Tackling IT security during the recession

Staying true to the real risks facing organisations is not easy for infosecurity managers, especially with a mountain of diversions competing for their hearts. Even covering the basics is not as straightforward as it should be.

Scaremongering, distracting supplier solutions and media hype can all draw their attention away from their companies' unique security needs, experts warn.

They can also find themselves standing to attention regarding the latest data leak headlines of the day, even if they are not a risk to their particular organisation.

Also, enthusiastic suppliers offering gourmet technology can gobble up infosecurity managers' budgets to the detriment of bread and butter security essentials, even more so in the current credit crunch.

Steering clear of fashionable technology solutions, which may not prove to be perfect problem solvers, is good advice, especially in the crowded IT security market.

All hype

"There are always about 800 companies in the IT security sector," says Gartner research vice-president Jay Heiser. "There have always been far more than needed. They are always coming into existence and either disappearing or consolidating. It is an area with a lot of innovation, but some stuff does not work. However, there are some areas where there is a lot of success, such as identity and access," he says.

Heiser warns that some emerging technologies, such as data loss prevention software, have yet to fully mature, and firms should be sure of what they need before buying. "Data loss prevention software works but it has not reached its potential," he says. "It is not working perfectly for everyone. The software does function but you need to be motivated to use it."

Lloyd's Corporation's manager for information protection and continuity, Marcus Alldrick, says he has seen early adopters get stung in the past. Before intrusion detection software reached its potential it was too hot to handle, he recalls.

"There is often over hype, especially with technologies that have not reached maturity," he says. "Ten years ago, people were deploying IDS and suffering from overload. You need to go in with your eyes wide open when buying and ask yourself: 'do I need a Bentley or a Volkswagen?'

"The issue is that technology and the marketing behind it is very seductive. Suppliers are saying their solution is the silver bullet, but it is not."

PKI was another solution that was swept up in a storm of hype, according to Alldrick who spoke at Misti's chief security officer summit in Geneva in December.

"PKI was the 'in' technology in the run up and during the dot.com boom, overhyped by the suppliers and promising so much," he says. "Although it provided a solution, it was never really challenged at the time by the players who invested heavily in implementing it. If ever there was a case of minds being clouded by being de rigueur, this was it.

"It became the classic example of providing a solution regardless of whether there was an actual problem and a commensurate business case that justified it and its considerable expense."

The bare necessities

But after cutting through the marketing fluff, what are the bare basics that should be left to defend any organisation? Needless to say, these fundamentals lack the glamour of innovative new IT kit. But experts believe they will help guide infosecurity teams through the downturn.

Alldrick recommends getting priorities straight. "Mandatory initiatives and activities should take precedence over aspirational ones," he says. "It is just about going back to good risk management. It is a case of recognising the critical assets and knowing how to protect them. Every company is different, so each one has to decide what the priority is.

"To stay on the right track, especially given the constraints in the economic downturn, I would recommend an examination of an organisation's risk profile and blending of the most cost-effective controls to minimise risks around critical assets."

Heiser also advocates risk management, but adds that the business needs to be on the same side.

"There is a lack of teamwork and the security people need to get behind the business people," he says.

Paul Hansford, a member of the BCS Security Forum Strategic Panel, said information security managers should defend risk management investment vigorously to business managers during this economic gloom.

He says, "The basics of security are about assessing the management of risks and not flinching on jobs that are staff intensive. It is not just about ticking a box and installing a 'fit and forget' solution. And you need to assess this regularly. There could be a temptation to say, 'nothing has changed.' If you buy a firewall, you know what you are paying and what the firewall does. But if you employ a risk management consultant you may be asked: 'how do we know we are getting value for money?'"

Back to school

Business continuity, training and awareness are also essential, says Hansford.

"Companies can be tempted to overlook these," he says. But he points out the importance of security awareness in preventing the breakdown of processes, which was the prime cause of recent high-profile UK government breaches.

It came to light in early November that an IT analyst from computer management firm Atos Origin left a memory stick in a pub car park containing confidential pass codes to the online Government Gateway system. The memory stick was found, but passed on to the Daily Mail newspaper, which had a security expert examine its contents.

The government temporarily shut down the online Government Gateway, while it examined how the memory stick went missing.

The UK government experienced another embarrassing memory stick blunder just a few months before. The mistake led the Home Office to end a contract with PA Consulting after it lost a memory stick containing data on 84,000 criminals. PA Consulting blamed an employee for the debacle.

"The loss of data on this project was caused by human failure," said a company spokeswoman in a statement.

"A single employee was in breach of PA's well established information security processes."

But the blame game did not save the contract and the company still had to bear responsibility for the employee actions.

"In both of the breaches involving Atos and PA Consulting, there was a breach of process," says Hansford. "And most of the recent breaches have involved people making mistakes. The only way around that is educating them. If you do it properly it will cut the number of breaches."

And there is little excuse for shirking awareness training. You do not need to spend a lot to make an impact, says Alldrick. He points to Microsoft's website where there is a plethora of security awareness advice.

"You can go sophisticated or simple. It is essential, but awareness is often one of the first things to go, as return on investment is difficult to measure. There are sophisticated internet tools available to promote awareness but a poster campaign or a 20 minute course can be just as effective," he says.

Educating managers should be a key focus of any awareness campaign, believes consultant Wendy Goucher of Idrach. "Managers are often the people promoting insecure working," she says.

"They often say, 'do this work at home' and claim they do not have budgets for USB keys. It is important to raise awareness among higher level employees."

Of course, no organisation wants an employee's forgetfulness to cost it a heavy fine or a contract, as in the case of PA Consulting. Every organisation dreads a memory stick full of personal information turning up on a bus.

So Gartner's Heiser says you need to close all loopholes of this nature. "Data leakage is no longer acceptable," he says. "The public relations impact is significant. And most organisations should make routine encryption of computers their priority. They also need to decide what to do about plug and play."

Work smarter

Although Alldrick believes the media play a vital role in reducing complacency, he says IT security managers should resist being swayed by what the media judges is important.

For example, senior managers reading The Times may become unduly concerned by a vague headline concerning a company in a completely different sector. So it is up to infosecurity managers to impart a reality check.

"We need to be careful to hold back from knee jerk reactions to mitigate data loss at the risk of neglecting other threats," advises Alldrick. "If your organisation holds a lot of personal and confidential data, then you should definitely be concentrating on it, but you may have other pressing issues that must be dealt with first."

Without doubt, the current economic downturn means that organisations have to work smarter and get back to basics. Already Forrester Research revealed in September that nearly half of US and European financial firms have cut their technology budgets.

But slashed IT budgets do not mean customers will drop their expectations of organisations safeguarding their data, Alldrick points out. So security teams have to work even harder.

He also warns that cyber criminals will feel the economic meltdown too, so they could up the ante to steal money. The tightened budgets mean IT security managers need to watch their backs more than ever.

Unfocused spending needs to be trimmed back, advises Heiser. "There has been a culture of overspending in some areas and under spending in others," he says. "But we cannot afford to overspend any more."

Now more than ever, IT security managers need to know what their company really needs and how to get it. And remaining faithful to a risk profile is one way to keep your head while all around you are losing theirs.

This article first appeared in Infosecurity magazine