It's time for Q&A. Which is the biggest threat to the security of your company's data, applications, and firewalls?
Is it: A) Your own employees, B) Your biggest competitor, or C) Some unknown hacker?
If you answered B or C, you probably think you have your security issues under control. If you answered A, you're serious about security. (We could have included "All of the above," but that would have been too easy. And those looking for "None of the above" need to start over.)
Right now, somewhere in your company, one of your employees is stealing information. Don't think so? How much are you willing to bet on it? Your job?
You can expect competitors to come after you. Heck, it would be almost un-American (or at least un-French) if they didn't. As far as hackers go, you're always going to find people who get a kick out of attacking systems with viruses or denial-of-service floods.
But the people you work with, the ones who share a beer with you at the company picnic, are the ones who are hard to understand. And until you figure out that attacks are coming from the inside more often than the outside, you're going to be patching more holes in your firewall and running more tests trying to track down outside attackers who may not exist.
Enemy Yours
Blue Lance Security Software (www.bluelance.com) focuses on security from within. According to CEO Umesh Verma, internal threats are rising 10 percent per year. “Exodus Communications reported that there were $202 billion in security losses last year and 90 percent of those were done by people inside the organization,” he said. “And those were the ones willing to report losses.”
He believes companies are too focused on small matters instead of the real threats to their prosperity. “About 75 percent of U.S. firms monitor e-mail and Internet usage, but only 31 percent monitor access to computer files and applications,” he said.
Denial is the problem. Who wants to admit, to himself or to his boss, that one of his own is dishonest? Case in point: A bank that Blue Lance works with found that the term "help desk" also stood for "help yourself." When the manager of cash management overseeing trust accounts had trouble with his PC, he innocently called the help desk, gave his user ID and password, and the technician fixed the problem.
The technician was also blessed with a good memory and later went to the company's test lab to use a computer that was not usually monitored. He logged on as himself, then signed on with a cloned user ID and the manager's password, and he was in. He transferred tens of millions of dollars from the trust account, deleted the cloned ID and logged off.
“The whole process took 27 minutes,” said Verma. The first suspect was the manager, but no one believed he would be stupid enough to steal $10 million from the account he managed and then go back to work as if nothing happened. (Evidently, though, the help desk tech was that stupid.)
Fortunately for the bank, it was able to trace the transaction back to the test lab and discover that the manager had given away his password to the help desk technician. “All the manager had to do was change the ID and the password as soon as the help desk had fixed his problem, but he never got around to it,” Verma said.
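What the bank eventually reconstructed by hand, a trust-account transfer from a lab machine by an account that had not existed an hour earlier, is something an audit log can flag the same afternoon. The following Python is an added example, not code from the article, from Blue Lance or from the bank; the log format, host names, user IDs, amounts and the host allowlist are constructed for illustration. Two checks cover the story: an account that was created and deleted within a short window and moved money in between, and a transfer issued from a host not approved for the acting user. (The caveat a practitioner would add: a help desk that needs a user's password to fix a PC is itself the first control to fix, and any disclosure of a password should trigger an immediate reset rather than wait for the user to "get around to it.")

```python
from datetime import datetime, timedelta

# Constructed audit records: (timestamp, host, actor, event, details).
# Hosts, user IDs and amounts are illustrative and not taken from the article.
SAMPLE_LOG = [
    ("2001-03-05 09:02:10", "WS-CASHMGR-01", "jsmith", "LOGON", ""),
    ("2001-03-05 09:15:42", "WS-CASHMGR-01", "jsmith", "TRANSFER", "acct=TRUST-4410 amount=25000"),
    ("2001-03-05 14:03:05", "LAB-PC-07", "tech1", "LOGON", ""),
    ("2001-03-05 14:05:30", "LAB-PC-07", "tech1", "ACCOUNT_CREATE", "user=jsmith2"),
    ("2001-03-05 14:06:11", "LAB-PC-07", "jsmith2", "LOGON", ""),
    ("2001-03-05 14:20:48", "LAB-PC-07", "jsmith2", "TRANSFER", "acct=TRUST-4410 amount=10000000"),
    ("2001-03-05 14:29:55", "LAB-PC-07", "tech1", "ACCOUNT_DELETE", "user=jsmith2"),
    ("2001-03-05 14:30:10", "LAB-PC-07", "tech1", "LOGOFF", ""),
]

# Hypothetical allowlist: hosts from which each user may move money.
ALLOWED_HOSTS = {"jsmith": {"WS-CASHMGR-01"}}


def parse(records):
    """Turn raw tuples into dicts, sorted by time; 'key=value' details become fields."""
    events = []
    for ts, host, actor, event, details in records:
        fields = dict(item.split("=", 1) for item in details.split())
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "host": host, "actor": actor, "event": event, **fields})
    return sorted(events, key=lambda e: e["ts"])


def short_lived_accounts(events, window=timedelta(hours=1)):
    """Flag accounts created and deleted within `window` that moved money in between.

    Returns one finding per account: who created and deleted it, from which host,
    how long it lived, and the total amount it transferred.
    """
    pending = {}
    findings = []
    for e in events:
        if e["event"] == "ACCOUNT_CREATE":
            pending[e["user"]] = e
        elif e["event"] == "ACCOUNT_DELETE" and e["user"] in pending:
            created = pending.pop(e["user"])
            lifetime = e["ts"] - created["ts"]
            if lifetime > window:
                continue
            moved = [int(t["amount"]) for t in events
                     if t["event"] == "TRANSFER" and t["actor"] == e["user"]
                     and created["ts"] <= t["ts"] <= e["ts"]]
            if moved:
                findings.append({"account": e["user"], "created_by": created["actor"],
                                 "deleted_by": e["actor"], "host": created["host"],
                                 "lifetime_minutes": lifetime.total_seconds() / 60,
                                 "amount": sum(moved)})
    return findings


def transfers_off_baseline(events, allowed_hosts):
    """Flag transfers from hosts not approved for the acting user.

    A user with no allowlist entry at all (such as a freshly cloned ID) is always flagged.
    """
    return [{"actor": e["actor"], "host": e["host"], "acct": e["acct"], "amount": int(e["amount"])}
            for e in events
            if e["event"] == "TRANSFER" and e["host"] not in allowed_hosts.get(e["actor"], set())]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for finding in short_lived_accounts(evs):
        print("short-lived account moved money:", finding)
    for finding in transfers_off_baseline(evs, ALLOWED_HOSTS):
        print("transfer from unapproved host:", finding)
```

Run against the constructed log, the first rule reports the cloned ID `jsmith2`, created and deleted by `tech1` on `LAB-PC-07` within about 24 minutes after moving 10,000,000; the second rule reports the same transfer because `jsmith2` has no approved host, while the manager's own morning transfer from his workstation is silent. Neither rule requires knowing the manager's password was shared; both key on the sequence and the location, which is why an unmonitored lab machine was the technician's first choice.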
The bank was able to recover most of its money and learned a valuable lesson about security. The help desk technician was fired, but he wasn't prosecuted, something all too common in such cases, according to Verma. "Companies are embarrassed and don't want to let customers know their security is so sloppy," he said.
The only thing that keeps the technician from doing a better job of stealing in his next job is the simple statement "not for rehire" that HR issues when a prospective employer calls. "That should be a flag, but sometimes the person doing the hiring gets sold on the individual without really knowing anything about him. They make excuses to go ahead and hire someone like that. That's human resources' fault," Verma said.
Sleeping with the Enemy
Tom Wagg, U.S. Services Delivery Manager for Integralis (www.atlantic.com) is constantly amazed at what a company finds under its own nose. Several years ago, while working as CIO for another company, Wagg discovered that a researcher in the R&D division, a man with a Ph.D., was hosting a pornography site on the company's Web site. Internet licensing people called him to inform him that the licenses were in jeopardy.
“Was I annoyed and embarrassed? Certainly. I turned off the router and told the man's bosses that until this person is dealt with, we are shut down,” Wagg said.
Integralis monitors what's happening on a company's network, and when it finds questionable activities, it keeps a closer eye on them for about 10 minutes before contacting the company. “We determine whether the intrusion is real and then contact the company to find out whether we should be worried about this activity,” Wagg said. In one case, as Integralis dug deeper into an intrusion, it discovered that someone from outside the company was using the company network as a host for a porn site. The site was shut down and the hole was plugged.
Wagg believes that a company's first reaction to unauthorized access is embarrassment. “They try not to get anything about it published,” he said. “They prefer to fix the problem, and they don't want to speak about it because they don't want to lose clients. There are whole societies out there trying to compromise computer systems.”
Enemy at the Ports
Daniel Morrison, a partner in risk consulting for Andersen (www.andersen.com), said treating security as a part-time responsibility for one of the network administrators is a big mistake. “It becomes a secondary component and consequently mistakes go undetected,” he said.
Security should be on everyone's mind, but from the examples Morrison detailed, it's apparent that making things easier for users sometimes outweighs a company's concerns. “One administrator opened ports in a live production area because a customer couldn't get access to some data,” Morrison said. “The administrator solved the problem on the fly, but didn't think of the consequences.”
Another administrator wanted to work from home, so he installed remote-access software on the server. While this allowed him to get his job done, it also opened the server to anyone else running the same software. "It took weeks to find out it wasn't an attack from the outside," Morrison said. "There are countless evil minds coming up with challenges for security professionals," he said. "There is a hostile environment out there. If you are not careful who you hire, you may be hiring someone you don't want having access to your important information."
And what do you do when it comes time to get rid of a security administrator or someone else in the IT department? “It becomes a challenge to get rid of them,” Morrison said. “If you upset them, things can start 'happening'.”
Enemy of the State
Companies must realize that there are a number of security points that can be breached. "When you buy something off the Internet, everyone thinks it is others at risk," Verma said, "but you are giving your credit card number, the correct spelling of your name, and other valuable information to a company. Insiders with access to that data don't have to breach your system to get that data."
Some don't even have to get into the system. One administrator told a story about going to pick up an item off a network printer and seeing a list of customers, their credit card numbers and expiration dates, and other pertinent data sitting on the printer. When no one showed up in a short time to pick up the print order, the administrator took it to the head of the sales division.
Verma draws an analogy between the separation of church and state and internal security: Putting your network administrator in charge of security opens the door to bigger problems. "They are powerful people in your company and you have them monitoring their own security," he said.
But many companies can't afford a full-time security professional. “You have to examine the cost, benefit, risk, and reward,” Verma said. “For small companies, a $100,000 or $200,000 loss is just as devastating as a $20 million loss for a Fortune 1000 company.”
If there's any good news from all this it's that people stealing from the company are usually greedy, continuing with their illegal acts until they are caught. “If they had success with a small strike, it usually gets bigger,” Verma said. “Greed can be a good tool to help security.”
Tales from the front lines can be enlightening, but they aren't worth a dime if companies can't get past the denial: It'll never happen to us. It can and will happen to your company. Chances are, it's happening now. In the days of paper, you never would have left a file cabinet with your company's most vital information unlocked in the lobby of your office. Are your network files and applications any safer?
© 2024 ALM Global, LLC, All Rights Reserved.