Putting people first

16 Aug 2005

If there has been one consistent theme in the tenor of security announcements over the past year, it is that people remain critical to any organisation’s IT security plans. They can be the strongest link where security is strong, or the weakest where it is not. As a whole, the security debate often has less to do with the finer points of firewalls and more to do with the fact that it is an area being driven increasingly by business needs — and not necessarily on a journey of its own choosing.

To take two examples, broadband brings with it the prospect of home working, while devices such as smart phones and the BlackBerry allow access to email from any location. While they obviously empower employees and potentially boost productivity, both of these options represent a significant security headache for the IT manager, because they require an extension of the traditional security perimeter far beyond the physical walls of a company’s offices. With this, the means to address these new security challenges become more complex.

In fact, enabling remote workers to access systems safely is the top priority for Irish security professionals in 2005, a survey by the Information Systems Security Association (ISSA) found. The same issue was accorded third place last year, proving the point about its growing popularity. Simply put, there’s no alternative — what security administrator would tell his CEO he can’t have email delivered to his mobile phone or handheld device because it’s potentially not secure?

The people factor is just as important — and arguably more so — when it comes to what goes on within the four walls of an office. Are staff adequately informed about what they can and can’t do when it comes to accessing the internet during working hours, for example? Is there scanning or filtering technology that supports this policy? What are the penalties for misuse and are they applied rigorously and consistently? Michael Soden’s ousting from Bank of Ireland last year for visiting websites with adult content showed the example of a security policy in action and may have focused the minds of many in corporate Ireland. But the absence of any such policy leaves far too much to chance. Incredibly, it is possible to successfully defend a case of dismissal for looking at inappropriate content online if the company has no policy to state that this practice is forbidden.

Corporate espionage can and does happen. If the system is open enough to allow them, some curious people may decide that the folder marked ‘confidential’ sitting on a file server could be worth a quick look — whether or not it’s any of their business. There have been reported incidents of administrators reading other people’s emails. In some cases, passing information between companies also takes place. Access control technology now lets security managers apply rules as to who is allowed to view what content on the internal network.

Security is also becoming more closely bound up with legal requirements, whether it is directorial duty of care or preventing actual crime. Where the latter is concerned, nobody can accuse the Garda Síochána of not trying; at almost every single security event in the past eight months, a representative of the Bureau of Fraud Investigation has been on hand to tell delegates that the gardaí can provide valuable direction in the event of a computer-related incident. The mantra is communication in confidence — the gardaí get an insight into the kinds of activities taking place and the business community gets professional advice about how to conduct themselves. Whether to press ahead with formal charges is a matter for the injured party, the gardaí maintain.

What of regulatory compliance? It’s routinely trotted out as a key reason for allocating a budget to security. However, a recent briefing note from the IT analyst firm Gartner flew in the face of popular thinking when it claimed the spending in this area is out of proportion to the actual requirements of legislation such as the Sarbanes-Oxley Act of 2002. The mixed message was reflected locally in an ISSA survey, which found respondents were confused over what compliance will actually require them to do. There is also some discussion as to whether it’s strictly an IT problem or whether it should be driven by the business.

Patching is another pressing issue. Local and international statistics routinely show that the most commonly found viruses usually exploit flaws in software for which there is a known fix or patch. If only it was as simple as that. The need to ensure critical vulnerabilities are patched is a trade off against having the time and resources to do so. With the IT community more vigilant than ever and more security incidents reported, more patches are issued, which only adds to the problem.

Patches need to be tested to ensure they will work, that they are compatible with all of the applications the business requires. They may not even be relevant in every case and a good security policy should take account of that. If a particular server is running the application that’s vital to a company’s business, the decision must be made as to whether the risk is worth taking an important computer offline while the patch is installed and tested.

The decline of the password is something we’re hearing more about, but no single alternative has emerged as the clear winner. Some organisations favour smart cards; others are considering token devices that generate one-time passwords. Others still are investigating biometrics — although the latter technology has hardly received a boost with the news that plans to introduce biometric details in passports has been shelved.

All of these developments mean IT security is an environment in constant flux. What we guard against today may leave us unprotected from tomorrow’s risks. Those risks can’t be avoided but with a sound infrastructure in place, they can at least be managed.

By Gordon Smith