Take time to consider security

Security specialist Gordon Stephenson thinks firms are preparing for catastrophe when the dangers are far more mundane. Ross...

Security specialist Gordon Stephenson thinks firms are preparing for catastrophe when the dangers are far more mundane. Ross Bentley reports

Gordon Stephenson at security adviser Vogon estimates that the rate of IT security breaches has increased by 200% over the past three years. "One of the problems is that companies are implementing systems as quickly as possible without taking into consideration the security issues that these projects inevitably throw up," he says.

"Firms are running at Web speed, fighting fires and, while the environment is changing under their feet, internal security often takes a back seat. Many senior managers spearheading e-commerce have only nominal IT knowledge. There are too few experienced ITers in these roles who have knowledge of what security measures should be in place."

Stephenson says many organisations concentrate on large-scale disaster recovery plans in case of fire, flooding or terrorism even though most breaches are far less dramatic. "The vast majority of security breaches occur within a company often by accident. Staff are given inappropriate levels of access to systems for their role and this causes confusion. For example, you may not necessarily want someone who is responsible for raising purchase orders also to have the power to sign the cheque."

He calls for a clearer definition of responsibilities within companies. A clear e-mail policy is a good place to start. Stephenson feels that too many companies are now giving their employees unlimited, full e-mail and Internet access. This, he says, can be dangerous. "The company is legally liable for anything that goes out on the company e-mail. This leaves them open to abuse from malicious employees as well as unintentional mistakes. There may be cause, in some cases, to review policies, separating business and personal e-mails may be advisable and even stopping some employees from sending e-mails outside the company altogether."

But security is not just a technical issue. Stephenson says human resources should be making sure that employees are fully aware of company e-mail policy and of the repercussions if rules are transgressed.

Serious advice should also be sought when a company looks to dump hardware, according to Stephenson. "Storage of any kind, be it tapes or hardware discs, will hold confidential and sensitive data.

"While the Data Protection Act demands that companies take adequate action to safeguard confidential information there is also the loss of face that companies can suffer. There is an inherent responsibility to take care of employees and clients."

So as IT gets more complicated and ubiquitous, can we expect to see the problem of internal IT security getting worse? Stephenson thinks so. "It will get worse before it gets better. We'll see a few major companies humiliated by a security disaster, then it will be on the agenda and become an issue that all companies will have to face."

Read more on Hackers and cybercrime prevention