those sites and others are rife with spyware ready to latch onto his corporate network.
"Even though we need the Internet for productivity reasons, browsing the Web is obviously a concern because users can pull down spyware or a virus. Without adequate protections on the computer -- or even in some cases when there is -- viruses in the wild can still cripple your network by one user browsing to a site they shouldn't be going to," Smith says. He adds that the content filtering also serves to protect the user and organization legally. "There are things our company can't have happening in the work place, and unrestricted Web browsing opens the door for that."
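The approach Smith describes, filtering outbound web access through a Squid proxy, comes down to a short access-control list. The fragment below is an added illustration and is not the law firm's actual configuration; the internal subnet, the domain list and the log path are assumptions chosen for the example.

```conf
# Added illustration, not the firm's real squid.conf: block the social
# networking sites named in the article and keep a record of every attempt.
# The subnet, domain list and log path are assumptions for this example.

acl localnet src 192.168.1.0/24          # assumed corporate LAN
acl Safe_ports port 80 443               # only plain HTTP and HTTPS out

# A leading dot matches the domain itself and every subdomain under it.
acl social_sites dstdomain .myspace.com .facebook.com

# Order matters: Squid applies the first http_access line that matches,
# so the deny for social_sites must come before the allow for localnet.
http_access deny !Safe_ports
http_access deny social_sites
http_access allow localnet
http_access deny all

# Denied requests are logged with a TCP_DENIED status, which gives the
# administrator a record of who tried to reach a blocked site and when.
access_log /var/log/squid/access.log squid
```

For a longer list, Squid can read the domains from a file (`acl social_sites dstdomain "/etc/squid/blocked_domains.txt"`, one entry per line), which keeps the policy editable without touching the main configuration. Note that this filters by destination domain only; it does not inspect page content, so it complements rather than replaces the endpoint anti-spyware protections the quote refers to.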
More education required
Bruce Bonsall, CISO at MassMutual Financial Group in Massachusetts, worries most about the intertwined work and home lives of most corporate employees, which leave networks exposed to security holes and employees vulnerable to attacks. He says he also gets concerned when a user population isn't as educated about security policies or potential threats as it should be.
"It's not realistic for me to think that people are going to stop mixing their personal and work lives. We have to rely on them to practice good hygiene when opening links and try to prevent all the sewage that is out there from backing up into corporate networks," Bonsall says.
Targeted attacks such as phishing and whaling concern him because they can take advantage of users who haven't kept up with corporate education efforts. He says technologies such as network access control and security information management can help protect the network, but only to a certain degree. As attacks get more sophisticated, user education is the only option.
"The bad guys are going after high network staff and senior executives, which is very disturbing. The more information they use that relates to the target, the more likely someone will get tricked, even savvy end users," Bonsall says.