With the internet and mobile working playing increasingly important roles in business, connecting to internal systems is becoming far easier.
But that fact rings true for society’s more malicious elements as well as trustworthy staff members, partners and suppliers.
More than ever, security is now about keeping information safe while allowing maximum flexibility for employees. So how do you strike the right balance?
Of course, the answer depends on the company concerned – but there are universal dos and don’ts that govern all companies. So before looking at how it should work, it pays to examine how it should not be done.
1. The Road Block (or ‘all eggs in one basket’)
Over-reliance on one or two areas, to the detriment of others, is a security crime that will inevitably be punished. For example, many companies (particularly SMEs) still put too much faith in the firewall alone to shut out attacks, or focus too heavily on virus protection because it’s where they see themselves as most vulnerable.
There are a number of access points in any network for hackers, so this is effectively forming a roadblock on the main route in, but leaving the other routes without any form of policing. It is also ineffective against insider issues.
2. The Reactionary (or ‘shutting the gate once the horse has bolted’)
Intrusion detection is highly effective, but it should be thought of as a burglar alarm. No business would just install a siren but fail to put bolts on the doors, install CCTV, etc.
However, where the network is concerned, many of the businesses we’ve looked at have an over-reliance on this form of security. Of course, it’s crucial to be alerted when a breach takes place but dependence on this technology leaves important data open to both internal and external threats.
3. The Patchwork Quilt (or ‘divide and fall’)
Myth: if you buy the best security products on the market then you’re less likely to suffer a security breach.
The fact is you can do as much as you like, but if you don’t tie the disparate elements into an overall strategy you inevitably leave gaps, as well as an immense management headache.
4. The Plate Spinner (or ‘too much to manage’)
But even joining everything up isn’t a guarantee of security if you’re blind (or blinkered) to what is going on. The key to effective security is vision – the ability to monitor all areas simultaneously, as well as set up alerts to irregular activity that your eyes may miss.
Without a centralized management system, it’s like spinning plates; you get on top of a couple of areas, but need to keep rushing back and forth between others in the hope that you can catch them before anything serious happens.
5. The Agoraphobic (or ‘too paranoid about what’s outside’)
Fear of external threats is understandable, but that’s no reason to put all your effort into fending off the wolf at your door. It’s a fact that, just as most accidents happen in the home, by far the majority of security breaches are committed by internal users or former staff with a grudge/something to gain. In this scenario, privilege and password administration is crucial.
A recent Meta report highlighted that, during the lifecycle of an employee, he or she has 17 user IDs. But, when employees leave, only eleven user IDs are ever deleted. These oversights are potentially damaging to organizations, yet they still persist in relegating them to an afterthought.
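An added example (not from the original article): a minimal reconciliation of account exports against an HR leaver list, flagging user IDs that remain enabled after their owner has gone. The system names, employee IDs, dates and record layout are all constructed for illustration.

```python
from datetime import date

# Constructed HR leaver list: employee ID -> last working day.
LEAVERS = {"E1001": date(2024, 3, 29), "E1002": date(2024, 5, 10)}

# Constructed account exports merged from several systems:
# (system, user ID, owning employee ID, enabled, last login)
ACCOUNTS = [
    ("ad",   "jdoe",       "E1001", False, date(2024, 3, 28)),
    ("vpn",  "jdoe-vpn",   "E1001", True,  date(2024, 4, 15)),
    ("crm",  "john.doe",   "E1001", True,  date(2024, 3, 20)),
    ("ad",   "asmith",     "E1002", False, date(2024, 5, 9)),
    ("unix", "asmith",     "E1002", True,  None),
    ("ad",   "bjones",     "E2001", True,  date(2024, 6, 1)),
    ("crm",  "svc-report", None,    True,  date(2024, 6, 2)),
]

def orphaned_accounts(leavers, accounts):
    """Flag enabled accounts whose owner has left or was never recorded."""
    findings = []
    for system, user_id, owner, enabled, last_login in accounts:
        if not enabled:
            continue
        if owner is None:
            findings.append((system, user_id, "no owner recorded"))
        elif owner in leavers:
            used_after = last_login is not None and last_login > leavers[owner]
            reason = "used after owner left" if used_after else "enabled after owner left"
            findings.append((system, user_id, reason))
    return findings

def leaver_summary(leavers, accounts):
    """Per leaver: how many user IDs exist and how many are still enabled."""
    summary = {emp: {"total": 0, "enabled": 0} for emp in leavers}
    for _system, _user_id, owner, enabled, _last_login in accounts:
        if owner in summary:
            summary[owner]["total"] += 1
            summary[owner]["enabled"] += int(enabled)
    return summary

if __name__ == "__main__":
    for system, user_id, reason in orphaned_accounts(LEAVERS, ACCOUNTS):
        print(f"{system:5} {user_id:12} {reason}")
    print(leaver_summary(LEAVERS, ACCOUNTS))
```

Accounts with no recorded owner are reported separately because they cannot be matched to any leaver and would otherwise never be reviewed.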
6. The Placebo (or ‘do a bit to make me feel better’)
Token efforts don’t make for good security strategies. While the CEO may not understand the intricacies of PKI or single sign-on, it’s the job of IT to flag up why investment is so important.
Just putting in a few point solutions for greater peace of mind or to preserve budget for ‘more strategic’ projects doesn’t work. Security should be done thoroughly or investment is wasted.
How it should be done
So, how do you avoid the scenarios above?
Put a policy in place. Independent research from the DTI shows that 44 percent of companies have suffered a malicious security breach, but only 27 percent have a documented security policy in place. Commit rules, advice and guidelines to paper so everybody knows where they stand, for example, with the opening of email attachments or access to certain areas of internal systems.
Move with the times. Policies must evolve in line with progress, threats and strategic thought. One written five years ago (or even one year ago) would have little relevance to business today, so if it’s static it will be found out. You also need to keep up to date on the latest vulnerabilities that have been discovered and be sure that you have taken appropriate steps to close them off.
Check on policy implementation. It’s no good having a policy or buying security software if it is not implemented. You need to continuously check that the software you bought is installed and operating correctly, and that the policies you set are being followed. It helps if you can automate these checks.
Back up your defenses. Prevention is better than a cure. Any security strategy must be carried out in layers, with solutions used to complement others. For example, intrusion detection is a good backup for the firewall, in case anybody is able to breach that level (as inevitably they will if they try hard enough).
Look at who’s in control. The administrator account on Windows and root on Unix have wide-ranging powers that can be abused. It is important to severely restrict access to these accounts and to limit the scope of individual administrators, so safeguarding your systems from internal abuse.
Take a joined-up approach. Bear in mind issues such as compatibility when selecting solutions, and be sure to integrate them into the overall strategy and environment.
Be omniscient. Overlay this with an advanced management system, comprising proactive analysis and reactive alerts. Portals are extremely effective in this area, allowing simultaneous and interactive monitoring, analysis and alerts all via a single interface. Platform independence also means that they can be deployed quickly and effectively without the need for widespread integration.
Watch your back. Don’t forget that security is as much about what’s leaving the company as who’s coming in. Ensure that you have internal authorization and barriers in place as well as external defenses.
Cut out the mistakes. Don’t let down your good work by falling foul of admin overload. Implement a single sign-on policy across the enterprise to ensure that changes, deletions and additions can be carried out instantly and regularly.
Learn from breaches. Make sure that you have audit trails in place internally and are able to carry out some form of internal forensics. Inevitably (even with the best security money can buy) there will be the odd breach, but learn from this. Find out what happened, how and why, and move to ensure that similar breaches don’t occur in future.
Don’t go overboard. Don’t compromise users’ ability to carry out their jobs by making security too tight. The whole aim of security is that it should be transparent, only kicking in when required. There’s always a trade-off with usability, but nobody will thank you if they have to input passwords every ten minutes or can’t access the data they need.
Mike Small is vice president of eTrust R&D at Computer Associates (www.ca.com)