Simply by operating on a day-to-day basis, companies are risking their reputations.
By serving food, each restaurant is risking getting a bad review, or causing a customer to become unwell. By producing a new car, manufacturers risk encountering technical problems that cause accidents, and by operating in a virtual world or communicating electronically, each company is risking loss of information or security breaches. But that risk must not stop the business from functioning; it simply needs to adequately protect itself.
IT security is not a new phenomenon, but the risks have become more widespread over the years and increased coverage in the press has made it an ongoing hot topic. The stories are always the same – a breach occurs, which ends up costing the company thousands (according to the Department of Trade and Industry’s Information Security Breaches Survey 2002, the average cost of a serious security incident in the U.K. in 2001 was £30,000) in downtime and data loss. It is only the source of the attack that makes each story slightly different. What comes up repeatedly is the issue of exactly where responsibility for preventing these breaches lies. Recent recommendations dictate that accountability for security must be with the Board, but in reality, is this the case? Where should the buck stop when it comes to implementing a solid, workable security policy that embraces BS7799 (or its international equivalent)?
What’s all the fuss about?
Before companies bared all on the Internet, they simply had to focus on keeping the office’s four walls secure. Now, potential threats are everywhere: the shift from paper-based documents to electronic ones, the Internet, and changing working practices that give employees access to the network on the move or from home have all contributed to the increasing risk of security breaches.
There is a lot more for the IT manager to think about – he or she needs to make sure that all avenues are protected – but without internal support from the board level, they can find themselves fighting a losing battle. This support should not just stop with financial backup and approving budgets. There also needs to be high-level commitment from the board behind the decisions that the managers make, from assessing risks to what systems are implemented. Further, the board is often ignorant of, or maybe chooses to ignore, some of the important legal issues (e.g. vicarious liability and corporate responsibility), which could mean that the employer/board is responsible for the actions of the employee.
Often the board steps in too late – that is, once a breach occurs. By that time, the costs are being counted, the share price might plummet and the IT manager has some awkward questions to answer. For many organizations, security is viewed purely from a technological standpoint – the risks and solutions are conveyed in a language that only techies can understand. This, however, should no longer be the case. Organisations have a duty to their shareholders, not to mention customers, to protect their organization’s assets. If the board itself does not understand what the organization’s security policy is, how do shareholders know if their investment is being properly protected? If security policies are lax and little communication is shared between the board and the IT department, a breach could result. If it does, it is not only the money that is lost – it is the company’s reputation that suffers long term.
In addition to the organization’s duty to its shareholders, in the U.K. it is legally obliged, under the Data Protection Act, to protect all the private and personal information held on its systems. Data is the company’s most valuable asset, and if that becomes compromised, there are bound to be repercussions. The biggest problem currently facing managers is that, as organizations ‘change shape’ in response to market conditions, working practices are changing at such a rate that policies are not adapting as quickly, leaving security loopholes across the network, which again opens the organization up to attack. Enforcement of such policies, e.g. BS7799, seeks to recognize that high-level members of the organization need to take more responsibility for its security practices. When personal liability is attached to any breach of legislation, board members finally take more of an active role in the company’s security. After all, in the worst-case scenario, the CEO could find him or herself fighting a prison sentence if not a hefty fine.
Educating the masses
It is already clear that the onus should no longer be placed entirely on the IT manager to do the job. Security does not stop at identifying the risks and implementing the equipment – it is an ongoing process to ensure that the security is working as it should. Solutions alone will not combat the threats – it is no good placing a bolt on the door if it is then going to be left wide open. The same applies to the IT security infrastructure. It’s all very well protecting data by implementing passwords, for example, but if employees write those passwords down on a post-it note and attach it to their monitor, it’s worse than not having any security there at all. The danger is that technology seduces organizations into a false sense of security.
Money and resources are often spent guarding the company against the ‘elusive hacker’ – the external phantom lurking behind the Internet. What organizations overlook is what is right in front of them – employees. I am not saying that every employee is a suspect, maliciously plotting to gain access to sensitive corporate files. It is the inadvertent mistakes, such as the password on a post-it note scenario, or emailing the wrong document to a customer, that can cause the real damage. According to KPMG’s Global Security Survey, 73 percent of security staff have no formal security qualifications. If this is the case with the security officers, what experience can we expect any employee, from HR to admin, to have?
By educating all employees, both as part of the induction training and on an ongoing basis, to raise awareness, the number of security mistakes can be dramatically reduced. The threat is not just limited to employees. The CEO is often overlooked and can arguably be the biggest internal risk. For example, the CEO is likely to have access to all of his or her organisation’s data. Unfortunately, at the same time, he or she is least likely to appreciate the need for each security control. Worse, the CEO’s PA may assume the ‘role’ of the CEO, inheriting all his or her permissions. This is why all members of the organization need to be privy to the organization’s security processes, from CEO to receptionist.
Ultimately, organizations know the importance of security to protect their assets, but it is the way it is managed that needs reviewing. The introduction of legislation, which attaches personal liability to a breach, is what has made the board take more notice of its security procedures.
In addition, when the risks are presented in business terms, equating directly to revenue loss, the board’s duty to its customers and shareholders means that it has to take greater involvement in making the decisions to build a policy that all employees are alerted to and understand. With this in mind, the previous attitude of “it could never happen to us” needs to be reconsidered. Security cannot continue to consist of risk and technological solutions; it has to become an integral part of the business plan to ensure that a company’s reputation and bank account are not affected by an attack.
Graham Peat is European marketing manager for Rainbow Technologies (www.rainbow.com).