
With the bank failures of recent weeks, more pending
redundancies and a continuation of the downward slide, should we be
concerned about lax security? Is someone minding the store while
all this is going on or should we be doing something more when the
banks are going bust?
In seeking to provide a detailed response to the above questions, views have been sought from the wide community of the BCS Security Forum Strategic Panel (SFSP), writes Andrea Simmons, Consultant Forum Manager at the BCS Security Forum.
The major factor determining whether one organisation is likely to suffer greater information security losses than another is the relative stability of the two organisations.
In other words, even an organisation with very good security can find it is effectively more vulnerable than an organisation with poor security if it is going through a period of change, such as redundancies, cost-savings, mergers or outsourcing. Organisations going through such changes should be advised to raise their security posture during this period, when they may find themselves vulnerable as well as becoming a target of opportunity.
In the current economic climate it is clearly difficult to secure budget, but in many ways the security budget needs to go up during a recession - risks are higher and the threat is greater, both inside and outside.
Another key concern has to be the increased potential for
fraudulent activity. Individuals are feeling the pinch and may find
themselves in a position where they become susceptible to coercion,
carrying out activities for personal gain and the profit of others
at the expense of their employer.
The required controls remain the stalwart standards:
a) Access control - constantly review access rights and ensure
that individuals only have access to the systems they need to
operate for business functionality rather than personal desire.
This includes the need to close down unused accounts.
b) Monitoring - review administration rights, their creation and
propagation. Restrict rights as much as practicable. Monitor for
internal suspicious activity.
c) Backup and restore - this could be even more critical; backups need to be tested and resilient to insider attack.
d) Site access - ensure physical controls are as tight as they
can be too - watching out for strangers and those not wearing
identity passes. Also maintain vigilance over delivery and loading
areas.
e) Social engineering - deliver punchy messages to all employees
regarding the need to be vigilant in watching out for those seeking
to socially engineer personal information or organisational
proprietary details that could be used to perpetrate fraudulent
activity.
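As an added illustration of checks a) and b) above (not code from the BCS panel or Computer Weekly), the script below reconciles a directory export against an HR leaver list, flags dormant accounts for closure, and lists administration rights granted since the last review. The account records, the leaver list and the dates are constructed sample data.

```python
"""Access review checks: leavers still active, dormant accounts, new admin rights.

Added example; account data and HR leaver list below are constructed.
"""
from datetime import date, timedelta

# Constructed directory export: one record per account.
ACCOUNTS = [
    {"user": "asmith", "enabled": True, "admin": False,
     "last_login": date(2009, 2, 1), "admin_granted": None},
    {"user": "bjones", "enabled": True, "admin": True,
     "last_login": date(2009, 3, 5), "admin_granted": date(2009, 3, 4)},
    {"user": "cwong", "enabled": True, "admin": False,
     "last_login": date(2008, 10, 12), "admin_granted": None},
    {"user": "svc_backup", "enabled": True, "admin": True,
     "last_login": date(2009, 3, 6), "admin_granted": date(2007, 1, 15)},
]
# Constructed HR leaver list, e.g. from a redundancy programme.
LEAVERS = {"asmith"}


def review_access(accounts, leavers, today, last_review, dormant_days=90):
    """Return findings keyed by check name.

    leaver_active: enabled accounts belonging to people who have left.
    dormant: accounts with no login within `dormant_days` (close them down).
    new_admin: admin rights granted after `last_review` (check propagation).
    """
    findings = {"leaver_active": [], "dormant": [], "new_admin": []}
    cutoff = today - timedelta(days=dormant_days)
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already closed down; nothing to review
        if acct["user"] in leavers:
            findings["leaver_active"].append(acct["user"])
        if acct["last_login"] < cutoff:
            findings["dormant"].append(acct["user"])
        granted = acct["admin_granted"]
        if acct["admin"] and granted is not None and granted > last_review:
            findings["new_admin"].append(acct["user"])
    return findings


if __name__ == "__main__":
    result = review_access(ACCOUNTS, LEAVERS, date(2009, 3, 10), date(2009, 2, 28))
    for check, users in result.items():
        print(f"{check}: {', '.join(users) or 'none'}")
```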
These are all well-known and fundamental security
counter-measures. In the coming months and years the security and
resilience of your organisation may depend on them.
Read more expert advice from the Computer Weekly Security Think
Tank >>