The havoc caused by computer viruses in recent years has put IT security firmly on the board's radar. However, one of the most crucial areas in IT security - the installation of networks and related software - has received relatively little attention and risks being the weakest link in a firm's defences against internal and external security threats.
With an ever-increasing number of companies offering communications installation services, it is vital that IT managers have the confidence that their investment is committed to projects which comply with the latest installation and security standards.
Companies specialising in IT security have observed examples of IT cabling, patching and infrastructure that can only be described as ranging from poor to completely chaotic. The risks of operating within such an environment are often completely underestimated or ignored.
All networks processing sensitive information are subject to risks. They include attack by those who wish to get hold of this information, or failure because someone has intentionally or accidentally caused a fault.
Failure to adhere to secure network installation standards can result in the loss of crucial commercial data, access to data by unauthorised staff within the company and external threats from hackers.
This can have a seriously detrimental effect on customer confidence and business continuity, reducing profits and, in the extreme, requiring a complete and expensive re-build of the entire network infrastructure.
Poorly installed or configured network equipment, such as hubs, routers and cables, will heighten the risk of security breaches. And organisations that do not closely monitor the installation of new network equipment and any subsequent changes will also make it harder to locate and identify a fault when it occurs.
Network security should not solely be the concern of security managers. IT directors need to enforce standards and oversee major changes to communications infrastructure.
IT directors can reduce the security risks by monitoring work done by outside agencies and keeping a record of any changes, including work carried out for cabling infrastructure.
Network infrastructures should be routinely "policed" to ensure users have not made illegal changes to network connections and also to identify potential faults before they occur.
Before signing a contract, IT departments should check that suppliers comply with industry standards, such as BSEN50173 and BSEN50174, which are recognised by the government to ensure best practice when dealing with suppliers.
Finally, the network should be designed so that areas of the business with sensitive information are separated and protected, for example, by putting a block on the routing of certain information.
As part of a primary business strategy, firms should consider how best to address this knowledge gap. Training in-house IT staff to understand the implications of poor installations and remove the risks from the change process is a long-term solution.
Martyn Case is a senior consultant and training manager for Liric Associates, which is exhibiting at Infosecurity Europe 2004 in the Grand Hall at Olympia, 27-29 April.