Safe from harm

Until recently, little attention has been placed on securing the real corporate valuables ­ – the data, information and knowledge that is held within and passes through IT systems.

IT managers used to believe that protecting the perimeter of the corporate network was sufficient, with security traditionally focused on protecting corporate IT assets, such as computer systems, datacentres, network infrastructure and business applications.

But with increased remote working and the possibility of rich electronic pickings in commercial data, attacks have become more complex and common. According to Tim Jennings, research director at analyst Butler Group, companies now need to look beyond the traditional security tools of user identification and authentication.

“Most businesses can point to malware detection, firewalls, email security measures, identity and access management and any number of other different elements designed to keep attacks at bay,” he says. “But it is evident that the majority of security breaches are attributable to a failure of process, rather than of technology.”

Certainly, documented security policies, certification and user education have been insufficient for the government departments in the headlines recently over data losses.

Organisations are waking up to the fact that their data is an important asset and that they have a duty of care towards the information in their custody. However, despite the high-profile security breaches, most organisations have very few controls in place to monitor their corporate information.

“The security measures attempt to erect fences, but they do not track what happens to the assets that sit behind them,” says Jennings. “There is rarely anyone with a clear mandate to manage and safeguard the information.”

For Debbie Moore, finance and IT director at marketing consultancy Other, the risk of keeping data on notebook computers was brought home when a portable device was dropped and the data destroyed.

“In the past, a lot of our work and information did not carry the same levels of commercial sensitivity,” she says. “But today we are very aware that we are responsible for our client data and we have to take much more care in the processes we employ to safeguard it.”

The pain of reconstructing lost data from a notebook that had not been backed up brought security issues to the fore.

“People have now become much more switched on to the question of security and their personal responsibility; we also realised that as our way of working changes, so must our security procedures,” says Moore.

External regulatory regimes regarding responsibility for the care of data and information are likely to extend across the public and private sectors in the next three years. Indeed, the Conservative party has recently proposed to make it an offence for government employees to neglect their duty of care to information management.

It seems likely that responsibility for information management will continue to rise to the top of everybody’s agenda.

Organisations, therefore, need to be seen by their customers, stakeholders and partners as safe custodians of corporate information assets.

The shape and size of security risks has also changed greatly over the past few years. Ian Liddell, policy development and quality manager at Brunel University, points to email as a prime example.

“Four years ago, we handled between 20,000 and 40,000 email messages per day,” he says. “Today we are averaging three million messages per day, and on a busy spamming day, such as the recent US Super Bowl event, email levels rose to almost four million.”

With spam accounting for up to 96 per cent of total internet traffic in 2007, according to a recent report by security specialists PineApp and Commtouch, email handling is no longer simply a question of making sure that the firewall and anti-virus software are up to date.

“We have to up our game and make sure the bad material keeps being turned away, but that legitimate messages keep coming through. We cannot rely exclusively on the security software; we need the input of the professional users to help us differentiate the content of the genuine messages from the spam,” says Liddell.

“Imagine the magnitude of the task if Brunel won a new research project looking into the side effects of Viagra. Security can no longer be managed from the computer centre; it has to be proactively managed within the business.”

The days of the high-profile teenager hacking for kicks are over; fraudsters have become better organised and more resourceful. David Porter, head of security and risk at information intelligence consultant Detica, says one of the biggest and fastest-growing security threats will come from specialised, criminalised groups.

“We are now coming across an increasing consolidation of financial criminals working in organised networks, colluding with compromised insiders, exploiting the data complexity explosion and benefiting from lax management policies and practices,” he says.

“A key security concern for companies has to be the fusion of insider and organised third-party fraud.”