FASTtalk October 2008
The broadband revolution has allowed companies to use the Internet
increasingly to reach their customers and to let their staff be more
mobile. IT activity now extends well beyond the traditional physical
network boundary, but are the systems that result still secure?
According to the 2008 Information Security Breaches Survey
conducted by the Department for Business Enterprise &
Regulatory Reform and PricewaterhouseCoopers, for the first time
small businesses are citing security as a high priority and a key
focus, indicating that IT security is no longer the domain of large
companies.
The report highlighted that while security controls are
improving, exposures remain around the loss or disclosure of
confidential information. Personal technology, from iPods to USB
storage sticks, is actively facilitating this theft from publishers
and companies alike: 67% of the companies interviewed for the 2008
Breaches Survey admitted that they do nothing to prevent
confidential data leaving on USB sticks, and 84% do not scan
outgoing email for confidential data.
All organisations need to understand their liabilities, and how
supplying a user with a computer can have extremely serious
consequences if that user is not correctly trained, or is unaware of
the consequences of simple everyday actions like sending an email.
The security landscape
Steps to improve security
- Think about security holistically
- Institute effective, workable security
policies and procedures
- Reduce security complexity
- Increase staff security awareness
- Get board buy-in
- Adopt technology to protect users
against themselves (e.g. email security)
- Know whether your staff are using social
networking and take steps to ensure they are aware of the risks and
liabilities of using it.
Setting the scene for the roundtable, Clive Longbottom from
Quocirca suggested that in the past, few people had access to
computers, with everyone running terminals, and if you wanted to
get data out of an appliance, you had to pull it out. Today, things
have changed markedly. “Now, we look at integrating all the systems
and we open up our systems to partners. People have sucked
Intellectual Property down and our biggest worry is USB data
leakage and iPhones that have 16MB of storage. We have to look at
security holistically, and interest the people, while taking away
their security complexity. If not, you might as well put
Intellectual Property in the internal post with your biggest
competitor’s address on it.”
David Lacey from the BCS Security Forum has a long-standing
interest in the insider threat, having seen security risks
first-hand in a previous senior IT role at Royal Mail. He also has
a book, ‘Managing the Human Factor in Information Security’ coming
out soon. He says there have always been people eager to get their
hands on corporate data. “In the oil industry in the late 1980s,
there was a network of intermediaries buying and selling
information about contracts and money laundering, yet no-one knew
it was going on. You can’t go to police and say, ‘I think someone’s
stealing information.’ They’ll ask you what evidence you have. In
Royal Mail, we were losing up to 35 laptops a month, but we got it
down to zero. We really do have some serious problems at the
moment. If I was in organised crime, I’d seriously consider getting
a job as a junior consultant within government.”
Longbottom agrees. “We’ve got into a mindset where we say,
‘Let’s just make ourselves a bit more secure than everyone else.’
That is not a valid way forward anymore. Nationwide was fined
nearly a million pounds for the loss of a laptop, but that was just
a slap on the wrist.” Andy Baldin, VP EMEA at LANDesk says the
current business case for spending on security still seems to be
based on a simple ‘tick in the box’ mentality that often only
covers the basics such as a firewall and anti-virus software
whereas the real worry is keeping confidential data within the
organisation, rather than wandering around on USB sticks. “I was
speaking to a large organisation in the UK, and they were very
focused on knowing when data was being copied onto a USB stick and
by whom. That’s the problem people want to solve. Organisations
want to know what data is being moved around. But there’s cost
associated with implementing that and issues around business
flexibility. It’s important to balance security policies with
people’s ability to do their jobs - wholesale restriction of data
copying onto USB sticks (or similar) is too draconian. Monitoring
what’s happening and then taking appropriate action will go further
in finding the root causes of missing confidential data,” he
says.
Meanwhile, Webroot Channel Director Ian Moyse says the problem
for smaller organisations is simply having the skills to tackle
security. “Most businesses that are sub-250 people organisations
are challenged because they don’t have a security expert. And yet
many of those sub-250 companies are suppliers and they are the real
hub in the business chain. Larger organisations are saying: ‘If you
don’t follow these policies and procedures, we’re not going to do
business with you.’”
Tackling social networking
Moyse believes another problem is that a key demonstration of
the human factor, social networking, is not being adequately
tackled, or even understood by organisations. “People are used to
using social networking at home but don’t want to admit they’re on
Facebook at work. Yet it’s not just Facebook that’s the problem. I
can map out a company’s structure really easily from LinkedIn.
There is a lot of valuable information in there about information
structures.”
Clive Longbottom says there is an opportunity for vendors over
Instant Messaging and social networking. “Although 80% of companies
say they have a formal policy on Instant Messaging, most believe it
is still being used within the organisation. Instant Messaging and
social networking can be used to track whatever information is
going out on their sites. You can help make sure Intellectual
Property is not going out of the organisation.” Sarah Wootton, Head
of Customer Acquisition for FAST, says she is constantly
surprised by the number of organisations that still will not admit
their staff are using social networking. “I’m staggered at the
number of organisations that do not think their people are doing it
and they are unaware of the risk of not doing anything about
it.”
Robert Bond, a partner and specialist in Intellectual Property
law at law firm Speechly Bircham, says the most innocuous social
networking inquiry can give the most away. “There is that line,
‘What are you doing at the moment?’ which can be a real giveaway.”
Webroot’s Moyse believes there is a need to educate users in some
best practices. “A number of organisations have tried to ban
Facebook, but others argue that you can’t ban it and that turning
it off is unfair. What you can do is set a policy that says ‘you’re
being audited.’ If you know someone’s watching you, you behave
differently, just as if you see a policeman, you’re likely to slow
down.”
Stephen Harris, ICT services co-ordinator of FAST customer BMS
World Mission, asked what precautions social networking users
should take if they’re asked while on a networking site, what work
they’re doing. “When you are on a social networking site, and you
are making statements about the business, there’s a good chance
that’s contradicting a clause in your contract of employment,” says
Quocirca’s Clive Longbottom.
Real world policies and procedures
With the focus on contracts, policies and procedures, Sarah
Wootton from FAST believes smaller organisations fail to
understand how they should tackle developing their security
policies. “There is a serious lack of knowledge in smaller
businesses over how to write a half decent policy.
We see a lot of acceptable use policies, but not security
policies, and we’re seeing very little convergence of the two.
Bigger companies throw ISO 27001 or ITIL at us, but we really sit
on the side of the IT Manager, who doesn’t hold his own budget and
reports into the Finance Director. They are really struggling, and
they’re expected to keep the business secure. There is also a basic
lack of understanding about vicarious liability. If someone puts
something on a blog, how does that reflect on the organisation?
There is a real ignorance about who holds liability.”
Peter Dam, eToken Technical Consultant at security specialist
and FAST customer Aladdin says the security industry can help the
user be more secure. But what sometimes the user really needs is an
effective tool, a bit like a key. “If as an end-user, I had a
security ‘tool’, like a doorkey, or something similar for an
organisation, I have something more tangible to accomplish security
with. If they are more secure through hardware, just as they are
from using a key at home, then the computer ID and home ID will
become one in the digital world. As for policies, even if you
believe someone is breaking a policy at work, you still need to
know that the person ‘breaking’ the policy is actually the person
him or herself. You need to be able to both enforce the policy and
prove to an end-user that they are doing it.”
Robert Bond from law firm Speechly Bircham says one of the major
problems that can arise with security policies is that they may be
unenforceable. “I know of a case where the boss’s email was spoofed
by an employee and the head of IT vowed to throw the book at them.
They had a 90-page security policy but because we’d infringed the
rights of individuals under employment law there was nothing we
could do about the guy. A security policy is completely useless if
it doesn’t comply with the law. For example, it may have been cut
and pasted and there are things you can’t do in Germany that you
can do here. And US style policies don’t work in Europe either. A
company has to implement policies and procedures but it’s no good
having those policies if they infringe human rights. You cannot
give people the chance to say ‘See you in court, because your
policies are unenforceable.’”
Protecting the users from themselves
Andy Baldin from LANDesk says often the problem in protecting
against security breaches comes from the security naiveté of the
user. “Often the user is competent in their role, but they’re not
security-competent, so they’ll attach the wrong document that is
Company Confidential to an email. Or they’ll send it to the wrong
addressee. What the user really wants is something that detects
that a document is Company Confidential, and prevents them sending
it.” “I’ve never done anything like that, sent an email to the
wrong address,” jokes Federation chairman John Lovelock, mimicking
a Pinocchio-like nose.
Ian Moyse from Webroot agrees that the technology should protect
the user from making an error, while Stephen Harris from BMS World
Mission suggests that users of Microsoft Exchange can be protected
because Exchange puts a 5-10 minute delay in each email.
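The survey finding that 84% of companies do not scan outgoing email, and Baldin’s picture of the competent-but-not-security-competent user who attaches a Company Confidential document or picks the wrong addressee, come down to the same control: inspect the message at the gateway before it leaves. The Python below is an added example, not code from FAST, LANDesk, Webroot or anyone at the roundtable. It parses an outgoing message, looks in the subject, body and attachments for assumed confidentiality markings and two crude data patterns, and decides from the recipient domains whether to block, log or allow. The company and partner domains, the markings, the patterns and the three sample messages are constructed for illustration.

```python
"""Outgoing-mail content check: hold messages that carry a confidentiality
marking or sensitive data and are addressed outside the organisation.

Added example for illustration; not code from FAST or any roundtable
participant. Domain names, markings, data patterns and sample messages are
assumptions constructed for this example.
"""
import re
from email import message_from_string
from email.message import EmailMessage, Message
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.co.uk"           # assumed company domain
PARTNER_DOMAINS = {"partner.example.org"}   # assumed partners cleared for marked documents

# Markings the assumed classification scheme stamps on documents and mails.
MARKINGS = {
    "company confidential": re.compile(r"\bcompany\s+confidential\b", re.I),
    "commercial in confidence": re.compile(r"\bcommercial\s+in\s+confidence\b", re.I),
}
# Crude structured-data patterns: approximate UK NI number, 16-digit card number.
PATTERNS = {
    "ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){15}\d\b"),
}


def recipient_domains(msg: Message) -> list:
    """Domains of every To/Cc/Bcc address, lower-cased."""
    pairs = getaddresses(msg.get_all("to", []) + msg.get_all("cc", [])
                         + msg.get_all("bcc", []))
    return [addr.rpartition("@")[2].lower() for _, addr in pairs if "@" in addr]


def text_parts(msg: Message):
    """Yield (name, text) for the subject and every leaf MIME part.
    Attachments are decoded from their transfer encoding and read as text;
    a real gateway would also unpack Office/PDF containers and archives."""
    yield "subject", msg.get("subject", "")
    for part in msg.walk():
        if part.is_multipart():
            continue
        raw = part.get_payload(decode=True) or b""
        yield part.get_filename() or part.get_content_type(), raw.decode("utf-8", "replace")


def check_outgoing(raw_message: str) -> dict:
    """Classify one outgoing message: 'block' (marked or sensitive content going
    to an uncleared domain), 'log' (marked content staying inside), 'allow'."""
    msg = message_from_string(raw_message)
    findings = []
    for name, text in text_parts(msg):
        for label, rx in MARKINGS.items():
            if rx.search(text):
                findings.append(f"marking '{label}' in {name}")
        for label, rx in PATTERNS.items():
            hits = len(rx.findall(text))
            if hits:
                findings.append(f"{hits} {label} match(es) in {name}")
    cleared = {INTERNAL_DOMAIN} | PARTNER_DOMAINS
    uncleared = sorted({d for d in recipient_domains(msg) if d not in cleared})
    if findings and uncleared:
        action = "block"   # quarantine for review and tell the sender why
    elif findings:
        action = "log"     # record where marked data moves, act on the pattern
    else:
        action = "allow"
    return {"action": action, "findings": findings, "uncleared_recipients": uncleared}


def build_sample(to: str, subject: str, body: str,
                 attachment: str = None, filename: str = None) -> str:
    """Construct a sample outgoing message (test data, not real mail)."""
    m = EmailMessage()
    m["From"] = f"alice@{INTERNAL_DOMAIN}"
    m["To"] = to
    m["Subject"] = subject
    m.set_content(body)
    if attachment is not None:
        m.add_attachment(attachment.encode(), maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_string()


# Constructed sample messages: marked mail staying inside, a marked document
# forwarded to a personal mailbox, and an ordinary message to a customer.
SAMPLES = {
    "internal": build_sample(f"bob@{INTERNAL_DOMAIN}", "Q3 pricing",
                             "Company Confidential: draft price list attached for review."),
    "misaddressed": build_sample("bob@mail.example", "Fwd: Q3 pricing",
                                 "Thought you'd want a copy.",
                                 attachment="COMPANY CONFIDENTIAL\nAccount holder AB123456C\n",
                                 filename="pricing.txt"),
    "clean": build_sample("carol@customer.example", "Tuesday meeting",
                          "Confirming 10am on Tuesday, see you then."),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_outgoing(raw))
```

The three-way decision reflects the balance Baldin argues for: marked data moving between colleagues is logged rather than stopped, and only marked or sensitive content bound for a domain outside the company and its cleared partners is held. In practice the marking list and patterns would come from the organisation’s own classification scheme, and the block action should return a message to the sender explaining what was found, since that feedback is what turns the control into the awareness the roundtable keeps returning to.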
David Lacey from the BCS Security Forum believes that the human
factor is frequently to blame. “People often go on autopilot in
their job, and they just won’t see something coming from ‘left
field.’ In the same way, if you’re driving along and a child runs
out in the road, you may well say ‘I didn’t see them’ and that
really is the case. Security’s like a Swiss cheese, there are lots
of holes. And in people security, you just don’t have enough
layers.”
The Federation’s Chief Executive John Lovelock says putting the
problem right generally comes back to best practice. “I need to get
a best practice policy from the board. You’ve got to take the whole
package and get the board behind it. If your board doesn’t buy into
your security policy, it isn’t going anywhere.”
Security and new technologies
Security-pressed users also have to bear in mind the impact of new
technologies such as Software as a Service (SaaS), security as a
service, and virtualisation. Andy
Baldin from LANDesk says he welcomes new technologies, which
themselves place an onus on vendors to deliver on security. “If
you’re not delivering SaaS in a secure environment, you’re not
going to be successful. Cloud Computing? If I was a small company,
I wouldn’t have a clue as to how that’s going to work and I’d be
quite frightened about what I’d heard around the table today. I’d
want all the help I could get to implement simple, but effective
security policies.”
Ian Moyse believes utility-based computing is the way forward
security-wise for smaller companies. “With Security SaaS you are
sharing your costs among thousands of businesses. You make the
connections at a price that fits your business. But you still have
to do your due diligence. You’ll have people trying to sell you
services who’ve been in business 5 minutes, saying ‘just look
at my website.’ Typically, however, you can justify a return on
investment of between 20% and 40% more valuable security at a price
20% - 40% cheaper than you can do it yourself, all based on utility
computing.”
Summing up the state of security, Quocirca’s Clive Longbottom
reiterates that a holistic, process-led approach that does not
depend on any particular technology is the way forward. “If people can move away from technology and look
at security with the process, then it makes absolutely no
difference what you’re running, whether it’s a Dell server or an
IBM machine. If it’s secure, it’s secure. It’s a shame if we can’t
get people to understand that.”
Lacey is less optimistic. “I think we’ll see a lot of changes,
and a lot of new threats. We still don’t do enough on the people
side; organisations should spend at least 10% of their security
budget on awareness. You can change people’s behaviour, but it
needs an entirely new approach to make things stickier.”
The measures companies can put in place to prevent data leakage and
how to integrate security into normal business behaviour through
technology controls, policies and staff education were discussed at
the recent FASTtalk Roundtable whose participants included Andy
Pearce and Sarah Wootton from FAST, John Lovelock Chief Executive
of FAST IiS, David Lacey from the BCS Security Forum, plus
Federation Members Webroot, LANDesk, Aladdin and Speechly Bircham,
FAST customer BMS World Mission, and analyst group Quocirca.