The move, which involves outsourcing network and security management, is part of a long-term plan to consolidate and standardise the £25bn tobacco company’s IT services across 180 countries.
Under three-year framework agreements worth tens of millions of pounds, Orange Business Services will supply British American Tobacco with bandwidth and network management, and ITC Networks will provide managed security services to BAT’s operating companies and distributors.
Gareth Lindahl-Wise, head of global IT security at BAT, said the company intends to use the internet more for business-to-business applications, potentially exposing the company to greater risk.
“The threat profile changes, with attacks aimed at applications, rather than the physical network. So we are looking to make applications threat-aware and to harden them against attacks. For instance, we think just doing proper input validation would halve our risk,” he said.
“Much of what we are doing is not sexy, for instance, insisting on compliance with RFCs [best practice recommendations of the Internet Engineering Task Force].”
Lindahl-Wise said ITC would be responsible for three main IT security projects: managing British American Tobacco’s external-facing communications, installing and managing extra-secure document and password “vaults”, and application hardening.
ITC is using Cisco technology for firewalls, intrusion detection/prevention, and event correlation and reporting. ITC managing director Tom Millar said no decision had been made as to who would supply the vaults or the applications hardening, but Cyber-Ark, F5 Networks and Juniper were front-runners.
Kevin Whelan, technical director at ITC, said Cisco’s Security Monitoring, Analysis and Response System was being used to consolidate BAT’s security appliance logs worldwide to see instantly if, where and when an attack is under way.
Only the paranoid survive in a web-enabled world
Firms need to step up their security as hackers’ professionalism increases, David Bradshaw, principal analyst at research firm Ovum has advised.
“Everyone needs to take [Intel chairman] Andy Groves’ dictum – only the paranoid survive – to heart,” he said.
Bradshaw said British American Tobacco’s aim of having fewer datacentres was sensible. “It leaves fewer targets for attackers, and makes them easier to defend,” he said.
Referring to BAT’s decision to outsource its IT security, Bradshaw said, “The alternative is to become security expert, and the rate of change in the type and number of threats makes that a no-win proposition.”