Unintentional (But Very Real) Internal Threats
Your employees need not be malicious to pose a danger to your enterprise.
There are two types of employees that I like to call Dennis the Menace and Alice in Wonderland. They are bright, motivated, friendly and have only the best of intentions. They can also be your worst nightmare.
Dennis, for instance, sees some problem with the production code you use for your core business. He knows there's an easy fix, it will only take five minutes, and everyone will be very glad at how much better the system runs once it's fixed.
He rewrites the function and replaces it in the module where he first identified the problem. What he fails to realize is that several other modules depend on it, and the change causes the production code to grind to a halt. Your network looks fine, everything should be working, but it's not.
Certainly you don't want to be the one explaining to the CEO, CIO, or CTO what happened and why it took so long to do something about it. You also don't want to be the one responsible for informing customers about loss of data, downtime and loss of revenue.
A change control process sets the framework for protecting all the parties involved. It allows a snag in your code to be identified and resolved promptly, but it also clearly identifies who is responsible for the change and what the back-out plan should be in case of difficulties.
In Dennis's case, it also means that every time there's some difficulty, you won't be camped at his desk asking what he did this time. He'll be relieved to know that he isn't the scapegoat in bad situations.
Educating the Trusting
Then there's Alice. She will be the first to tell you she's not very technically inclined. She loves her computer; it lets her do so many things. She's working on a novel, and she thinks the World Wide Web is amazing for its ability to tell you everything you ever wanted to know about anything.
And she believes it all. If it comes to her in email from friends, then it's obviously something she needs to see, sign, buy or try. After all, who on earth would know who she is and what her email address is?
We've talked about this situation before, and we'll likely talk about it again. It is very difficult to educate the trusting to recognize the threats inherent in the virtual world. Teaching users to avoid suspicious sites linked in email, and to recognize attempts by unauthorized persons to obtain privileged information via the web or email, will go a long way toward cutting down the number of compromises that result from malicious web content.