Employees First Line of Defense Against Hacking

If your company gets hacked, it may very well be your fault, and if your bank account gets broken into by digital thieves, you might be to blame too.

The question, though, is whether you'll ever actually be punished for your transgressions.

Digital security in 2011 is about users just as much as providers. The most well-prepared company cannot prevent an employee from carelessly leaving his laptop open and unlocked in a coffee shop and the most secure bank cannot stop gullible customers from answering suspicious-looking e-mails.

That is why blame is increasingly being shifted to end-users and why companies are pushing staff and customers to be better educated about risk and self-defense.

``Some of this ... is really day in, day out stuff for security people, but for the average person it's like Houdini,'' said Kevin Mitnick, once one of the country's best-known hackers and now a security consultant with a series of best-selling books to his credit.

In many ways companies have no choice but to shift responsibility to their staff. Aside from the challenges of overhauling information technology (IT) infrastructure, insurers increasingly want to see that companies have robust policies in place that go beyond computer hardware.

``IT can't just be IT, it has to be HR (human resources). Does HR train new employees on what data they can have access to? Do they change their passwords?'' said Kevin Kalinich, national managing director of professional risk solutions for insurance brokerage Aon Corp. ``It's got to be the whole company's policies and procedures.''

There are consequences for companies that do not follow through. Tracey Vispoli, a senior vice president at insurer Chubb Corp, said she has seen policies that exclude any losses that stem from unencrypted laptops and others that exclude losses if companies have not applied software updates.


Experts in the field say there is a disconnect between claimed expertise and actual ability, one that means many organizations are much more vulnerable than they realize.

``In many ways cybersecurity is similar to 19th century medicine -- a growing field dealing with real threats with lots of self-taught practitioners only some of whom know what they are doing,'' the Center for Strategic & International Studies said in a July 2010 white paper.

Everyone in the field agrees training is crucial, but even that has its limits. There is only so much a company can do, even with best practices such as interactive online training, daily tips and ``inoculation'' exercises to test defenses.

According to one expert, companies have 90 days from the time the organization becomes widely aware of a breach to start better training staff, otherwise security awareness drops right back to where it was. And even then, he said, the best training has its limits.

``If you do an elegant job at getting your users really sensitive to this stuff, you will still be beaten by the sophisticated social engineering types,'' said Alan Paller, director of research at the SANS Institute and a former member of the National Infrastructure Assurance Council.


Recent court cases illustrate the example that end users have to be more vigilant.

A U.S. magistrate judge in Maine recently recommended dismissing a lawsuit by a construction company against its bank over hundreds of thousands of dollars stolen from its account.

The company fell victim to a virus that let hackers get its online banking information. It later sued the bank, arguing the bank's systems should have caught and blocked the suspicious transactions. But the magistrate ruled that the company had agreed to the bank's procedures.

The ruling puts the onus of keeping information secure on companies rather than banks. Patco Construction co-owner Mark Patterson said that is hard to do for a small business, especially when it means monitoring employee web surfing.

``For a big company, you can dedicate resources for Internet police. We're 22 people and there's probably 15 in the office. Most small business don't have the resources to fight this,'' he said in an interview.

Patterson said his employees now update their computer programs once a month and the company has completely stopped using online transactions. The company also raised its fraud insurance coverage to $300,000 from $10,000.

Aside from the financial consequences, though, there is less clear evidence about what happens to employees when their actions lead to a breach of some kind.

On technology job boards, such as those at IT jobs site Dice.com, there are active discussions about whether and why people get fired for security breaches. For all the questions, there are few clear answers.

Some employers make the threat clear. At one time, AOL Inc told new employees on their first morning on the job they could be fired for leaving a workstation unlocked. Mutual fund giant Fidelity Investments has had security guards conduct predawn desk checks for unlocked drawers. The Texas comptroller's office fired multiple people after a data breach was revealed earlier this year.

Yet employment lawyers say the threat rarely meets reality.

``If you are careless or negligent, generally in the first instance, that is not something in the labor union context that would warrant or justify a discharge,'' said David Gregory, executive director of the Center for Labor and Employment Law at St. John's University.

Even in a nonunion shop, Gregory said, ``the employer who takes that very rigid, very brittle, very punitive look at things is I think at real risk of destabilizing morale, esprit de corps and productivity.''

Taking proactive measures is a good thing, but consultants hired by companies to make sure employees are practicing what management preaches insist there is only so much that can be done.