Privacy breaches occur as often from within an organization as they do from outside it; user authentication methods can help reduce the damage.
Posted Sep 30, 2005
Unattended computers pose as significant a threat to businesses as do outsider hackers, according to a new Gartner report, "Set Timeouts to Stop Abuse of Unattended PCs." A significant number of unauthorized accesses occur when someone sits down at another user's computer, facilitating access to sensitive data and bogus email messages, according to the report. Threats include unauthorized access to personnel data like salary information; unauthorized access to business information--even making changes to that information (it can mean covering up fraud and increasing bonuses or commissions by altering sales numbers). Another threat is the ability to bypass approval processes and employee access levels by using a superior's computer.
"The excuse [that] 'someone else must have sat at my PC' has become...typical," says Jay Heiser, research vice president at Gartner. "That said, proving that this was the case is often challenging. Organizations are protecting their systems and personnel against external security threats, but failing to realize the very real risk that exists internally from something as basic as an unattended PC."
"Unattended PCs represent the computer security equivalent of low-hanging fruit," Heiser says. "Sending emails in another person's name, even though it's done as a harmless prank, could have huge consequences. Something simple like that can lead to a major security breach, such as customer information."
The threat of such risks can be mitigated if users could be relied upon to log out or lock their computers when they leave their desks, according to Heiser. A timeout limits the window of opportunity for the misuse of a user's active session. The disadvantage is that timeout standards lead to complaints from users about the inconvenience, though such resistance is lessened when they are informed that they can be held accountable for computer misuse originating from their usernames.
Other technical solutions to this problem include authentication methods that incorporate proximity tokens that users wear around their necks and automatically log them out or lock the computer when they get too far away. These tokens work when computers are used to access critical applications, such as customer databases at hospitals and clinics. Heiser says: "There is little point in implementing some sort of sophisticated identity and access management system unless you can ensure that when people are logged in to systems, they stay at their PCs and ensure that they're secure when they leave."
The Top Three Business Security Threats
McAfee Is First in Business Security