Guarding against net threats

1 Oct 2007

What are Irish companies’ options for securing their business against disruptions from internal and external threats?

As companies become more connected and IT becomes central to how they function, there’s an ever-greater chance that any loss of data could cause serious disruption to the business.

Most businesses are familiar with the possible danger of leaving networks unsecured from outside attack and there is a raft of products to guard against this.

Check Point Software Technologies is one of the leading suppliers of IT security systems and David Moss points out that it now sells a device that handles most of the major threats a typical small business is likely to encounter.

“This UTM [unified threat management] system protects against the likes of spyware, viruses and network attacks from a single device, saving companies from having to manage multiple hardware or software systems,” he says.

Tiernan Quinn, sector director of financial services with Eircom, points out that many network security services are now available as a managed service provided by a third-party company.

This has two benefits for a business. First, it can ‘outsource’ management of a tricky IT function rather than handling it in-house. More importantly, a managed service is paid for through fixed regular payments on a monthly or quarterly basis, allowing customers to save money up front. “There’s no significant capital expenditure in terms of buying servers and software licences,” says Quinn.

However, many Irish small and medium-sized enterprises don’t realise where even greater risks lie, according to Steven Blanche, network services manager with Ergo. “They are well aware of the potential of external threats but unaware of internal ones,” he comments. This emerged at a customer discussion forum Ergo held recently.

“The majority of threats and theft of data usually comes from staff members. There’s a need to lock down removable devices like USB drives,” says Blanche. One customer hired an employee who worked in sales for just three weeks. Shortly after, he left to work for a direct competitor and a customer database was downloaded.

“There’s no way to prove the two are connected, but this kind of situation is preventable,” Blanche says. Any organisation with sensitive information can take steps by using software tools that lock down all hardware so that material cannot be saved to removable media like DVDs, CDs, floppy disks or USB keys.

“This won’t let anyone copy unless they have been specifically granted permission or if the user is an exceptional case,” he explains. “You can even disable the clipboard in Microsoft Office so people can read documents but not copy them. That’s an extreme example, but it can be done.”

Customers often don’t see the internal threat: someone accidentally deletes an important file, or there is no backup. Blanche stresses that this doesn’t mean suspecting employees, as this behaviour is often accidental and not malicious.

Regulatory compliance is compelling large enterprises to implement new technology to protect their data and plan for keeping the business running in the event of a system failure.

Small businesses shouldn’t make the mistake of assuming similar pressures don’t apply to them, says Quinn: “I don’t believe it is an excuse. If you look at the Companies Act and the obligations of directors it involves, they have to sign up to ensure they have plans in place for business to continue.”

Echoing Blanche’s concerns, he adds: “I don’t think that message has got through comprehensively yet, especially for small organisations.”

At the simplest level, this means backing up data to ensure that it can be recovered with minimal disruption to the business. According to Quinn, there is a range of backup options that vary according to business needs. Backing up data over the internet to a secure location is becoming increasingly popular.

“The arrival of broadband on a nationwide basis is such that people don’t have an excuse for not doing online backups of their critical business information,” says Quinn.

The move from large software upgrades to incremental changes through the release of patches has been another trend. According to Elma Cusack, regional sales manager for HP software, the performance of a system may be impacted by applying a software patch without testing it.

“Companies in Ireland don’t perform enough tests of the applications they run,” she says. “In a medium-sized enterprise, you can have a number of applications sharing infrastructure and a change on one can impact on the others.”

Cusack recommends companies put in place processes and procedures to mitigate this kind of risk: “If it is a fairly complex process, you should have the technology in place to support that.”

There are several advantages to using software tools like this, she adds: “You reduce the cost and you are able to audit the process afterwards.” This, she maintains, ties in to the growing requirements around regulatory compliance.

“Compliance is seen as a costly overhead but it can be an opportunity to achieve benefits through having greater visibility of the risks to the organisation,” Cusack concludes.

By Gordon Smith