Threats from easy access
I break into a cold sweat when I think of all the
mission-critical data being carried around the globe by our
increasingly mobile sales and operational staff, and of the
security breaches this could lead to. Every day I hear horror
stories of staff members connecting mobile gizmos into our network
without our say-so. What strategy - cultural and technological - do
you recommend I implement to safeguard the integrity of the
organisation's IT environment?
Visiting professor of information systems, Brunel
University
Professor Dan Remenyi
Communicate your strategy to staff
This is primarily an IT architecture or an IT strategy issue. If
your organisation has gone to the trouble to produce either or both
of these, then it needs to communicate and enforce technology and
security standards.
The first step is to communicate clearly to the mobile staff
what standards and policies have been chosen and why. As well as
highlighting the downside risk to the organisation, you need to
stress there will be a downside risk to the careers of individuals
who do not comply.
If you don't have an IT architecture or an IT strategy, then
it's roll-up-your-sleeves time - time to get down to thinking
through what your organisation wants to get out of its IT. This
will suggest what type of platforms, as well as security policies
and products, are needed to achieve the corporate business
objective.
By the way, an IT architecture or an IT strategic plan need not
be 200- or 300-page documents loaded with hi-tech ideas and jargon.
Some of the best IT architectures are as short as 30
pages of simple English and may have taken only a few months' work
to put together.
It is similar for an IT strategic plan. Both of these exercises
are really worthwhile doing. And they subsequently give your
efforts towards having a highly professional IT operation a much
higher chance of success.
Visiting professor of information systems, Cranfield School
of Management
Professor Andrew Davies
Set up a database of information
You have a classic compromise to manage - ease of access against
effective security. You want to provide easy access to your mobile
sales and operational staff, while protecting your data from
unauthorised access.
Sadly, there is no alternative to engaging in some boring and
time-consuming bureaucracy: try setting up access and then logging on
to a bank's Internet site and you will see what I mean. You need to
have a database holding access information for each authorised
user. This must be set up with passwords and log-on information
known only to the user - the user's mother's maiden name is a
favourite.
The database should be used to authorise each log-on,
identifying the actions each user is entitled to carry out. You may
need an authorisation procedure to allow access to more sensitive
activities, such as entering or amending customer details or
orders. You will also need a log function to trace all such
activities, so any unauthorised activity can be subsequently traced
and corrected.
Smart cards with digital signatures are being promoted as the
answer to this problem, but card-reading devices are not widely
available in easily transportable form and there remains the issue
of lost or stolen cards, which suggests a continuing need for
separate passwords. So for now, passwords and personal information
are the only practical option.
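The access database described in this answer, as an added example that is not part of the original article: a small user store that authorises each log-on against a salted password hash, checks an action against the user's entitlements, routes sensitive actions (such as amending customer details) through a second authoriser, and writes every attempt to an audit log so that unauthorised activity can be traced afterwards. The users, passwords and action names are constructed for the example.

```python
"""Added example: per-user authorisation store with an audit trail.

Each user record holds a salted password hash (never the plaintext), the
set of actions the user may perform directly, and a set of sensitive
actions that need sign-off from a second user holding the 'approve'
entitlement. Every log-on and action attempt is appended to audit_log.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 100_000  # PBKDF2 work factor; raise for production use


@dataclass(frozen=True)
class UserRecord:
    salt: bytes
    pw_hash: bytes
    entitlements: frozenset   # actions the user may perform directly
    needs_approval: frozenset # actions that need a second authoriser


class AccessDatabase:
    def __init__(self):
        self._users = {}
        self.audit_log = []  # (event, user, detail, outcome)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def add_user(self, username, password, entitlements, needs_approval=()):
        salt = os.urandom(16)
        self._users[username] = UserRecord(
            salt, self._hash(password, salt),
            frozenset(entitlements), frozenset(needs_approval))

    def login(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None:
            # Hash anyway so an unknown user takes as long as a bad password.
            self._hash(password, bytes(16))
            ok = False
        else:
            ok = hmac.compare_digest(rec.pw_hash, self._hash(password, rec.salt))
        self.audit_log.append(("login", username, "", "ok" if ok else "denied"))
        return ok

    def authorise(self, username: str, action: str, approver=None) -> bool:
        """Decide whether username may carry out action; log the decision."""
        rec = self._users.get(username)
        if rec is None:
            outcome = "denied"
        elif action in rec.needs_approval:
            approver_rec = self._users.get(approver)
            if (approver is None or approver == username or approver_rec is None
                    or "approve" not in approver_rec.entitlements):
                outcome = "denied"
            else:
                outcome = "ok (approved by %s)" % approver
        elif action in rec.entitlements:
            outcome = "ok"
        else:
            outcome = "denied"
        self.audit_log.append(("action", username, action, outcome))
        return outcome.startswith("ok")

    def unauthorised_attempts(self):
        """Audit entries to follow up: every denied log-on or action."""
        return [e for e in self.audit_log if e[3] == "denied"]


def build_demo_db() -> AccessDatabase:
    """Constructed users: alice is a mobile sales user, bob a supervisor."""
    db = AccessDatabase()
    db.add_user("alice", "correct horse battery",
                entitlements={"view_orders", "enter_order"},
                needs_approval={"amend_customer"})
    db.add_user("bob", "tr0ub4dor&3",
                entitlements={"view_orders", "approve"})
    return db


if __name__ == "__main__":
    db = build_demo_db()
    db.login("alice", "correct horse battery")
    db.authorise("alice", "view_orders")
    db.authorise("alice", "amend_customer")                  # denied: no approver
    db.authorise("alice", "amend_customer", approver="bob")  # ok
    for entry in db.audit_log:
        print(entry)
```

The audit log is the part that makes the bureaucracy worthwhile: a denied entry records who tried what, so a later review can distinguish a mistyped password from an attempt to amend customer records without sign-off.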
Arthur Andersen
Neil Yeomans
Try breaking into your own system
Given the opportunities afforded by rapid developments in
technology and communications, it is inevitable that workers will
become more and more mobile, carrying increasing amounts of
sensitive data with them. So, firms need to be alert to the
changing risks they are exposed to so they can keep security
measures up to date.
There are broadly two types of technical security measures that
should be maintained when data is on the move. The first is to use
encryption techniques to make information on the laptop - or other
devices - inaccessible to unauthorised people, and to use the same
technique for particularly sensitive data when it is transmitted
over networks. The second technique is to ensure anyone accessing
the corporate network remotely is authenticated and authorised as a
genuine user.
Users need unique passwords or stronger techniques such as smart
cards and challenge-response devices checked by secure gateways on
the company network. A good way to maintain vigilance for companies
particularly worried about these problems is to carry out regular
tests and third-party reviews, including penetration attempts under
controlled conditions.
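The challenge-response check at a secure gateway, as an added example that is not part of the original article: the gateway issues a fresh random nonce, the user's device answers with an HMAC over that nonce keyed by a secret shared with the gateway, and the gateway accepts the answer only once and only within a short time window. Both sides of the exchange are shown; the usernames, shared secrets and the message format are assumptions made for the example.

```python
"""Added example: HMAC challenge-response between a remote device and a
corporate gateway. The shared secret never crosses the network; only a
random challenge and a keyed digest of it do, and each challenge is
accepted once, so a captured exchange cannot be replayed.
"""
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 60  # seconds a challenge stays valid


def compute_response(secret: bytes, username: str, nonce: bytes) -> bytes:
    # Binding the username into the MAC stops one user's device answering
    # a challenge issued to another user.
    msg = b"chal-resp-v1|" + username.encode() + b"|" + nonce
    return hmac.new(secret, msg, hashlib.sha256).digest()


class Gateway:
    """Server side: holds shared secrets and outstanding challenges."""

    def __init__(self, secrets_by_user):
        self._secrets = dict(secrets_by_user)
        self._pending = {}  # username -> (nonce, issued_at)

    def issue_challenge(self, username: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[username] = (nonce, time.monotonic())
        return nonce

    def verify(self, username: str, nonce: bytes, response: bytes) -> bool:
        # pop() makes the challenge single-use, whatever the outcome.
        pending = self._pending.pop(username, None)
        if pending is None:
            return False
        expected_nonce, issued_at = pending
        if not hmac.compare_digest(expected_nonce, nonce):
            return False
        if time.monotonic() - issued_at > CHALLENGE_TTL:
            return False
        secret = self._secrets.get(username)
        if secret is None:
            return False
        expected = compute_response(secret, username, nonce)
        return hmac.compare_digest(expected, response)


class Device:
    """Client side: the token or laptop agent holding the user's secret."""

    def __init__(self, username: str, secret: bytes):
        self.username = username
        self._secret = secret

    def respond(self, nonce: bytes) -> bytes:
        return compute_response(self._secret, self.username, nonce)


def run_exchange(gateway: Gateway, device: Device, username: str) -> bool:
    """One full exchange: challenge out, response back, verdict."""
    nonce = gateway.issue_challenge(username)
    response = device.respond(nonce)
    return gateway.verify(username, nonce, response)


def build_demo():
    """Constructed secrets for alice; mallory holds a different secret."""
    alice_secret = secrets.token_bytes(32)
    gateway = Gateway({"alice": alice_secret})
    return gateway, Device("alice", alice_secret), Device("alice", secrets.token_bytes(32))


if __name__ == "__main__":
    gw, alice, mallory = build_demo()
    print("alice accepted:", run_exchange(gw, alice, "alice"))
    print("wrong secret accepted:", run_exchange(gw, mallory, "alice"))
```

A stolen laptop that still holds the secret is not defeated by this scheme, which is why the answer above pairs it with smart cards or a separate device, and with disk encryption.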
Head of information risk management at NCC Services
Chris Hilder
Encourage users to report the flaws
You are right to be concerned about your company's IT security
and what staff may be doing to jeopardise it. To make the security
of the IT system a success, you need to focus on developing the
awareness of all staff. You need to stress the security risks
surrounding the way remote workers access information and the
influence that IT security has on a company's reputation. Be sure
to emphasise the huge costs that can be incurred when problems
arise.
One way to ensure that people participate in safeguarding the
system is to encourage them to report activities they believe may
make the system vulnerable or cause a risk to stored data. The
basic tenet of your technology strategy should be that all
equipment accessing your network should be approved and tested by
the company to ensure it is appropriate.
Create policies to ensure there is adequate authentication for
mobile workers attaching to the network and enforce measures to
guarantee encryption of the hard drives on all laptops. This
ensures that no one will be able to use the information if they
steal the laptop.