The rapid rate of technology change is emerging as one of the biggest threats to information security. That was the key message that emerged from Infosecurity 2008 last month.
Government research has shown that companies implementing newer technologies such as instant messaging, voice over IP, wireless networks and remote access are twice as likely to suffer a security breach.
Bruce Schneier, chief technology officer at BT Counterpane,
told the conference in London that because technology changes
processes rapidly, there is not enough time to develop effective
responses to specific threats.
The systems organisations are using to ensure information
security have themselves become extremely complicated.
The result is that many organisations are not effectively
mitigating their security risks despite knowing more about the
risks and spending more on security. Others have simply lost sight
of their security objectives because of the sheer complexity of the
technology involved.
In contrast to security suppliers that continue to add to the
layers of complexity by touting silver bullets in the form of
encryption, consolidation, centralisation, and de-perimeterisation,
researchers and advisors are saying that it is time for IT
departments to get back to basics.
According to Geoff Harris, president of the UK chapter of the international Information Systems Security Association (ISSA), many UK organisations still do not have basic security controls in place.
Benjamin Jun, vice-president of technology at US-based
Cryptography Research, said organisations generally have further to
go to meet security baseline levels for people, process and
technology.
"Much of this 'return to baseline' process involves defining the
steps involved in each business activity and finding the technology
that maps well to protecting this activity," he said.
This approach is core to a set of directors' guides to managing information risk recently developed by the Information Security Awareness Forum (ISAF), Information Assurance Advisory Council (IAAC) and BT.
The guides advise company directors to establish strong
information risk management practices and support their staff by
providing clear governance after covering the basics of determining
the risks faced by the organisation and the level of risk the board
will tolerate.
Although the government's latest biennial Information Security
Breaches survey shows organisations are more aware of security and
are spending more on security systems, security advisors say there
is still a lot of basic work to be done. More than half (52%) of UK
companies, for example, still have no formal security risk
assessment processes.
Now is the time for all UK organisations to carry out risk assessments, set information management policies and establish governance processes to enforce them.
Organisations need to know what their information assets are,
where they are located, their real value to the company and how
exposed they are to leaks.
"Information security has to be managed because the alternative is a mess," said Chris Potter of PricewaterhouseCoopers, who led the 2008 government security breaches survey.
The survey report advises organisations to understand the
security threats they face and use risk assessment to target
security investment where it will deliver greatest benefit.
There is a growing consensus among advisors that good security
comes down to a better understanding of the risks before meaningful
controls of people, process and technology can be applied.
The only solution to complexity, said Schneier, was for
organisations to take on board information from non-partisan
sources such as academics, rather than from suppliers with vested
interests in talking up their products.
Familiarity with the true nature and scope of the threats is key
to organisations being able to deal with information security
intelligently and effectively without getting bogged down in the
complexity of information technology and technological security
controls.