A consultant with 18 years’ experience in computer security, John Alcock (pictured) obviously knows a thing or two about the technology that organisations need to put in place to protect themselves against worms, viruses and other nasties marauding the internet. The longer he does the job, however, the more he realises that people rather than technology are the lynchpin of any effective security framework.
“The way we work in the office and use our IT creates the greatest exposure to a breach of information security. Attacks from hackers and viruses get the most attention, but it is the behaviour of a company’s workers that can create the greatest problems,” argues Alcock, a managing security consultant at Fujitsu Services UK & Ireland.
If that all seems slightly overblown, consider, he says, the ongoing impact of viruses and the employees who seem blissfully unaware of the nature of rogue emails.
“When the I Love You virus was around, it was interesting to note just how many people there were in organisations who thought this was a message of affection and opened it,” he recalls. “For some organisations the most cost-effective thing they can do is improve the education of their people rather than go out and spend a lot of money on technology.”
Alcock maintains that by applying a more consistent IT security policy or even just making workers more aware of how their behaviour can expose the company to attacks, organisations can dramatically reduce the risk of an information security breach and at a much lower cost than buying security technology products.
Although he does not directly criticise the technology vendors that are making hay out of corporations’ growing security fears, he clearly feels that a new perspective is required within the computer security debate: technology is of course important, but the human dimension cannot be overstated either.
He identifies several weak spots that tend to be neglected by businesses. High on the list is the practice of plugging personal devices, such as laptops or PDAs, into a corporate network. Doing so increases the risk of releasing viruses onto the local area network.
Other security no-no’s include: allowing a new joiner or temporary worker to share a log-on account for the corporate network, which can inadvertently give unauthorised personnel access to sensitive information; letting home-workers print out sensitive documents on the office printer; failing to tell the IT department when an employee has left the company, thus leaving them with remote access to corporate systems; employees forgetting to lock their PC when away from their desk, giving anybody walking by access to their e-mails and network drives; and maintaining an inadequate password policy. The latter he describes as the single most common security faux pas organisations commit.
When it comes to educating users about security, Alcock favours the softly-softly approach rather than treating employees like naughty schoolchildren who have stepped out of line. And he doesn’t feel it is realistic to ban the social use of work tools such as the internet and email – no more than most organisations would consider prohibiting staff from making non-work calls on their desk phones.
“The main thing is that messages are gently and appropriately reinforced,” he says. “For example, new joiners should be introduced to the policy as part of their induction to the company and then there should be some mechanism by which information is regularly refreshed. Some of the more successful companies treat it as an important professional skill and use their intranets to run awareness campaigns where people are required to answer questions about information security. Others put reminder notices on bulletin boards around the office or on computer screensavers.”
In small or medium-sized businesses, computing security tends to be a manageable if unwelcome and resource-intensive exercise. In larger ones, it can be a nightmare, believes Alcock.
“In large businesses there may be 40,000 employees, each of whom may have several accounts on different systems, and security management is one of the biggest headaches. Without technology and process to help them do it, this management task is almost impossible. So much of our work has been about helping people improve their management capability. By doing that they are taking cost out of their business as well as dealing with the security exposure.”
Unlikely as it seems, one of the biggest problems facing the larger organisation is also very basic: knowing exactly what their IT infrastructure consists of. Who is using what computer? Who is working from home and do we know what equipment they are using? Did employee x return his laptop after he left the company? Questions such as these are sometimes not at all easy to answer but are all vitally important if a company is to put a security management policy in place, says Alcock.
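The reconciliation Alcock is describing (who has left but still has accounts, which accounts are being shared, which equipment was never returned) is mechanical enough to script once the HR roster, the account exports and the asset register are in one place. The example below is added here to illustrate that; it is not code from the article or from Fujitsu, and every roster, account, login and asset record in it is constructed sample data with made-up names and hosts.

```python
"""Cross-check an HR roster against account exports, login records and an
asset register to surface the exposures described above: leavers whose
accounts were never disabled, accounts with no named owner, accounts that
look shared, and equipment a leaver has not returned.

All records below are constructed sample data for illustration only."""

from collections import defaultdict
from datetime import date, datetime, timedelta

# Date on which the check is run (assumption for the example)
AS_OF = date(2004, 6, 30)

# Constructed HR roster: employee id -> (name, leaving date or None if still employed)
HR_ROSTER = {
    "e100": ("Alice Adams", None),
    "e101": ("Bob Brown", date(2004, 3, 31)),   # left the company
    "e102": ("Carol Clarke", None),
    "e103": ("Dan Dixon", date(2004, 5, 15)),    # left the company
}

# Constructed account exports from three systems: (system, account, owner id, enabled)
ACCOUNTS = [
    ("mail", "aadams", "e100", True),
    ("mail", "bbrown", "e101", True),     # leaver, still enabled
    ("vpn", "bbrown", "e101", True),      # leaver, remote access still live
    ("erp", "ddixon", "e103", False),     # leaver, correctly disabled
    ("erp", "temp01", None, True),        # generic account with no named owner
    ("vpn", "cclarke", "e102", True),
]

# Constructed login records: (system, account, source host, ISO timestamp)
LOGINS = [
    ("erp", "temp01", "pc-14", "2004-06-01T09:02"),
    ("erp", "temp01", "pc-27", "2004-06-01T09:05"),    # same account, second machine
    ("vpn", "bbrown", "home-bb", "2004-06-02T20:11"),  # leaver connecting remotely
    ("vpn", "cclarke", "lt-cc", "2004-06-02T08:30"),
]

# Constructed asset register: (asset tag, type, assigned employee id, returned)
ASSETS = [
    ("LT-0042", "laptop", "e101", False),  # leaver has not returned it
    ("LT-0043", "laptop", "e102", False),
    ("PDA-0007", "pda", "e103", True),
]


def leavers(roster, as_of):
    """Employee ids whose leaving date is on or before as_of."""
    return {eid for eid, (_, left) in roster.items() if left is not None and left <= as_of}


def orphaned_accounts(accounts, roster, as_of):
    """Enabled accounts owned by someone who has already left."""
    gone = leavers(roster, as_of)
    return sorted((sys_, acct) for sys_, acct, owner, enabled in accounts
                  if enabled and owner in gone)


def unowned_accounts(accounts):
    """Enabled accounts with no named owner: nobody is accountable for their use."""
    return sorted((sys_, acct) for sys_, acct, owner, enabled in accounts
                  if enabled and owner is None)


def shared_accounts(logins, window_minutes=30):
    """Accounts logged in from two different hosts within a short window,
    which is what a log-on shared between people looks like in the records."""
    by_acct = defaultdict(list)
    for sys_, acct, host, ts in logins:
        by_acct[(sys_, acct)].append((datetime.fromisoformat(ts), host))
    flagged = []
    for key, events in by_acct.items():
        events.sort()
        for (t1, h1), (t2, h2) in zip(events, events[1:]):
            if h1 != h2 and (t2 - t1) <= timedelta(minutes=window_minutes):
                flagged.append(key)
                break
    return sorted(flagged)


def logins_after_leaving(logins, accounts, roster):
    """Accounts used after their owner's leaving date: access that was never revoked."""
    owner_of = {(sys_, acct): owner for sys_, acct, owner, _ in accounts}
    hits = set()
    for sys_, acct, _host, ts in logins:
        owner = owner_of.get((sys_, acct))
        left = roster[owner][1] if owner in roster else None
        if left is not None and datetime.fromisoformat(ts).date() > left:
            hits.add((sys_, acct))
    return sorted(hits)


def unreturned_assets(assets, roster, as_of):
    """Equipment still assigned to a leaver and not marked as returned."""
    gone = leavers(roster, as_of)
    return sorted(tag for tag, _kind, owner, returned in assets
                  if owner in gone and not returned)


def report(as_of=AS_OF):
    return {
        "orphaned_accounts": orphaned_accounts(ACCOUNTS, HR_ROSTER, as_of),
        "unowned_accounts": unowned_accounts(ACCOUNTS),
        "shared_accounts": shared_accounts(LOGINS),
        "logins_after_leaving": logins_after_leaving(LOGINS, ACCOUNTS, HR_ROSTER),
        "unreturned_assets": unreturned_assets(ASSETS, HR_ROSTER, as_of),
    }


if __name__ == "__main__":
    for finding, items in report().items():
        print(f"{finding}: {items}")
```

The value of the script is in the joins, not in any one check: the HR system knows who has left, each application knows which accounts exist, the login records show how they are used, and the asset register knows who holds which laptop. None of those sources alone answers "did employee x return his laptop and is his VPN account still live", which is exactly the question the article says large organisations struggle with. In practice the sample lists would be replaced by exports from the real systems, and the 30-minute window for the shared-account check would be tuned to how quickly a single user can plausibly move between machines.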
Cynics might say that it suits consultancies such as Fujitsu Services to make a selling point of ‘softer’ issues such as security management and employee education – it creates another revenue stream for them. This may be so, but there must be a reason all the same why many chief information officers who have armed themselves to the hilt with the latest security gear can still feel vulnerable to a security breakdown.
They rightly realise that, unless employees buy in to the whole information security agenda, all the technology in the world won’t keep key company data safe and protected.
By Brian Skelly