Setting up security guidelines alone will not ensure your company is secure. The key to implementing them successfully is to test them, says Tim Ecott.
As a security consultant I welcome the emergence of best practice guidelines for security implementations and congratulate those businesses which are following them successfully.
However, our experience is starting to show that businesses are becoming complacent and failing to test the resilience of their security measures.
Following security guidelines when implementing, for example, a wireless network, is paramount. The importance of measures such as virtual private networks, firewalls, encryption technology and strong security policies should also not be underestimated.
Most businesses fall down (70% is an estimate) because they fail to test their security once it is in place. Security threats are continuously evolving, and protective measures must be upgraded and adjusted to reflect this.
Expanding on the example of a wireless network, failing to carry out a penetration test before deployment means that many businesses go "live" without actually knowing whether or not their wireless network is vulnerable.
In some cases it can be months before testing is carried out, in others it is just after an attack, and in the most extreme cases it does not happen at all.
Penetration testing forms an integral part of any effective security strategy, be it an automated process or a high-level assault on a company's infrastructure.
It is widely accepted that a firewall plays an important role in filtering network traffic and that it must be configured and monitored correctly.
Simply connecting a firewall to the network and expecting your infrastructure to be secure is a little foolish, to say the least, and the same realisation needs to be made about wireless networks.
But how does a business know whether it has followed and applied best practice guidelines effectively if it has not carried out tests to prove its network can withstand potential attacks?
How does a business know that what was secure six months ago is secure now? Even if guidelines such as BS7799 are followed, the only way of knowing is to test systems regularly. Without penetration tests, it is impossible to assess the quality and effectiveness of your security.
Tim Ecott is a managing consultant at Integralis