Policies of prevention

OPINION: Both internal and external security threats must be fought with efficient company policies as much as with the latest technologies.

Information security has never been more important to today's ICT manager; the growing number of malicious worms and hacker intrusions that attack corporate networks continues to demand absolute vigilance.

As the threat not only persists but spreads, the manager's security focus must shift to the human factors involved: risk assessment, security policies, and education of ICT staff and users. This focus is as important as expensive technology.

For years, the bulk of security spending has been devoted to perimeter defence--protecting the enterprise with technology to repel the unwanted intruder.

While something like 75 percent of security funding has gone towards keeping out the bad guys, the realisation has slowly dawned that 75 percent of the attacks originate from inside the firewall.

Employees know that opening e-mail attachments carries real risk, but they still do it. Administrators fail to establish a reliable system for assigning access rights to critical data, leave dormant user IDs and orphaned accounts unidentified, and fail to reset passwords regularly.
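The three administrative failures named above (dormant user IDs, orphaned accounts, and passwords never reset) are all things a periodic audit can surface mechanically. The script below is an added example, not part of the article or of any ACS material; it runs over a small constructed list of account records and assumes 90-day thresholds for inactivity and password age. In practice the same fields would come from a directory such as Active Directory or LDAP joined against an HR feed that says whether the account's owner is still employed.

```python
"""Account-hygiene audit: flag dormant IDs, orphaned accounts and stale passwords.

Added example (not from the article). Account records are constructed inline;
a real deployment would pull the same fields from a directory service and an
HR feed. Thresholds are assumptions, not figures from the article.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

DORMANT_DAYS = 90        # assumed: no login for this long -> dormant
PASSWORD_MAX_AGE = 90    # assumed: password older than this -> stale


@dataclass
class Account:
    user_id: str
    enabled: bool
    last_login: Optional[date]   # None means the account has never logged in
    password_set: date           # when the password was last changed
    owner_active: bool           # False means HR says the person has left


def audit(accounts, today):
    """Return the user IDs that fail each hygiene check, keyed by check name."""
    findings = {"dormant": [], "orphaned": [], "stale_password": []}
    for a in accounts:
        if not a.enabled:
            continue  # already disabled accounts are out of scope
        # Dormant: never used, or unused for longer than the threshold
        if a.last_login is None or (today - a.last_login).days > DORMANT_DAYS:
            findings["dormant"].append(a.user_id)
        # Orphaned: still enabled although the owner is no longer with the company
        if not a.owner_active:
            findings["orphaned"].append(a.user_id)
        # Stale password: not reset within the maximum age
        if (today - a.password_set).days > PASSWORD_MAX_AGE:
            findings["stale_password"].append(a.user_id)
    return findings


# Constructed sample data for the demonstration
TODAY = date(2024, 6, 1)
SAMPLE = [
    Account("alice", True, date(2024, 5, 30), date(2024, 4, 1), True),   # healthy
    Account("bob", True, date(2023, 11, 2), date(2023, 10, 1), True),    # dormant and stale
    Account("carol", True, date(2024, 5, 20), date(2024, 5, 1), False),  # owner has left
    Account("svc_backup", True, None, date(2022, 1, 1), True),           # never logged in
    Account("dave", False, date(2023, 1, 1), date(2022, 1, 1), False),   # already disabled
]


def sample_findings():
    return audit(SAMPLE, TODAY)


if __name__ == "__main__":
    for check, ids in sample_findings().items():
        print(f"{check}: {', '.join(ids) or '-'}")
```

The service account `svc_backup` shows why "never logged in" must count as dormant rather than being skipped: accounts that exist but are never exercised are exactly the ones nobody notices. The output is meant to feed a review, not an automatic disable; a finding such as `carol` should go to the account owner's manager for confirmation before access is removed.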

Non-disclosure policies are set, but rarely refreshed, and seldom put formally in front of employees and business partners on a regular basis.

Given the workload facing most ICT professionals today and the lack of properly qualified support infrastructure, it's understandable--but not excusable--that their houses are not in perfect working order.

There must be a cohesive approach across the organisation to ensure that education and training programs involve everyone concerned--HR, executive management, and consultants. This is particularly true in times of corporate lay-off; disaffected employees facing the door can wreak havoc on their way out unless proper controls over access to systems and data are in place.

Corporate HR philosophy must make it clear that ICT specialists can move in and out of security responsibilities on an upward career path, fulfilling a vital role in the enhancement of the enterprise's information assets.

That said, external threats remain. Determined intruders will always find a way in if they try hard enough. Companies must take a layered approach to the problem; security managers must know where intruders can go once they are in, and what they can do once they get there. And just as importantly, they need to know when their systems are being violated.

A major survey of 600 CIOs in the US late last year showed that only 41 percent would know when they were under attack, confirming previous studies showing companies are simply not aware of security breaches.

The same survey, incidentally, also showed that a third of respondents said that they did not store critical data on a restricted system isolated from less important information.

Bruce Schneier, author of Secrets and Lies: Digital Security in a Networked World, writes that when he hears companies say they have never been hacked, what they mean is that they have never detected that they have been hacked. Once companies start monitoring for intrusion, he says, they are amazed at the level of activity going on that they previously had not seen.

Risk reduction means the establishment of proper security credentials, regular and comprehensive auditing of compliance, and behaviour monitoring--all personnel management imperatives beyond the mere allocation of identifiers and passwords.

Protecting key employees' ability to keep working when disaster strikes is crucial. It means having incident response procedures in place and under continual review, and ensuring system availability for those deputed to keep the show on the road.

However, in all of this there needs to be a level of realism. The cost of protecting the corporate information must be commensurate with the sensitivity of that information.

There is no point in spending a million dollars to protect something worth only tens of thousands. Internal policies and education can accomplish a high level of protection with little capital outlay.

Richard Hogg is National President of the Australian Computer Society (ACS). The ACS is the recognised association for Information Technology (IT) professionals, attracting a membership (over 16,000) from all levels of the IT industry and providing a wide range of services. A member of the Australian Council of Professions, the ACS is the guardian of professional ethics and standards in the IT industry, with a commitment to the wider community to ensure the beneficial use of IT.

Visit this page for other ACS articles published by ZDNet Australia.