Strategy Clinic: How can I maintain the integrity of our networks?

What strategy - cultural and technological - do you recommend I implement to safeguard the integrity of the organisation's IT...

What strategy - cultural and technological - do you recommend I implement to safeguard the integrity of the organisation's IT environment?

Threats from easy access

I break into a cold sweat when I think of all the mission-critical data being carried around the globe by our increasingly mobile sales and operational staff, and of the security breaches this could lead to. Every day I hear horror stories of staff members connecting mobile gizmos into our network without our say-so. What strategy - cultural and technological - do you recommend I implement to safeguard the integrity of the organisation's IT environment?

Visiting professor of information systems, Brunel University
Professor Dan Remenyi

Communicate your strategy to staff

This is primarily an IT architecture or an IT strategy issue. If your organisation has gone to the trouble to produce either or both of these, then it needs to communicate and enforce technology and security standards.

The first step is to communicate clearly to the mobile staff what standards and policies have been chosen and why. As well as highlighting the downside risk to the organisation, you need to stress there will be a downside risk to the careers of individuals who do not comply.

If you don't have an IT architecture or an IT strategy, then it's roll-up-your-sleeves-time - time to get down to thinking through what your organisation wants to get out of its IT. This will suggest what type of platforms, as well as security policies and products, are needed to achieve the corporate business objective.

By the way, an IT architecture or an IT strategic plan need not be 200- or 300-page documents loaded with hi-tech ideas and jargon. Some of the best IT architectures are sometimes as short as 30 pages of simple English and may have only taken a few months' work to put together.

It is similar for an IT strategic plan. Both of these exercises are really worthwhile doing. And they subsequently give your efforts towards having a highly professional IT operation a much higher chance of success.

Visiting professor of information systems, Cranfield School of Management
Professor Andrew Davies

Set up a database of information

You have a classic compromise to manage - ease of access against effective security. You want to provide easy access to your mobile sales and operational staff, while protecting your data from unauthorised access.

Sadly, there is no alternative to engaging in some boring and time-consuming bureaucracy - try setting up access then logging on to a bank's Internet site and you will see what I mean. You need to have a database holding access information for each authorised user. This must be set up with passwords and log-on information known only to the user - the user's mother's maiden name is a favourite.

The database should be used to authorise each log-on, identifying the actions each user is entitled to carry out. You may need an authorisation procedure to allow access to more sensitive activities, such as entering or amending customer details or orders. You will also need a log function to trace all such activities, so any unauthorised activity can be subsequently traced and corrected.

Smart cards with digital signatures are being promoted as the answer to this problem, but card-reading devices are not widely available in easily transportable form and there remains the issue of lost or stolen cards, which suggests a continuing need for separate passwords. So for now, passwords and personal information are the only practical option.

Arthur Andersen
Neil Yeomans

Try breaking into your own system

Given the opportunities afforded by rapid developments in technology and communications, it is inevitable that workers will become more and more mobile, carrying increasing amounts of sensitive data with them. So, firms need to be alert to the changing risks they are exposed to so they can keep security measures up to date.

There are broadly two types of technical security measures that should be maintained when data is on the move. The first is to use encryption techniques to make information on the laptop - or other devices - inaccessible to unauthorised people, and to use the same technique for particularly sensitive data when it is transmitted over networks. The second technique is to ensure anyone accessing the corporate network remotely is authenticated and authorised as a genuine user.

Users need unique passwords or stronger techniques such as smart cards and challenge- response devices checked by secure gateways on the company network. A good way to maintain vigilence for companies particularly worried about these problems is to carry out regular tests and third-party reviews, including penetration attempts under controlled conditions.

Head of information risk management at NCC Services
Chris Hilder

Encourage users to report the flaws

You are right to be concerned about your company's IT security and what staff may be doing to jeopardise it. To make the security of the IT system a success, you need to focus on developing the awareness of all staff. You need to stress the security risks surrounding the way remote workers access information and the influence that IT security has on a company's reputation. Be sure to emphasise the huge costs that can be incurred when problems arise.

One way to ensure that people participate in safeguarding the system is to encourage them to report activities they believe may make the system vulnerable or cause a risk to stored data. The basic tenet of your technology strategy should be that all equipment accessing your network should be approved and tested by the company to ensure it is appropriate.

Create policies to assure there is adequate authentication for mobile workers attaching to the network and enforce measures to guarantee encryption of the hard drives on all laptops. This ensures that no one will be able to use the information if they steal the laptop.

Read more on IT risk management