Security breaches in the e-world can destroy public confidence and
your business in an instant
Thanks to e-business, IT now directly impacts the top line in the
front office, not just the bottom line in the back office. This,
warns Brian Collins, IT director at law firm Clifford Chance, is
dragging the issue of security even higher up the agenda.
Collins, highly regarded as a security consultant to the banking
sector, was speaking at last week's Computer Weekly 500 Club
meeting for UK IT directors.
"Security has a very different impact now than two years ago,"
he warns. "No one in the e-world is in isolation."
Breaches of security in the e-world put two key items at risk,
he asserts. First is brand value and public trust, and City
confidence therein. The second is the availability of Web-dependent
business processes, which in the non-stop world of e-commerce is
increasingly critical.
So, what can be done to secure the organisation in the e-era?
Collins identifies four factors.
Staff
As is already well established, the weakest link in the security
chain is the human factor. Risks can arise from something as simple
as users leaving their PCs switched on, and logged in, in an empty
office at lunch time. More complex scenarios could include
contractors siphoning off software via e-mail, or inappropriate
staff being granted system administration rights over critical
software.
The adoption of knowledge management, especially Web-based,
opens up a new opportunity for security breaches.
As Collins observes, "Sharing knowledge adds value. Knowing who
you're sharing it with adds even more."
Software
"Don't assume that software out of the box has the security
features you need," warns Collins.
Even if security measures are included, they may need to be
explicitly selected during implementation and insecure defaults
changed - again the human factor is inescapably involved.
"You need a lot of implementation rigour," says Collins, which,
for those companies that came into IT in the post-mainframe era, may
well be missing.
Nor are the software management tools always adequate. Many do
not supply real-time management information, trend monitoring or
auditability. Some, warns Collins, won't let you apply the first
rule of security: divide up duties and assign each person only the
specific rights their job requires. There is a dangerous tendency,
he warns, for the network manager to have a degree of omnipotence
that is not advisable.
"The network manager can bring down the organisation instantly,"
says Collins. "So, he or she should be saintly, but not God."
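One way to make "divide up duties and assign specific rights" a check the system enforces, rather than a matter of the network manager's self-restraint, is to model rights per role and refuse any role or role combination that would put both halves of a conflicting duty in one pair of hands. The following is an added example, not code from the article, from Collins or from Clifford Chance; the role names, permission names and the conflict table are invented for illustration, and the audit trail is an in-memory list standing in for whatever the real management tool would write.

```python
"""Separation of duties and least privilege as enforceable rules.

Added example; not code from the article or from Clifford Chance.
A small role-based access control (RBAC) model in which rights are
granted per role, no role or user may accumulate a conflicting pair
of duties, and every decision is appended to an audit trail. The
role and permission names are invented for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Static separation-of-duties rules (hypothetical permission names):
# no single person may hold both permissions in any pair.
SOD_CONFLICTS = {
    frozenset({"payment:create", "payment:approve"}),
    frozenset({"firewall:change", "firewall:audit"}),
}


@dataclass
class AccessControl:
    roles: dict = field(default_factory=dict)        # role -> set of permissions
    assignments: dict = field(default_factory=dict)  # user -> set of roles
    audit: list = field(default_factory=list)        # append-only decision log

    def _log(self, subject: str, action: str, allowed: bool, reason: str) -> None:
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "subject": subject,
            "action": action,
            "allowed": allowed,
            "reason": reason,
        })

    @staticmethod
    def _conflict(permissions: set):
        """Return the first SoD pair fully contained in permissions, else None."""
        for pair in SOD_CONFLICTS:
            if pair <= permissions:
                return pair
        return None

    def define_role(self, role: str, permissions: set) -> None:
        """Refuse any role that is itself 'omnipotent' over a conflicting pair."""
        pair = self._conflict(set(permissions))
        if pair is not None:
            raise ValueError(f"role {role!r} would combine {sorted(pair)}")
        self.roles[role] = set(permissions)

    def effective_permissions(self, user: str) -> set:
        """Union of the permissions of every role the user holds."""
        perms = set()
        for role in self.assignments.get(user, set()):
            perms |= self.roles[role]
        return perms

    def assign(self, user: str, role: str) -> bool:
        """Grant a role unless it would give the user a conflicting pair."""
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        combined = self.effective_permissions(user) | self.roles[role]
        pair = self._conflict(combined)
        if pair is not None:
            self._log(user, f"assign:{role}", False,
                      f"would combine {sorted(pair)}")
            return False
        self.assignments.setdefault(user, set()).add(role)
        self._log(user, f"assign:{role}", True, "no SoD conflict")
        return True

    def authorize(self, user: str, permission: str) -> bool:
        """Answer an access request and record the decision either way."""
        allowed = permission in self.effective_permissions(user)
        self._log(user, permission, allowed,
                  "granted by role" if allowed else "no role grants it")
        return allowed


def demo() -> AccessControl:
    """Worked scenario with invented users and roles."""
    ac = AccessControl()
    ac.define_role("payments-clerk", {"payment:create"})
    ac.define_role("payments-approver", {"payment:approve"})
    try:
        # A single role that both changes and audits the firewall is the
        # 'network manager as God' problem; the model refuses to create it.
        ac.define_role("network-god", {"firewall:change", "firewall:audit"})
    except ValueError:
        pass
    ac.define_role("network-ops", {"firewall:change"})
    ac.define_role("network-audit", {"firewall:audit"})
    ac.assign("alice", "payments-clerk")      # granted
    ac.assign("alice", "payments-approver")   # refused: clerk + approver
    ac.assign("bob", "payments-approver")     # granted
    ac.authorize("alice", "payment:create")   # allowed, logged
    ac.authorize("alice", "payment:approve")  # denied, logged
    return ac
```

The two checks sit in different places on purpose: `define_role` stops an administrator from creating an all-powerful role in the first place, and `assign` stops the same rights being accumulated piecemeal through several innocuous-looking roles. Every grant, refusal and access decision lands in `audit`, which is the property Collins notes many management tools lack.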
Policy
"Just having a policy in the first place is a good idea," says
Collins.
He also advises taking a leaf from the world of banking: "there's
a lot of security best practice out there," he says.
BS7799, the British Standard code of practice for information
security management, is also a good starting place. "It's not
everything, but it does get you a long way down the road," says
Collins.
But it is, of course, no use having security policies and
procedures if staff don't know about them and don't have to care
about them.
"Staff awareness of security is essential," says Collins.
That means both training to raise awareness of the dangers, and
a contract of employment that makes laxness about security a
potentially career-terminating offence.
The wider world
The final factor is the impact of national and international
legislation. Whatever the outcome of the vigorous debate currently
taking place on the rights of governments to monitor the world of
e-business, "we don't want legislation to be over-restrictive,"
says Collins.
But if there is any bottom line on security it has to be,
Collins emphasises, that the issue is not one of IT security - it
is the security of the business as a whole.
Unless organisations can accept that the danger posed by IT
security breaches outweighs the cost of the 5%-15% premium that
good security places on the IT budget, they will continue to
flounder in unsafe waters.
"Security," says Collins, "is not an IT problem. It is a
business risk."
Can your business afford that risk?
Four factors impacting security
- Staff: Are they trustworthy and security-aware, and how do you
know that?
- Software: Don't trust it to be as secure as you need out of the
box.
- Policies and procedures: Have you got a security policy? Is it
based on BS7799?
- The wider world: Do you understand how national and
international legislation affects your commercial security and
operations?
Security facts to tell your boss
- Scare stories are increasing. The next one could be your
company. Fear breeds prudence.
- E-failure is very, very visible.
- Insurance companies are increasingly pressurising companies to
have good security policies, or premiums will rise.
- Customers increasingly demand proof of good security before
doing business, especially over the Internet.
- Awareness of the business value of information assets is
increasing.
- Marketing departments are increasingly aware of the danger to
brand value from security breaches. So is the City.
Key problems in e-security
- Non-permanent staff whose loyalty may be questionable but whose
opportunity to breach security is considerable.
- The dilution of control by central IT - will a business
department buying its own IT be as security savvy?
- IT heads may be accountable for security, but lack the
authority to enforce it.
- Chief executives display little enthusiasm for pro-forma
adoption of BS standards.
- Companies that have sacked staff for security breaches may be
reluctant to broadcast the fact and wary of providing bad
references when such staff are re-employed elsewhere.
- The rise of knowledge management means a lot of valuable
information can be placed on insecure intranets.
- Commercial pressure to launch e-business quickly may mean
security is compromised.