Can you trust your staff?

Management, not products, is the key to security

The focus on security in firms is shifting from the perimeter to inside the business. The biggest security risk has always been the internal one - after all, what could be more dangerous than a disaffected employee with detailed knowledge of internal processes and procedures and who already has access to data?

A more structured approach is required for internal information security than has been used for internet security. The internet threat is commonly seen as an issue for the IT department, where it will protect firms from anonymous hackers or malicious code via the internet. The internal threat is much harder to protect against as users are known, trusted and already have access to systems.

Internal information security is a business issue and an IT issue. Security needs to be built into every business process as it is developed. Where the business process touches IT, the IT system security should meet the process requirement. In reality, IT system security is probably the easiest to implement and is likely to be the strongest part of the process. Most security is weakened by the rest of the process. For example, it is easy to implement and enforce strong system passwords, but if users write passwords down, a strong IT system is pointless.

Management is the most important, the least understood and most poorly implemented part of security in most companies. The security chain is only as strong as the weakest link, so if you are going to spend money, it is better spent improving the weakest link rather than making the strongest link even stronger. There are a lot of very good security products available, but without good management, companies will continue to spend money in areas that have minimal overall benefit to the business.
There are six basic steps to ensuring good information security management:

1. Identify information held within the company; determine its value to the business and where and how it is stored.
2. Perform an analysis on the information, starting with the high-value data, and identify the potential risks and the likelihood of the risk occurring.
3. Produce policies, procedures and standards to be followed to manage and reduce the risks to the business. Ensure compliance with any relevant legislation and that users are fully aware of and understand the policies.
4. Monitor the policies, procedures and standards to check that they are being adhered to. Automate this process where possible.
5. Develop plans for if/when problems occur. When things go wrong it is important that companies can react quickly to minimise the impact of the problem.
6. Test the plan.

Robin Laidlaw is chairman of Iconium and president of the Computer Weekly 500 Club.