Fear is what drives most security decisions, says Julia Vowler, but
do not let it stifle your business
General MacArthur once famously remarked, "There is no security,
there is only opportunity." However, the problem for IT directors
is that, when it comes to security, the opportunity seems to be on
the side of those keen on breaching it.
The Internet has been a boon for the hacking community. As
security expert and former hacker Robert Schifreen comments, in the
pre-Internet era, hacking into US systems from the UK was an
expensive business, incurring transatlantic phone charges. The
Internet now allows hackers to roam the world for the price of a
local call. The global village for hacking has arrived.
"Anyone in the world can get into your systems," warns
Schifreen. But, although a counsel of paranoia is advised, it must
not lead to a destructive siege mentality. After all, no system is
breachproof. And a company cowering in its nuclear-proof bunker is
not open for business.
It is too easy to make security a goal in its own right. The
trick, says Helen Boardman, e-business infrastructure manager at
United Utilities, is to turn that mentality around. Security, she
emphasises, is not the key objective - a well-functioning business
is.
"Security is a business enabler, not a restrictor," she urges.
"It must not throttle business."
The right level of security must be applied, and this can only
be done following the process of risk assessment, says Schifreen.
First you must identify points of vulnerability and then map them
to determine what potential damage a breach would cause,
remembering that the value of data can far exceed the value of the
system holding and guarding it.
He warns that $20 worth of storage can hold $2bn worth of
research data. So do not carry it around on a laptop.
As a corollary, the in-your-face security breaches may not be as
dangerous as the less visible ones, says Schifreen. Discovering
that the corporate home page now sports a naked lady may be
embarrassing, but it is quickly spotted and fixed - it may take a
lot longer to discover a hacker has upped all the prices on the
products pages.
High profile though hacking may be, it is not the major source
of security damage. It is the fifth column within, not the foes
without, that poses the greatest threat. More than 70% of security
breaches are internal, warns Schifreen, and do far more damage.
Disaffected - or bribed - staff are more dangerous than external
hackers.
Ignorant employees are dangerous too, which is why security
training is an essential part of a security policy. Staff have to
understand what makes a system vulnerable, and what their
responsibilities are - but there needs to be a balance between
warning them and scaring them. Similarly, if security regulations
are too draconian and onerous, employees will find them a burden
and seek ways to evade them.
Senior staff, however, probably do need to be scared. Unless
they see a clear and present danger from corporate security
breaches they will prefer to spend their budgets elsewhere.
The way to convince senior management of the need to make
investment in IT security is, advises Boardman, by a dual process
of pointing out the high-profile security breaches documented in
the media and then asking them just how much a similar security
breach would cost their own company.
"Security does require a significant upfront investment," she
acknowledges, "but it pays back later."
One of those paybacks is not having your company listed in the
litany of scare stories circulated at security conferences.
Robert Schifreen and Helen Boardman will be speaking at the
IT Security Showcase on 14-15 February. Tel: 020-8394 5100
Hacker's guide to info security
Robert Schifreen's recommendations:
- Although there are a lot of good security products, don't
install them until you have carried out a risk analysis and
understand where the problems are, what is worth protecting and for
how much. Don't spend too much protecting low value data, or too
little on protecting invaluable data.
- Staff are more dangerous than outsiders, so security training
must target end-users, from sales managers to secretaries. But do
not make them paranoid.
- You must carry out penetration testing of all systems at least
once a year. Hire someone to break into your systems. They will
succeed 95% of the time.
Six golden rules for secure success
Helen Boardman offers this advice:
- Establish your security policy and procedures first, following
your risk assessment process. Get the principles in place and roll
them out in practice as they are needed.
- Do not embed security within individual applications. Keep
security as a separate layer, then you can plug and play
applications without redoing security. It is especially important
to have this flexibility in an e-environment where security can be
seen as slowing down implementation, yet it is even more important
than in non-e-systems.
- The greatest security threat from the Internet is not external.
E-systems potentially allow your own staff to open your core
systems to outsiders.
- Make sure security is end-to-end, especially across the core
systems/e-systems interfaces. Building e-systems will mean
revisiting established security policies for core systems.
- Security policies are not cast in stone - they need to be
adapted to changing technology.
- Regard security as a ticket to safe business, not a stifling
choke. Management must see the value of investing in it.
Barrier or boon?
A recent survey by Xephon found that:
- A third of large IT departments believe security concerns are
slowing down their progress in e-business.
- A sixth believe security priorities are in danger of being
overruled in the rush to e-commerce.
- Under half say corporate e-business and security strategies are
progressing hand in hand.
- Users rated mainframes as the safest place to store data
(scoring nine out of 10), Unix averaged 6.6, NT 5.5 and Linux
4.6.
- The vast majority reported sophisticated access management,
firewall and anti-virus technologies in place.
- Most felt the activities of external hackers could be
controlled successfully.
- Most felt viruses could usually be eradicated without serious
damage.
- A fifth said they could protect their systems from malicious
staff only occasionally or rarely.
- Three quarters said the impact of inside damage, though rare,
was potentially very serious.
Enterprise Security Strategies, www.xephon.com/rarz.html