Archives || Search || About Us || Advertise || Feedback || Subscribe-
Issue of September 2005 

[an error occurred while processing this directive]

 Home > Vendor Voice
 Print Friendly Page ||  Email this story

Tackling threats to the organisation

Knowledge about various threats to your business is a good first step towards preventing them. Here are a few instances of internal and external threats that a CIO should look out for. by Narayan Sau.

A threat is a potential occurrence that can have an undesirable effect on the system’s assets or resources and is a danger that may have undesirable consequences. Internal security attacks can be either malicious or inadvertent in nature. Regardless of what prompts an internal security breach, one thing is certain: the impact of internal security issues has negative repercussions on an organisation from a technical and a business perspective.

Awareness of information security continues to grow with new reports of hackers, organised crime, fringe groups, internal espionage and even terrorists exploiting technology for their own profit and motives. Many enterprises have suffered losses that can no longer be considered a part of the cost of doing business.


As businesses venture into e-commerce, the need for secure networks is imperative. Banking and telecommunications are dependent on the availability of reliable and secure networks. As network connectivity increases at a rate beyond the capacity to implement controls, market pressures on hardware and software vendors reduce the introduction of security features and testing prior to products being released. Retrofitting security into existing systems and applications is difficult, expensive, and, in some cases, impossible without serious operational impact.

Few organisations understand and qualify specific threats in order to evaluate risks accurately. The consequences can be extreme. Not only are some threats overlooked, but also resources and budgets are misapplied to threats that do not exist or have a minimal impact.


The technology is changing faster than traditional risk assessment models can adapt to a new working environment. Organisations are not only increasing the size of their networks by adding more systems, they are also adding new dimensions of connectivity and complexity. Back-end business processes such as suppliers, contractors and partners, and front-end processes such as clients and customers are increasingly integrated into a seamless network.

To make matters worse, the inherently insecure Internet and underlying telecommunications infrastructure are the de facto standard when it comes to providing connectivity.


They are top priority in terms of security concerns. The definition of internal threats is broadening. It is no longer about the disgruntled and dissatisfied employee within the company who misuses confidential information. It’s also where users are accessing systems and data. It is fairly easy to create a small piece of software that will attack the internal network once it is planted on any computer system within the corporate network. Distributing the programme can be done by anyone without any special computer skills. In most cases, the person who installs the malicious software is not aware of it.


Once a malicious programme has been installed, it can cause harm in various ways. The most typical mechanisms are:

  • Gaining user access and pretending to be a legitimate user taking action.
  • Capturing confidential data for industrial espionage or other purposes.
  • Destroying corporate data to do financial damage.
  • Causing network and system shortages to paralyse the company’s operations.


Security threats arising from within are increasing the operational risks of businesses. There may be a loss of reputation in the esteem of customers, partners and investors. There may also be a risk of business interruption and violation of legal and regulatory requirements to protect sensitive customer information. Two other factors are:

  • Unauthorised access to information where access includes disclosure, modification and destruction.
  • Unauthorised users, i.e. individuals who have not been granted the right to access the system.


Social engineering is being used to obtain confidential information by manipulating legitimate users. It is a new type of internal attack similar to ‘phishing’ in which a malicious insider—with access to company information—tricks other users into providing access to restricted information.

Social engineers rely on the fact that people are not aware of the value of the information they possess and are careless about protecting it. These malcontents will search dumpsters or take advantage of people’s natural inclination to choose passwords that are meaningful to them (like a close relative’s name or date of birth, or names of gods and goddesses) but can be easily guessed. Social engineering remains a key threat to any security system.


There may be loss of data, data corruption, and backup failures which lead to business losses.

There may also be embezzlement and theft of Call Detail Records (CDRs). At telcos, internal users sometimes bypass the usage record from billing for some subscribers by deleting the CDRs from the database or by changing the programme to overlook those subscribers.


There may be identity theft of a customer’s valuable information such as credit card information, address and date of birth.

Identity theft and fraud are terms used to refer to all types of crime in which someone wrongfully obtains and uses another person’s personal data in some way that involves fraud or deception, typically for economic gain. 

Information used in biometrics (face image, palm print, hand geometry, fingerprint, iris/retina scan, voice recognition and handwriting) are unique to a person and cannot be given to someone else for their use. However, personal data, especially a bank account or credit card number, telephone calling card number, and other valuable identity data can be used by the wrong people for malicious purposes.


Browsing Web sites and using Web-based e-mail can seem an innocent activity to the user, but both activities can disrupt normal business activity. There are viruses (e.g. Choke virus) that are specifically aimed at Instant Messaging (IM) systems. Anti-virus tools at the gateway do not detect IM, so infected files can seep into the desktop and then into the network. Also, listening to music leads to a threat from passive viruses.

Sometimes, when a company’s log book or notebook is lost, some important information may be at risk.


External threats are mixed threats that combine multiple characteristics such as worm, virus, spam and denial of service (DoS). Everyday, hundreds of new ways are discovered by intruders and hackers. There are more than 30,000 hacking-oriented Web sites, so it no longer needs a ‘guru’ to hack a site.

Here are some of the common external threats.

  • DoS: An attacker may try to flood the system with a large number of messages, causing a system overload and possibly leading to a denial of service situation where users are unable to access the service.
  • Intercept messages: An attacker may intercept and read the content of messages (including the message origin and final destination, arrival and departure order and time) exchanged by users.
  • Viruses and worms: These originate from outside sources, either targeted at the company or randomly spread on the network through users or the Internet. It leads to situations such as Web site defacement, and nasty viruses and worms that tunnel their way into a network and destroy or alter data and applications, and monopolise system resources by duplicating and spreading themselves.
  • System disruption: Damage or destruction of physical environment due to fire, political violence and earthquakes.


CIOs should give the above internal and external threats the highest priority in their organisations and devise the necessary strategies and policies to counter them. There are many challenges ahead, but only a well-informed CIO can successfully understand threats, prioritise risks, and remedy the situation.

The author works with Amdocs Inc, US

- <Back to Top>-  
Untitled Document
Indian Express - Business Publications Division

Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.