Inside a Security Audit: The Bad News

Review reveals employees' risky behaviors
When it comes to your employees' Internet surfing habits, what you don't know certainly can hurt you.

That's the lesson a small biopharmaceutical company learned when it hired a web auditor. The project, originally designed to investigate why Internet access was so slow, revealed numerous security threats, many tied to web surfing habits.

Using web filtering software, the auditors discovered that some of the company's PCs were infected with malware as a result of employees visiting web sites that, well, they shouldn't have. One PC was even sending small amounts of data to a Russian web site, apparently the result of a botnet attack.

The IT manager for the company, who asked to remain anonymous, has this advice to organizations of all sizes in healthcare and, for that matter, any other industry: "Don't be naive. You may think you're secure, but you really don't know what's going on in your network. We thought we were in good shape; the results of our audit were really surprising."

Timely advice

The advice could come in handy for healthcare organizations conducting security audits and risk assessments as they prepare to comply with the HITECH Act's toughened privacy and security rules. The Act requires hospitals, clinics and others to report major breaches to federal regulators.

And when it comes to keeping healthcare information private and secure and avoiding breaches, a risk management approach is far more effective than a narrower, regulatory compliance approach, says Sharon Finney, corporate data security officer for the 37-hospital Adventist Health System.

"If you look at security purely from a compliance-based approach, you may be missing a huge area of technical or administrative risk within your environment," Finney says.

Inadequate steps

For years, the small pharmaceutical company had been using such security technologies as a firewall and virus detection software. And it had educated its staff members about how to avoid security risks when surfing the Web. "But we learned that even after all that, we were still vulnerable," the IT manager says.

The pharmaceutical company recently spent about $5,000 to have Networks Unlimited, Hudson, Mass., conduct a 45-day audit of its Internet use, bringing in a server armed with web filtering software from San Diego-based Websense Inc. The software "captured every packet of data going in or out of our Internet connection," the IT manager says.

In addition to identifying security risks, the auditor helped the company determine that its staff productivity was adversely affected by the amount of time employees spent on social networking sites and other sites unrelated to their work, he adds.

As a result of the lessons learned during the audit by Networks Unlimited, Hudson, Mass., the company permanently installed the web filtering software from Websense Inc., San Diego.

No punishment

Rather than punishing any workers for their past web surfing transgressions, company executives simply informed everyone that, moving forward, all Internet traffic would be monitored as a virus-prevention strategy.

"We reminded everyone that it's OK to briefly use the Internet for personal use during break times," the IT manager says.

Building awareness of the web monitoring did the trick.

"We still get folks using social networking sites, but it's way, way down," the IT manager says. "And visits to some racy web sites that are inappropriate for a work environment have stopped, as has access to poker web sites."

The moral to the story? "End-users need to be somewhat protected from themselves," the IT manager says. "You're really only as protected as much as your end-users are trained."

Continuing education

In addition to helping identify security threats, the software is helping the company to educate its workforce. The IT manager illustrated this with a recent example.

"We're doing fundamental scientific research here, and one person is working on a reproductive health project. Websense blocked her search of one particular web site," he explains, because the site was infected with a virus. But the researcher insisted the web site was vital to her research, so the company permitted her to access it, keeping a watchful eye on the results.

Sure enough, a virus immediately infected her computer, but was quickly eliminated by the IT team.

Other steps

In addition to using the web filtering software, the pharmaceutical company is taking other steps to beef up security. For example:

  • Those who access applications remotely via a virtual private network now use two-factor authentication with hardware tokens.

  • The drug company also is increasing the complexity of its passwords "so if a virus affects a PC and conducts a brute force attack, it's much more difficult to crack the password," the IT manager says.

  • The firm is attempting to minimize the number of staff members who have administrative privileges for a particular application, because that makes their PCs a high-priority target for hackers.

The need for speed

And to help speed up Internet access, which, after all, was its original concern, the company wound up switching to a higher-speed connection. Plus, staff members are no longer allowed to use streaming media, such as to listen to music, which was slowing down access for everyone.

"A lot of the younger folks who grew up with high speed connections figure it's OK to use streaming media at work," the IT manager says. "They forget that 200 people are sharing that pipe."


About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.



