Company boards are prepared to throw money at IT when there is a disaster but are too conservative in making funds and management time available for IT security to prevent such situations arising.
Attendees at The Infrastructure Forum (Tif) annual conference last week said they are having difficulty persuading their boards of the danger from new breeds of virus and the need to spend on disaster contingency.
While board members are aware of the need for due diligence, and of recent obligations such as the Combined Code on Corporate Governance resulting from the Turnbull Report in 1999, they are not tackling their duties completely, delegates heard.
"High level risk is discussed quarterly by the board," said one senior user, "but until recently the board identified risk in isolation, in parallel with experts internally who identified risks at a local level - but the two did not match up. You need to get the two together to recognise the true risks to the business."
Another infrastructure manager argued the case for organisations to set up separate IT security budgets. "IT needs a secured budget as threats to the business will get worse," he said. "Boards do not understand the effort required in resource, cost and time to keep systems secure. It is an enormous overhead now, especially if you use standard products."
Another delegate argued that IT security should be a standing board agenda item. For their part, IT managers were urged to help boards to see the importance of attaining the right level of security, not in terms of cost, but as a business enabler to promote trust in e-business services.
Tif members' security recommendations
- Get rid of staff leavers' privileges the day they go.
- Beware sleepers in back-ups.
- Reduce entry points to the bare minimum.
- Do not rely on one security supplier: use different suppliers at different gateways. This is expensive, but it means you are not betting your future on a single supplier.
- The biggest issue when you are attacked is knowing that you are being attacked.
- Eliminate simple network management protocol (SNMP) risks and do your patching in business priority order: start at the external interfaces such as firewalls and border routers, then secure critical applications, and only then patch the less critical areas.
- Install multiple firewalls to contain damage.
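The first recommendation above (removing leavers' privileges on the day they go) is only verifiable if someone reconciles the HR leaver feed against the directory. The following added example, not part of the conference material, shows that reconciliation: it takes a constructed leaver list and a constructed directory export (both embedded inline, with assumed field layouts) and reports accounts that are still enabled after the person's last working day, listing privileged group memberships first so the riskiest stragglers are dealt with before the rest.

```python
from datetime import date

# Constructed HR leaver feed: (username, last working day).
LEAVERS = [
    ("asmith", date(2024, 3, 1)),
    ("bjones", date(2024, 3, 15)),
    ("cwu", date(2024, 4, 30)),
]

# Constructed directory export: username -> (account enabled?, group memberships).
# Real exports would come from the directory service; the layout here is an assumption.
DIRECTORY = {
    "asmith": (False, ["staff"]),
    "bjones": (True, ["staff", "vpn-users", "domain-admins"]),
    "cwu": (True, ["staff"]),
    "dlee": (True, ["staff"]),
}

# Groups treated as privileged for ordering purposes (assumed names).
PRIVILEGED_GROUPS = {"domain-admins", "vpn-users"}


def stale_leaver_accounts(leavers, directory, today):
    """Return leavers whose last day has passed but whose account is still enabled.

    Each result records how many days overdue the disablement is and which
    privileged groups the account still belongs to; privileged accounts sort first.
    """
    stale = []
    for user, last_day in leavers:
        if last_day > today:
            continue  # still employed: nothing to revoke yet
        enabled, groups = directory.get(user, (False, []))
        if not enabled:
            continue  # already disabled: the recommendation was followed
        stale.append({
            "user": user,
            "days_overdue": (today - last_day).days,
            "privileged_groups": sorted(g for g in groups if g in PRIVILEGED_GROUPS),
        })
    # Accounts that still hold privileged group membership come first, then the most overdue.
    stale.sort(key=lambda r: (-len(r["privileged_groups"]), -r["days_overdue"]))
    return stale


if __name__ == "__main__":
    for row in stale_leaver_accounts(LEAVERS, DIRECTORY, date(2024, 3, 20)):
        print(f"{row['user']}: enabled {row['days_overdue']} days after leaving; "
              f"privileged groups: {', '.join(row['privileged_groups']) or 'none'}")
```

Run daily against the real feeds, a non-empty result is the signal that the "same day" rule has been missed; an empty result is the evidence that it has been kept.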
Top five IT vulnerabilities
- Simple network management protocol (SNMP) security configuration.
- Access to Windows server message block (SMB) shares and resources.
- Service packs and hot-fixes not up to date.
- Registry security permissions.
- Out-of-date software.
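SNMP security configuration heads the vulnerability list and also appears in the members' recommendations. The weaknesses that typically put it there are default community strings, read-write communities, and communities accepted from any source address. The added example below, written for this page rather than taken from the conference or from any product, audits a Net-SNMP style snmpd.conf (the `rocommunity`, `rwcommunity` and `com2sec` directives) for exactly those three conditions. The configuration text is constructed for the example; the directive syntax it assumes is the standard Net-SNMP one.

```python
# Community strings that ship as defaults in many SNMP agents.
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed snmpd.conf for demonstration; not taken from any real host.
SAMPLE_CONF = """\
# constructed snmpd.conf
rocommunity public
rwcommunity private 10.0.0.0/8
rocommunity s3cret-ro 192.168.1.0/24
com2sec readonly default public
rouser monitoring authpriv
"""


def audit_snmpd_conf(text):
    """Return a list of (line_number, directive, issue) for weak community settings.

    Checks three things per community directive: a default community string,
    a read-write community, and a missing or wildcard ("default") source restriction.
    SNMPv3 user directives (rouser/rwuser) are not community based and are skipped.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            # Syntax: rocommunity COMMUNITY [SOURCE [OID]]
            community = parts[1] if len(parts) > 1 else ""
            source = parts[2] if len(parts) > 2 else "default"
            read_write = directive.startswith("rw")
        elif directive == "com2sec":
            # Syntax: com2sec SECNAME SOURCE COMMUNITY
            community = parts[3] if len(parts) > 3 else ""
            source = parts[2] if len(parts) > 2 else "default"
            read_write = False  # access level is granted later via group/access lines
        else:
            continue
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((lineno, directive, "default community string"))
        if read_write:
            findings.append((lineno, directive, "read-write community"))
        if source == "default":
            findings.append((lineno, directive, "no source address restriction"))
    return findings


def summarise(findings):
    """Count findings per issue type so the report can be prioritised."""
    counts = {}
    for _, _, issue in findings:
        counts[issue] = counts.get(issue, 0) + 1
    return counts


if __name__ == "__main__":
    for lineno, directive, issue in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {lineno}: {directive}: {issue}")
    print(summarise(audit_snmpd_conf(SAMPLE_CONF)))
```

The clean line in the sample (a non-default read-only community limited to one subnet) produces no finding, and the SNMPv3 `rouser` line is ignored; the remediation the findings point to is the one the page recommends, moving to restricted, non-default communities or to SNMPv3 before working down the priority list.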