Remote workers are the weakest link


4 Mar 2005

Ensuring remote workers are not a security threat to organisations has become the top priority for Irish security professionals this year, a representative group has said.

The local chapter of the Information Systems Security Association (ISSA) has unveiled survey data indicating what projects are high on the agenda for the coming year.

The ISSA conducted an online survey of its Irish membership in January. Respondents were also asked about the projects they had planned for 2004 and which of those were completed during that year.

Remote access has jumped from third in 2004 to first position on the security manager’s to-do list for 2005. “As far as mobile devices are concerned, everything you can connect to your infrastructure is going to be a new threat,” said Brian Honan, IT consultant and ISSA member. He added that this would have an impact on acceptable usage procedures within companies. “For example, do your policies state that a user can connect their iPod to their PC?”

Compliance is clearly the major theme for 2005, as several of the leading projects for this year relate to it. “There are a lot of new projects for this year that weren’t there last year,” Honan commented. Compliance itself is accorded the second highest priority for the year, but it also has a bearing on other agenda items such as documentation (fourth place), staff awareness (fifth place), BS7799/ISO17799 certification (sixth place) and security audits (seventh place).

Those polled for the survey believe there is some confusion over what compliance will actually require companies to do. There is also some discussion as to whether it’s strictly an IT problem or whether it should be driven by the business, Honan said. Although compliance applies most closely to heavily regulated industries such as financial services and healthcare, it will have a trickle-down effect to partners and suppliers of these organisations, he added.

“2005 is still going to be the year of people and processes; I don’t think we’re going to get away with not doing documentation this year, but the effort required is underestimated,” Honan warned.

Other threats to watch during the year include spam and spyware, the report indicates. “Spam is going to get worse before it gets better – it’s becoming more sophisticated and harder to detect,” said Honan. “Spyware will become a higher priority, particularly as it starts taking resources from PCs and eating bandwidth.”

The 2004 figures showed a somewhat different set of priorities. Network security was the top priority last year; this comprises tasks such as hardening operating systems, securing machines and putting in place controls such as gateways and filters. The second most important category was implementing systems to fight viruses and malware; remote access and securing mobile users was in third place and fighting spam was considered the fourth most important task. Other priorities, in order of importance, were gateway controls; patching; information security policies; deploying intrusion detection systems; implementing business continuity; access controls; and application security.

The survey indicated some notable differences between what projects had been planned and what ended up actually being completed. Network security was the most implemented of all the planned tasks. Remote access was the second most completed project, despite having been third on the list of priorities.

The third most completed work involved tackling spam, up from fourth in the priority list for the year. “More [organisations] delivered spam projects than had planned to,” said Honan, who explained why the issue rose in importance over the year. “Once the CEO or sales manager started taking minutes per day to delete spam, it became a business problem.”

Combating viruses and worms, which had been the second highest priority, ended up being fourth on the list of projects undertaken last year. According to Honan, only eight out of 10 respondents who had planned to deploy and manage antivirus systems actually completed the job.

Software patching and policies suffered most in the shakeup as they fell to eighth and ninth place respectively on the list of tasks accomplished in 2004, having been much higher on the original list of priorities. “A lot of people spend time firefighting and are not able to deal with problems,” Honan remarked. He suggested that documentation suffered partly because it’s a task that tends to be left to the IT manager whereas many believe it ought to be handled by the human resources or legal department.

Patching suffered because “it’s a difficult job to do,” Honan added. In addition, some security personnel reported that their operating systems were too old to take advantage of the most up-to-date software fixes.

The ISSA is a non-profit and vendor-neutral organisation of security professionals which aims to educate and cross-skill IT security professionals. It has more than 90 chapters and 10,000 members throughout the world, more than 300 of whom are based in Ireland.

By Gordon Smith