A help desk worker at a large company fields the next in a never-ending rush of calls from another breathless, overwrought employee. The caller is desperate for his e-mail and network passwords, which he claims to have forgotten. The staffer gives in and hands over the goods - worn down by tales of the rotten day the employee is having.
Having tricked the help desk staffer, the intruder proceeds to waltz through the company's firewall and wreak havoc.
Giving out sensitive data to people without first authenticating their identity and access privileges is one of the most common and worst mistakes employees can make. Allowing a stranger inside an organization without authorization is yet another example of a broken link in the human firewall chain.
According to an example the International Organization for Standardization cites, a former contract programmer at a financial institution easily got past security because guards simply recognized him and waved him in. Once inside, he posed as a computer consultant doing an audit and interrogated an employee, who believed he was supposed to provide the data that was demanded.
This con tricked another employee into verifying information that he eventually used to transfer $10.2 million from the company's bank to a Swiss account. The thief couldn't have committed his crime without the unwitting complicity of at least three employees who breached security by allowing him into the building and giving him network and database access.
According to a Computer Security Institute/FBI study of more than 500 U.S. security managers, 90% say they suffered breaches in 2001. The most serious financial losses occurred through theft of proprietary information and financial fraud, crimes associated with breaches in corporate security policies and weaknesses in human firewalls. The survey adds that 50% of the attacks came from employees, including contractors, working inside organizations.
Warren Moore, senior director of information security at Convergys in Cincinnati, says, "With human firewalling . . . really what you're talking about is changing corporate cultures. People want to be helpful, but that's the way intruders can get inside. You need to establish policies and educate employees."
But according to the Human Firewall Council, an international organization founded in 2001 to help security directors define policies, far too many organizations are neither training their employees to prevent breaches nor investing strategically in security.
In a study published in February, the council analyzed responses from more than 1,000 organizations and found that eight of 10 survey respondents had not implemented even minimal security management practices.
Even in industries such as financial services and healthcare, and in government agencies, where security practices are federally mandated, little more than half of surveyed organizations had defined security management practices.