Security: not an IT problem but a business risk

Security breaches in the e-world can destroy public confidence and your business in an instant

Security breaches in the e-world can destroy public confidence and your business in an instant

Thanks to e-business, IT now directly impacts the top line in the front office, not just the bottom line in the back office. This, warns Brian Collins, IT director at law firm Clifford Chance, is dragging the issue of security even higher up the agenda.

Collins, highly regarded as a security consultant to the banking sector, was speaking at last week's Computer Weekly 500 Club meeting for UK IT directors.

"Security has a very different impact now than two years ago," he warns. "No one in the e-world is in isolation."

Breaches of security in the e-world put two key items at risk, he asserts. First is brand value and public trust, and City confidence therein. The second is the availability of Web-dependent business processes, which in the non-stop world of e-commerce is increasingly critical.

So, what can be done to secure the organisation in the e-era? Collins identifies four factors.


As is already well established, the weakest link in the security chain is the human factor. Potential risks can result from something as simple as users leaving their PCs switched on in an empty office at lunch time. More complex scenarios could include contractors siphoning off software via e-mail, or innapropriate staff being granted system administration rights over critical software.

The adoption of knowledge management, especially Web-based, opens up a new opportunity for security breaches.

As Collins observes, "Sharing knowledge adds value. Knowing who you're sharing it with adds even more."


"Don't assume that software out of the box has the security features you need," warns Collins.

Even if security measures are included, they may need to be positively selected during implementation and defaults reset - again the human factor is inescapably involved.

"You need a lot of implementation rigour," says Collins, which, for those companies who came into IT in the post-mainframe era, may well be missing.

Nor are the software management tools always adequate. Many do not supply real-time management information, trend monitoring or auditability. Some, warns Collins, won't let you apply the first rule of security, to divide up duties and assign specific rights. There is a dangerous tendency, he warns, for the network man to have a degree of omnipotence that is not advisable.

"The network manager can bring down the organisation instantly," says Collins. "So, he or she should be saintly, but not God."


"Just having a policy in the first place is a good idea," says Collins.

He also advises taking a leaf from the world of banking, "there's a lot of security best practice out there," he says.

BS7799 is also a good starting place. "It's not everything, but it does get you a long way down the road," says Collins.

But it is, of course, no use having security policies and procedures if staff don't know about them and don't have to care about them.

"Staff awareness of security is essential," says Collins.

That means both training to raise awareness of the dangers, and a contract of employment that makes laxness about security a potentially career-terminating offence.

The final factor is the impact of national and international legislation. Whatever the outcome of the vigorous debate currently taking place on the rights of governments to monitor the world of e-business, "we don't want legislation to be over-restrictive," says Collins.

But if there is any bottom line on security it has to be, Collins emphasises, that the issue is not one of IT security - it is the security of the business as a whole.

Unless organisations can accept that the danger posed by IT security breaches outweighs the cost of the 5%-15% premium that good security places on the IT budget, they will continue to flounder in unsafe waters.

"Security," says Collins, "is not an IT problem. It is a business risk."

Can your business afford that risk?

Four factors impacting security

  • Staff: Are they trustworthy and security-aware, and how do you know that?

  • Software: Don't trust it to be as secure as you need out of the box.

  • Policies and procedures: Have you got a security policy? Is it based on BS7799?

  • The wider world: Do you understand how national and international legislation affects your commercial security and operations?

Security facts to tell your boss

  • Scare stories are increasing. The next one could be your company. Fear breeds prudence.

  • E-failure is very, very visible.

  • Insurance companies are increasingly pressurising companies to have good security policies, or premiums will rise.

  • Customers increasingly demand proof of good security before doing business, especially over the Internet.

  • Awareness of the business value of information assets is increasing.

  • Marketing departments are increasingly aware of the danger to brand value from security breaches. So is the City.

Key problems in e-security

  • Non-permanent staff whose loyalty may be questionable but whose opportunity to breach security is considerable.

  • The dilution of control by central IT - will a business department buying its own IT be as security savvy?

  • IT heads may be accountable for security, but lack the authority to enforce it.

  • Chief executives display little enthusiasm for pro-forma adoption of BS standards.

  • Companies that have sacked staff for security breaches may be reluctant to broadcast the fact and wary of providing bad references when such staff are re-employed elsewhere.

  • The rise of knowledge management means a lot of valuable information can be placed on insecure intranets.

  • Commercial pressure to launch e-business quickly may mean security is compromised.

Read more on IT risk management