IT security breaches can damage business quality and effectiveness, yet many companies fail to adopt sufficient measures to reduce the risk.
The chair of the ICC Commission on e-business, IT and telecoms, Talal Abu-Ghazaleh, spoke for a lot of people when he commented recently, 'Implementing security measures can seem an intimidating challenge to managers whose expertise lies in running a company, not an IT department.' IT security is a subject of deep concern for senior company management around the globe. A serious security lapse could have a critical impact on customers. But the tools and techniques that protect against security failure must seem like rocket science to most board members. No wonder it all gets intimidating sometimes.
'I agree, and I would go as far as to say that it's an intimidating task for most IT managers as well,' comments Nick Galea, CEO of Malta-based web security firm Acunetix, though he is quick to paint a generally positive picture. 'That being said, there are plenty of computer consultants and products that are able to implement a good level of network security. CEOs need to understand that good network security is not hard to implement, and with the right selection of tools it does not even need to be expensive,' he adds. However, a little feeling of intimidation may be preferable to overconfidence. 'Web application security is not intimidating to most managers - simply because most managers are completely unaware of the risk that web applications pose without good web security auditing in place,' he warns.
PRIORITISING A SECURITY POLICY
If even the IT experts within the company can be overconfident, what is a CEO supposed to do? The temptation to leave everything to the IT department and trust blindly in their skills must be resisted. 'Thinking that security is something that the IT department should fix is a classic mistake,' believes Dr Ronald de Bruin, head of the Cooperation and Support Department at ENISA, the European Network and Information Security Agency. 'Every company relying on electronic networks and systems should have an IT security policy in place endorsed by its management. As it concerns people, processes and technology together, it is something for the entire organisation. Depending on the size of the organisation, this can be challenging indeed,' he confirms. 'However, not assessing and managing your IT risks can introduce business continuity problems.'
That may be understating the point. The risks to the company's commercial operations can be wide ranging and deeply embarrassing. Businesses whose customers buy online are trusted to handle sensitive and personal data. If that data falls into the wrong hands, customers are justifiably angry. When they get angry, they look for someone to blame - and recent research by Weber Shandwick suggests that customers are likely to blame the head of the company.
Meanwhile, inside the company, IT users who are supposed to be disciplined with their data are likely to blame the IT management if data leaks out. A survey last month from SurfControl, which polled more than 1,000 staff in the UK, the Netherlands, the US, Singapore and Australia, claimed that if information were stolen from their work computer, 64% of staff would blame the company.
It is worth remembering that staff at lower levels in the company are under as much pressure as the IT management and the board of directors. PC users in today's workplaces are expected to remember a lot of different ways to access a lot of different systems, and when working life gets that complicated they are bound to look for shortcuts. 'This explains why the practice of writing password and log-in details on Post-it notes has become so endemic,' says Marc Hudavert, vice president and general manager of security company ActivIdentity in Paris. 'The overwhelming majority of users are not tech savvy - it's not their job to be - and streamlining their interaction with the IT infrastructure is an essential component of an effective identity management strategy.' Hudavert's company advises using smart cards, to combine physical and online identity into one package.
INSIDE THREAT MANAGEMENT
Wherever you look in the world of IT security, there are threats and there are solutions. And year by year, old threats retreat towards the horizon as new threats appear. In just the last six months or so, the perceived threat from virus attacks has diminished - at least, less is being said about it, and fewer major attacks have been reported - while the new hot issue is the 'internal threat'.
In a sense, IT security concerns are now swinging back to the oldest and original security threat to the business: the fact that employees need access to company-sensitive data to do their jobs, and it might be the easiest thing in the world for them to walk out of the door with it. In past decades, an employee might need to carry the data out of the door as a printed document. Today, unfortunately, there are much more compact methods of making data take a walk.
'Without the correct thought given to IT security, business managers are allowing their staff to effectively help themselves to company information,' claims Mitchell Feldman, managing director of The Internet Group. 'Whether staff are stealing data through devices such as mobile phones, iPods and external hard disks, or emailing themselves the company's database, 90% of SMBs [small to medium sized businesses] do not have the ability to monitor their staff effectively.'
The problem is not confined to small-scale data theft, Feldman warns. 'We have also seen a large rise in industrial espionage cases where a disgruntled employee has caused malicious damage to a company's IT system as a result of the company's lax attitude towards internal security. As always, it is not until it is too late that business managers realise their investment into technology has actually come back and bitten them,' he says.
MOVING FORWARD
But if all this seems too intimidating to cope with, it helps to remember that the big disasters are rare, and that there are always measures a CEO can take within the company that should help to keep the security nightmare in check. These measures are not rocket science. They are the kinds of initiatives that CEOs commonly take in other areas of their business.
CEOs can start by making sure they themselves are up to date on the latest security trends - at least in outline. 'For the people we meet with on the IT side, their biggest challenge is to educate the CEO in terms of the business requirements,' says Neil Larkins, a product manager at software supplier Check Point in the UK.
'Typically the people responsible for the overall decisions won't precisely understand what's involved,' he admits. However, 'The message can be made fairly simple,' he believes, and IT concepts such as perimeter security are not that hard for the IT management to explain to their directors. 'I'm sure things will calm down as people get more educated,' Larkins says.
CEOs can also strive to bring IT and non-IT elements together, breaking down barriers between departmental responsibilities as appropriate. Steve Murphy, UK managing director for Hitachi Data Systems, believes that part of the challenge for CEOs is to devise a holistic strategy to cover people, processes and technology.
'Ensuring cross-pollination of skills and knowledge is essential to prevent weak links in the security chain and it is important for CEOs to promote these practices,' he says. They should pay particular attention to the link between network security and physical security, he believes. 'Electronic and logical security can be extremely effective in preventing malicious or accidental attacks on networks, but this is only part of the story. Physically securing equipment is a frequently neglected part of security and some organisations have paid the price for this. Regularly reviewing security practices as part of the company's overall strategy is fundamental to preventing attacks.'
For a large enterprise, Murphy suggests a review of how many people have keys to the data centre and how secure the room is. For smaller enterprises, check that the keys to the data storage rack have not been left in the lock. 'Taking time to remind all employees that an attacker doesn't need to get through layers of electronic security to get hold of data if he or she can simply walk in and take it will pay dividends,' Murphy says.
If all this adds up to a lot of reasons to be worried, that should be no big surprise. It is an old saying in the IT industry that 'only the paranoid survive'. Maybe a little intimidation is a good thing, if it reminds CEOs that big issues are at stake and that solutions have to be purchased, installed and maintained by technical specialists who need to be encouraged to communicate what they know, and that users at all levels need educating on how to handle IT pressure.