Too much security can be onerous for their companies, IT professionals concluded during a debate at the City IT and IT Security Forum.
One delegate from a major supermarket said his company had to create a new department to meet the encryption demands by Visa and MasterCard.
"We now have an industry of encryption key management. We have three million transactions a day to encrypt. I have had to create a whole department responsible for encryption key management."
But other delegates said that chip and PIN is still inherently insecure.
A delegate from a high street bank said that sometimes compromises in security were necessary. Banning the use of USB memory sticks in desktops and laptops, for example, can be counter-productive: "If you completely lock these things down, and you are doing business on the road, and you cannot access the USB, it means you cannot back up information or share it. That's a problem."
He said that the banking policies discouraged the mention of account numbers in unencrypted emails, but he questioned whether they were any safer in the post. "We cannot possibly encrypt all of our data on all of our clients," he said. "You can get obsessive with risk and encryption."
Even when minimum standards of security are required for regulatory reasons, there may be scope for compromise, said a bank's representative.
"In my experience, compliance people will always take the most negative view but I argue with them. I say: 'That's your interpretation, but we could interpret it in a different way.' Most of these regulations are not tested in law. Are we wrong to take a lesser approach?"
Several delegates said that instilling in staff and executives an understanding of company policy was a valid alternative to onerous security restrictions. If they then flouted company policy, they knew the risks they were taking.
Richard Hackworth, former chief information security officer at HSBC, said that if company employees are notified when their questionable activities have been detected, they will "know that somebody is looking" and so will be more careful.
Hackworth said that difficulties for IT security professionals were growing. In recent years there has been little progress on solutions but technical problems are increasing while there are "increasing external expectations on what we are able to do".
IT professionals' top security concerns
1) Knowing what information you have to keep, what would cause damage if it leaked, and what can be deleted
2) Data loss and leaks
3) Getting employees to comply with company security policy
4) Data ownership
5) Whether to ban social networking sites
6) Internal IT-related fraud
Top tips from IT security experts at the City IT and IT Security Forum
- If sensitive data needs to be transferred from occasional end-users to a large organisation, put it on a disc, encrypt it using WinZip 11, and send it by courier.
- Visit the Get Safe Online website for top safety tips.
- Use Sanctuary Device Control to identify all devices that are connected or have ever been connected to network assets.
- For advice on USB security, visit www.lumension.com