Vigilance against cybercrime
OPINION: The misdirection of security budgets due to a lack of understanding of the problems facing organisations must be addressed by ICT practitioners.

If there is anything positive to be drawn from the events of September 11, it's that sharper focus has been given to the importance of IT security planning.

The need for continual vigilance to preserve business continuity, and for rapid and effective response when it fails, was tested as never before.

While terrorism has added a new dimension to ICT security, the fundamentals remain unchanged and hopefully the WTC and Pentagon experience will create better awareness at executive management and board level of the need to give ICT security budgets the same financial priority as taxes and executive salaries.

Prudent corporations have moved quickly since September to quantify the risk of massive failure and manage its consequences through the establishment of new procedures, confirming again that the human factor is at least as important as secure technology.

The evolution of the chief security officer as a key operative in the management hierarchy is a welcome development, integrating the work of specialised ICT professionals to secure enterprise technology with the management of the weakest link in the whole process: the user.

Most IT professionals recognise that while the dangers of hacker intrusion, viruses and denial of service attacks are ever present, the greater threat of cybercrime comes from within the organisation itself.

Whether through malice or carelessness, the network user is ideally placed to wreak havoc; weak password controls, indifferent network access management and sloppy policy enforcement make it easy.

A major FBI survey in the US a few months ago showed that corporations recognised that more than 80 percent of computer-based criminal attacks could be expected to originate from within their organisations.

Against this, parallel surveys have shown that corporations spent 80 percent of their security budgets guarding against external attack. It's like bolting the door but leaving the windows open. The misdirection of these resources points squarely to a lack of understanding by executive management of internal threats, an issue which must be addressed by ICT practitioners.

Management must be made aware of the risks it faces, and learn by persuasion before the event rather than by experience when the damage is done. Support for those in information technology roles charged with securing the enterprise's knowledge capital must start from the top down.

Organisations have to know precisely who among their staff have access to sensitive information and at what level. They must be able to close down dormant user accounts and those of ex-employees quickly.

It sounds simplistic, but there are still organisations that fail to challenge "visitors" who wander in and log onto a vacant PC, that allow users to have passwords like "password" or "fred" (usually displayed on a sticky note on the monitor), and that generally have no considered, enforced internal security policy. The solution lies in user awareness, and that means having security education programs in place throughout the enterprise.

Cybercriminals know that a corporation's information about its customers, as well as a company's intellectual capital, can be sold on the open market. Customer data can be used to misappropriate funds, and intellectual capital can be auctioned to the highest bidder. They have quickly come to recognise the opportunities available to them through lax security practices.

Law enforcement agencies, particularly in Australia, have been comparatively quick to recognise and meet the criminal challenge, but their race is uphill against rapidly developing new technology and the swelling ranks of corporate users. The pervasive nature of ICT in general and the Internet in particular adds to their task.

So do important considerations in protecting civil freedom and privacy in the framing of legislation to counter cybercrime, an area in which the Australian Computer Society has been particularly active. Until those in management positions appreciate that their two most precious assets, their people and their data, must exist together in a trusted environment under constant scrutiny, the value of each will rapidly diminish.

Richard Hogg is National President of the Australian Computer Society (ACS). The ACS is the recognised association for Information Technology (IT) professionals, attracting a membership (over 16,000) from all levels of the IT industry and providing a wide range of services. A member of the Australian Council of Professions, the ACS is the guardian of professional ethics and standards in the IT industry, with a commitment to the wider community to ensure the beneficial use of IT.

Visit this page for other ACS articles published on ZDNet Australia.