Information security is no longer merely a technical problem – it has become a business imperative. Organisations that have failed to grasp this fact can find their reputations shredded as quickly as sensitive data can be smuggled out of their networks.
Those responsible for information security management must therefore have a deep understanding of the technology and business processes within the company, and ensure that all information users follow best practice.
“Companies need to bring together IT, security, business, legal, HR and other professional groups to agree levels of acceptable risk and put in place the policies and controls needed to meet these targets,” says Professor Howard Schmidt, president of the Information Security Forum, a user group.
However, good data security is not just about good housekeeping, it is also a legal requirement. In the UK, the Financial Services Authority has imposed significant fines on organisations that have suffered data breaches as a result of their own negligence. Meanwhile, the Information Commissioner is seeking tougher powers to enforce data protection laws.
IT security chiefs should use the guidance from these regulators to shape their policies, says Chris Coulter, commercial lawyer and partner at law firm Morrison & Foerster. “The Information Commissioner is now very clear that encryption on mobile devices is a good thing and that failure to encrypt is going to be an obvious breach of the law if the data is subsequently lost,” he says.
“Clearly, the increasing prevalence of mobile devices is placing pressure on IT leaders to ensure that out-of-the-office data is properly protected and that users understand the basics of security – lock doors, password protect devices and don’t leave laptops on trains.”
Recent high-profile data breaches have pushed IT security up the boardroom agenda, and IT departments are in the spotlight like never before.
Security has always been a priority – at Meggitt Avionics it goes with the territory of manufacturing components for military aircraft. But increasingly the business understands the need for a holistic approach to IT security, rather than relying on point solutions.
Identity management has become a major issue for Meggitt Avionics. The firm uses single sign-on technology from Imprivata, which includes biometric authentication to control access to the corporate network, applications and sensitive data.
“Security must be part and parcel of everyday life,” says Stewart Gale, network services manager at Meggitt Avionics. “All our users understand the importance of data security and that any transmitted data has to be approved and cleared before being moved anywhere.”
A similar ethos is prevalent at the Scottish Government, where the IT security focus has shifted from protecting the network to securing data. This has required greater controls around process, says Ben Plouviez, head of information services at the Scottish Government.
“In the traditional security model we work inside a heavily fortified perimeter that is supposed to keep us safe from the bad people. It’s a model that is showing its age technically as well as failing to meet business needs,” he says.
The trick, according to Plouviez, is to understand the value of the information held and build appropriate security into the data so that if it does go walkabout, the consequences are minimised. “I don’t worry too much about the penetration of our network because if security resides with the piece of data, it will not really be an issue,” says Plouviez.
Fraud, espionage and sabotage continue to be major security challenges and an increasing focus for organisations. However, with cost-cutting measures now high on the corporate agenda and employee redundancies becoming more commonplace, new security threats are starting to emerge. Information theft is set to grow as the economic climate worsens, says David Feldman, vice president of technical services at security consultant PineApp.
“Internal security breaches are on the increase as disgruntled, laid-off workers seek to capitalise on their employer’s data,” he says. These internal threats have the potential to cause greater harm than attacks from external sources since employees often know where the most sensitive data is stored. In tough times, the security message has to be one of increasing vigilance and reducing vulnerabilities.
But IT will get little thanks for providing iron-clad security if in doing so it undermines productivity and business effectiveness. The key is to develop an approach to security that takes into account business needs, user requirements and information resources. Research suggests that insiders are responsible for about 90 per cent of all system attacks. However, almost two thirds of attacks are inadvertent – the result of poor user education rather than malicious intent or nefarious activity, says Feldman.
The majority of users are not intentionally trying to lose, steal or corrupt data – rather, they have little understanding of the impact of their actions. By combining information security strategies that reflect users’ needs with training that highlights potential risks, organisations can improve staff effectiveness and data protection without significant IT investment.
Indeed, many organisations waste a lot of resources securing systems that have no need to hold or process sensitive data in the first place. Delivering security value involves thinking more broadly about all the available mechanisms to reduce risk – not just the implementation of yet another security measure.
At the Scottish Government, the rollout of an electronic records system gave managers the opportunity to review and revise the sensitivity of the information being held.
According to Plouviez, it is the amount of personal and delicate data squirrelled away in unstructured data that interests him. “We are trying to identify and, as far as is consistent with our good business practice, delete the transitory, ephemeral and unimportant stuff that finds its way into our records,” he says. “We have to spot the data that is really at risk, rather than try to guard it all.”
With the recession likely to increase the strain on enterprise security in all its forms, IT chiefs will face some tough decisions. Nick Seaver, security director at professional services firm Deloitte, sums up the challenges: “To add value, organisations need to consider not just the technical aspects and options to implement security technologies and controls, but also whether changing technology, processes and people in the wider organisation may be more efficient.”
In the second part of our definitive guide to security, we explore how security issues are being tackled at some of the UK’s leading organisations.