Jon Collins, Computing
Freeform Dynamics recently researched business attitudes to security threats and identified a number of organisations that are leading the way in terms of mitigating risks – as well as a few laggards. But before looking at any lessons these security leaders can impart, it is worth examining exactly what it is they are securing their systems against.
Threats to IT security come in a variety of forms, including:
Confidentiality breach. Customer data is a corporate asset and it can be damaging if it falls into the wrong hands. With layoffs so prevalent at the moment, firms must be alert to the risk of disgruntled ex-employees walking away with confidential business data.
Breach of regulations. Even if there is no direct business risk, inadequate data protection can lead to an organisation being in breach of government regulations or corporate standards.
Fraudulent use. An example of this is when an unauthorised person accesses a company system with the aim of trying to pass themselves off as a representative of that company. One recent example that we came across was where two businesspeople working for a small organisation fell out, leading one to quit the company. He then sent anonymous emails to his previous employer’s customers advising that they should stop doing business with the company.
Industrial espionage. This does not have to be big and clever, as in the case of stealing the design of a new drug or Formula 1 car. Sometimes something as seemingly trivial as the theft of a price list can be enough to have a devastating effect on a company.
User error. Computers need to be protected not just from malice but also from incompetence. “There’s no patch for stupidity,” as hacker-turned-security-guru Kevin Mitnick is reputed to have said.
So what exactly can we learn from the security leaders that we identified in our research? First and foremost, there is no substitute for having a comprehensive security policy in place. It’s important to stress that we are not suggesting every organisation should be able to jump through all the necessary hoops to implement a comprehensive security policy. Not immediately, anyway. What our research does suggest, however, is that organisations should implement the minimum necessary, with emphasis on the word necessary.
Policy rules should be tailored to the specific needs of the organisation, and be crafted in such a way that there is a good chance that they will actually be implemented. For example, such rules as “always have a PIN on a phone” or “use an eight-character password” are not onerous.
Policy setting should be combined with awareness training. Having conducted such exercises myself, I can vouch for the effectiveness of explaining to employees why they should look after their data, for example, and how the business might be at risk otherwise. Such awareness training can serve to improve an organisation’s general understanding of the threats it faces, and what mechanisms exist to mitigate them before spending a penny on supporting technology.
It is with no sense of irony that I point out the contradiction between security being treated by the business as a technical issue, and the fact that its roots lie in business risk mitigation. When we have researched risk management more broadly, what has come out very clearly is that the lines of business are best geared up to assess their own risks, rather than having IT second guess what these may be.
Involving the business also goes towards solving another contentious issue in IT security, that of circumvention. It can be all very well, for example, to implement access control mechanisms or secure virtual private networks to ensure that information has maximum protection. However, if such mechanisms are too onerous, employees and senior staff alike will try to get round them. Often this can be for good reason – if the mechanisms themselves are preventing honest business being done, they have become part of the problem.
This further strengthens the case for ensuring that business leaders, rather than IT, take ownership of security. Like it or not, deciding what is necessary has to be a business matter. Get this right, and things become easier.