Security: A mountain to climb

A look at the 10 most common causes of security breaches shows the uphill battle facing security specialists. Daniel Thomas reports

Do organisations that rely on off-the-shelf security products, don't train or police their staff, and adopt an ostrich attitude to the threat of security breaches deserve any mercy? The top 10 most common causes of security breaches are all preventable. They owe less to the antics of industrial spies or anarchist hackers than to misplaced optimism and complacency.

So what are IT security's weakest links?

1: Employees
Tony Baratta, director of professional programs at the International Information Systems Security Certifications Consortium (known as ISC2), a not-for-profit security training and accreditation organisation which issues the Certified Information Systems Security Professional (CISSP) qualification, says the main mistake most organisations make is focusing on technology rather than people. "The best security technology in the world is not going to protect your organisation unless you develop a culture of security," he says.

Simple measures like ensuring that employees keep passwords safe are a good place to start, Baratta says. "Once a hacker gets a password, they may create 'back doors' in the system and set up an account which will make them much more difficult to detect and stop, no matter what security software is being used," he says.

Paul Rutherford, chief marketing officer at security specialist Clearswift, agrees that employees - despite the warnings - pose a constant threat. "Upwards of eight million working hours are lost each year in the UK by employees 'cyberslacking'," he says. "In addition to lost productivity there are bandwidth issues, risk of confidential information being sent out of the company, litigation costs and damage to reputation.

"For example, using image-recognition technology one customer - a car manufacturer - discovered a design engineer trying to send prototype blueprints to a competitor 'hidden' in an e-mail," Rutherford says.

2: Lack of training
Steve Purdham, chief executive of Internet security firm SurfControl, says many of these employee problems can be overcome by improving training. "A major cause of security breaches is a dearth of grass-roots education and training, which is substantially lacking in UK businesses," he says.

"Educating businesses and employees about what constitutes acceptable e-mail use in the workplace is not going to happen overnight. Without training - an essential part of any e-mail management scheme - users will inevitably develop bad habits and not adhere to best practice."

3: Lack of an effective Internet and e-mail policy
Despite legislation highlighting the importance of implementing security policies, analyst firm IDC has found that only 25%-30% of all UK companies have an enforced and communicated e-mail policy.

"Implementing an effective security system is only half the battle; success is just as dependent on establishing a policy and enforcing it through the management line," says Rutherford.

"For example, employers have a right to monitor their staff's e-mail and Internet use to ensure that it is used only for business practice. However, failure to tell staff that they are being monitored is illegal and could cause a lawsuit to be brought against a company. A policy that is effectively communicated to staff would prevent this," he says.

4: Complacency
Companies need to ensure that their guard is permanently up against security threats, Purdham warns. "One of the most common causes of security breaches is complacency," he says. "UK businesses need to appreciate that any Internet content that enters, circulates and leaves an office carries a risk."

Firms don't seem to understand the urgency of the problem when it comes to the dangers of unmonitored Internet and e-mail use in the workplace, Purdham adds. "This boils down to two oversights: the 'it-won't-happen-to-us' outlook, and not recognising that e-mail is one of the most exposed forms of communication, open to abuse from Internet-borne viruses, inappropriate content and leakage of corporate confidential data," he says.

5: Assuming that a firewall and antivirus software are sufficient protection
Thomas Raschke, a security analyst at IDC, recently warned that organisations relying solely on antivirus software and firewalls for network protection are "seriously compromising their business and network integrity".

Rutherford says firms should consider more comprehensive content security solutions to combat security threats - including internal threats - and also to ensure that they comply with all recently passed legislation. "For example, although antivirus software would help to arm a company against harmful viruses and malicious code, it does not stop incoming unsolicited e-mail," he says.

"Some of these e-mails may clog up the bandwidth or carry inappropriate content that may offend others or cause damage to an employer's reputation."

6: IT security industry's constant focus on new technology
The IT security industry itself does not do enough to increase awareness and is too focused on pushing new technology, says Martin Smith, managing director of consultancy The Security Company.

"The IT security industry is happy when it has sold its products, whereas there is no money in establishing proper processes or education within an organisation," he says. "But users do not understand or implement these technical solutions - they have no reason to because they are unaware of the need for security."

Senior managers spend significant sums on technical solutions, which gives them and the IT department a false sense of security, even if they do not need the technology, Smith says.

"As long as the IT security industry focuses on increasingly incomprehensible solutions for ever more obscure and irrelevant problems we are doomed to live forever in the corporate shadows," he warns. "At the moment, the doctors are selling brain surgery while the patient dies of a common cold."

7: Not protecting against unsolicited e-mail and spam
A survey of 3,000 Clearswift customers conducted in June revealed that in the past nine months concern about spam and productivity loss has increased by 150%.

Despite measures being introduced by the European Union, unsolicited e-mail will continue to cause security problems, according to Rutherford.

"There is an expectation that national or EU law will solve this problem by imposing a ban on unsolicited mail," he says. "Spammers will always find a way around legislation.

"Solving this productivity problem is the responsibility of organisations which, using a mix of technologies, can intercept at the boundary and therefore protect employees and their working cyber-environments," he adds.

8: Wireless local area network vulnerability
Recent research from consultancy firm KPMG, based on responses from 641 companies across Europe, North and South America, the Middle East and Africa, found that 43% of organisations had either implemented some form of wireless network or were planning to.

However, KPMG's Global Information Security Survey 2002 also revealed that of those which have fully implemented a wireless local area network, 38% do not use virtual private networking or other encryption or tunnelling technology to protect the data flowing over it.

"Wireless LAN technology usage is increasing, yet the security risks are very real, because effectively, the technology transmits your data to anyone within receiving distance," warns Robert Coles, European head of information security at KPMG.

"Many companies wrongly assume that the encryption algorithm alone, Wired Equivalent Privacy, will protect wireless traffic," he adds. "It suffers from poor key management and other security vulnerabilities. Equally, access control address-based authentication is easily detectable by hackers and only slightly more difficult to circumvent."

9: Personal digital assistant vulnerability
According to the KPMG research, 43% of organisations now allow staff to use PDAs and even actively encourage their use by providing them. However, few implement any form of protection for the information they contain.

"PDAs can store vast amounts of information," Coles says. "This information is often downloaded directly from personal organiser software held on corporate systems, such as diaries, e-mail, contact and task lists, and could therefore contain highly confidential and sensitive corporate information."

He adds, "PDAs and handhelds can no longer be classed as new technology and the security industry and companies alike have been slow in tackling and resolving the issues they present."

10: Failure to report lapses
Most companies fail to report all security lapses, according to the KPMG research. And performance measures are seldom sophisticated enough or wide enough to be of benefit to those that do, Coles warns.

"The danger in all this is that organisations fail to capture vital information about how many incidents occur, through what route and how much loss they have suffered as a result," he says.

"Incident management statistics should form a central part of a security performance measurement regime and should be used to direct security improvement projects. Ignorance of what is actually occurring within an organisation leads to the establishment of wrong priorities and the wrong allocation of funds."
