Paul Simmonds, ICI global information security director, has a two-fold philosophy: “Listen to what the business wants and keep it simple.”
Ensuring security for the paints and adhesives specialist, which is now part of manufacturing giant Akzo Nobel, has specific challenges, but Simmonds believes this straightforward approach leads to good results for all companies, from large corporates to small and medium-sized enterprises (SMEs).
“A basic principle is that complexity is the enemy of good security,” he says. “By delivering secure systems that follow the path of least resistance, you are more likely to succeed and avoid the yellow Post-It sticker under the PC. But bake security in; don’t bolt it on.”
Beyond these principles, Simmonds believes you can afford to cast a wary eye on the latest security technologies.
“Data leakage prevention (DLP) is being hyped and everyone is trying to flog it,” he says. “Established vendors are tweaking existing products to DLP, while there are a whole bunch of startups selling it. But vendors are always telling you that you have a big problem and they will solve it for you.
“We have always done DLP at ICI,” he adds, pointing out that all laptops are encrypted – a rule that was mandated five years ago. “We follow the 80/20 rule – 80 per cent of security is about people, processes and procedures and only 20 per cent is about technology. As the saying goes: ‘If you think technology will solve the problem, then you don’t understand the problem.’ But it can be hard to ignore a good salesman.”
A particular security challenge for ICI as a global company is scaling up. Simmonds says a lot of technology is designed by small startups with a small-company mentality, and such firms do not necessarily think about how the product can be rolled out on a large scale.
“However, big corporates have people such as me to make things work more easily, rather than IT managers charged with doing security part-time,” says Simmonds.
Being able to focus on security without distractions is a boon, and several people in Simmonds’ team act as internal consultants for the company.
“By working with the business as an internal resource, we can find out what the business wants to do and enable it to do it securely,” he says.
“We have a good relationship with the business and a healthy grapevine, but nothing is foolproof and the danger is when something is not big enough to bubble up to our attention. The further away you get from the corporate locus of control, which is in London, the greater the risk.”
With about 26,000 employees in 55 countries, keeping tabs on what everyone is doing in every site is an impossible challenge – but good communication pays dividends.
“We have done a reasonably good job in getting the message out to the depths of the business,” says Simmonds, who mentions one particular business trip involving a not-too-onerous three-night stay at the Hilton hotel in Phuket, Thailand.
“I went out in the summer of 2006 to talk about the secure wireless project we were doing with Aruba Networks and had meetings with the regional IT managers for Asia. All these people were clamouring for wireless and sometimes wireless had been implemented below the corporate radar.
“I pressed the flesh and got the security message across about where to go for help. I let people know that after the wireless network had been rolled out, the gloves were off and they should come clean and do wireless properly and securely.”
The amnesty worked and the business is using wireless securely under the corporate umbrella, but ongoing vigilance against security threats remains a priority, and ICI uses scanning software from Qualys to detect rogue access points on its network.
“QualysGuard is a pure vulnerability assessment tool and looks at every single active IP address on the network. It applies a tree of tests in the most efficient way and works out if you have not applied a patch or have a vulnerability,” says Simmonds.
ICI faces the normal security threats, he says. What is far from mundane is the amount hackers and spammers are investing in their criminal activities compared with what legitimate businesses are investing in security.
“ICI is not that different from everyone else in the threats we face, with the exception of banks,” says Simmonds.
“We are facing the same old nonsense – but the problem is the bad guys are getting more professional and are doing a better job than businesses of training their people – even paying for their education at universities – with the result that they are getting a better return on investment.”
Criminal professionalism means the threat is moving from email to the web, as companies are more adept at preventing email-borne viruses.
Simmonds has reacted with new technological defences.
“Most anti-virus companies do a reasonably good job of stopping emails with a virus, such as the Rudolph screensaver at Christmas, on which if you clicked you executed a virus,” he says.
“Many companies will block all executables, but we can’t do that because the nature of our business is so diverse and we need to be able to send rich multimedia content, such as video files. Our solution is to put 100 per cent of emails through MessageLabs for screening.”
More than 100 million emails bound for ICI are screened by MessageLabs every year and of them, three to five per cent are malicious, which Simmonds says is a normal percentage figure for corporations.
However, spam is more slippery. It is not surprising some junk mail gets through when 65 to 75 per cent of emails sent to ICI contain spam. IT directors need to be alert, though – Simmonds says cyber criminals are increasingly using spam to entice users to click on web sites that contain viruses.
“They have moved from email to the web and a lot of spam tries to get you to click on harmful sites that have not been categorised by a web filtering service, or on genuine sites with vulnerabilities. Employees use web mail and personal email so spam can leak in,” says Simmonds.