User pressure: Users gathered last week for The Infrastructure
Forum's annual meeting. John Riley reports
Company boards are prepared to throw money at IT when there is a
disaster but are too conservative in making funds and management
time available for IT security to prevent such situations
arising.
Attendees at The Infrastructure Forum (Tif) annual conference last
week said they are having difficulty persuading their boards of the
danger from new breeds of virus and the need to spend on disaster
contingency.
While board members are aware of the need for due diligence, and of
recent obligations such as the Combined Code on Corporate
Governance resulting from the Turnbull Report in 1999, they are not
tackling their duties completely, delegates heard.
"High level risk is discussed quarterly by the board," said one
senior user, "but until recently the board identified risk in
isolation, in parallel with experts internally who identified risks
at a local level - but the two did not match up. You need to get
the two together to recognise the true risks to the
business."
Another infrastructure manager argued the case for organisations to
set up separate IT security budgets. "IT needs a secured budget as
threats to the business will get worse," he said. "Boards do not
understand the effort required in resource, cost and time to keep
systems secure. It is an enormous overhead now, especially if you
use standard products."
Another delegate argued that IT security should be a standing board
agenda item. For their part, IT managers were urged to help boards
to see the importance of attaining the right level of security, not
in terms of cost, but as a business enabler to promote trust in
e-business services.
Tif members' security recommendations
- Get rid of staff leavers' privileges the day they go
- Beware sleepers in back-ups
- Reduce entry points to the bare minimum
- Do not rely on one security supplier - use different suppliers
at different gateways. This is expensive but means you are not
betting your future on a single supplier
- The biggest issue when you are attacked is knowing that you are
being attacked
- Eliminate Simple Network Management Protocol (SNMP) risks and do your
patching in business priority order: start at the external
interfaces such as firewalls and border routers, then secure
critical applications, and only then patch the less critical
areas
- Install multiple firewalling to contain damage.
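The "patch in business priority order" recommendation above is a procedure, and the following script is an added illustration of it (not code from the article or from Tif): it takes an inventory of pending patches, assigns each host to one of the three tiers the delegates describe (external interfaces, critical applications, everything else) and emits a work queue in that order, breaking ties within a tier by vendor severity. The role tags, host names, patch identifiers and severity labels are all assumed or constructed for the example; the only thing taken from the page is the tier order.

```python
"""Order pending patches in business priority: external interfaces first,
then business-critical applications, then the less critical areas."""
from dataclasses import dataclass

# Role-to-tier mapping. The tier ORDER is the one the Tif delegates gave;
# the role labels are assumed inventory tags, not defined by the article.
TIER_OF_ROLE = {
    "firewall": 1,        # tier 1: external interfaces
    "border-router": 1,
    "vpn-gateway": 1,
    "critical-app": 2,    # tier 2: business-critical applications
}
DEFAULT_TIER = 3          # tier 3: everything less critical (unknown roles land here)

# Within a tier, higher vendor severity goes first; an unrecognised severity sorts last.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
TIER_NAMES = {1: "external interfaces", 2: "critical applications", 3: "less critical areas"}


@dataclass(frozen=True)
class PendingPatch:
    host: str
    role: str       # inventory role tag (assumed)
    patch_id: str   # constructed identifiers below, not real advisories
    severity: str


def tier_of(patch: PendingPatch) -> int:
    """Map a host's role tag to its patching tier; anything unmapped is tier 3."""
    return TIER_OF_ROLE.get(patch.role.lower(), DEFAULT_TIER)


def severity_rank(patch: PendingPatch) -> int:
    """Lower rank patches first; unknown labels rank after every known one."""
    return SEVERITY_RANK.get(patch.severity.lower(), len(SEVERITY_RANK))


def patch_order(patches):
    """Return the patches sorted into business priority order.

    Tier decides first, so a medium-severity fix on a border router is
    scheduled before a critical-severity fix on a workstation."""
    return sorted(patches, key=lambda p: (tier_of(p), severity_rank(p), p.host, p.patch_id))


def work_queue(patches):
    """Group the ordered patches by tier: {tier: [(host, patch_id), ...]}."""
    queue = {1: [], 2: [], 3: []}
    for p in patch_order(patches):
        queue[tier_of(p)].append((p.host, p.patch_id))
    return queue


# Constructed sample of pending patches (hosts and patch ids are made up).
SAMPLE = [
    PendingPatch("app-db-01", "critical-app", "KB-0001", "high"),
    PendingPatch("ws-fin-12", "workstation", "KB-0002", "critical"),
    PendingPatch("fw-edge-01", "firewall", "VENDOR-2001", "medium"),
    PendingPatch("rtr-border-02", "border-router", "VENDOR-3001", "critical"),
    PendingPatch("print-01", "printer", "KB-0003", "low"),
    PendingPatch("app-web-01", "critical-app", "KB-0004", "critical"),
]

if __name__ == "__main__":
    for t, items in work_queue(SAMPLE).items():
        print(f"Tier {t} ({TIER_NAMES[t]}):")
        for host, pid in items:
            print(f"  {host:<14} {pid}")
```

On the sample, the critical-severity workstation patch is deliberately scheduled after the medium-severity firewall patch: that is the point of ordering by business exposure rather than by vendor severity alone. In a real deployment the role tags would come from the asset inventory, and anything without a tag should be reviewed rather than silently left in tier 3.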
Top five IT vulnerabilities
- Simple Network Management Protocol (SNMP) security configuration
- Access to Windows Server Message Block (SMB) shares and
resources
- Service packs and hot-fixes not up to date
- Registry security permissions
- Out of date software.