Security policies – the constantly moving goalposts

Far from being the ‘nice to have’ it was once thought to be, IT security has finally reached the level where it is viewed as an essential consideration for businesses today.

Alongside their word processing and email systems, the vast majority of businesses at least authenticate users with a username and password and run tools such as anti-virus software.

Many companies have taken this further to incorporate firewalls, intrusion detection software, encryption, PKI, or even biometrics where users log in with a fingerprint or retina scan, for example. They might even know how important a centralized security policy is, and have one in place stating that anti-virus software must be updated regularly, nobody must write down their passwords and users must not download software from the internet.

IT departments know what is happening on the network and feel confident that they are in control of their systems and users and can keep prying eyes out.

Good or bad?

It is true that to keep your private business information in and the 'bad guys' out a robust security policy must be at the heart of every organization. However, without proper enforcement even the best-laid security plans can all too easily go to waste. If your security policy hasn't actually been updated for the last 18 months, it is as good as useless. In fact, having a security policy that is ignored or out of date can often be worse than not having one at all. Knowing that there is a security policy often makes management and users complacent because they assume all bases are covered, which is a dangerous situation to be in if in fact nobody has really thought about security in the past six months.

Security is only ever as good as the weakest link – there is no point having locks on every door and bars on every window in your house if you then go out and leave the back door wide open. The fact that the front door was locked and bolted will be little compensation when you are faced with a burglary.

Security policies must be reviewed regularly by a dedicated team to ensure that they are up to date, relevant and address every area of risk the organization actually faces. They must be comprehensive and definitive and, more importantly, they have to actually be implemented and monitored. There is no point having a policy if nobody even knows what it contains, let alone sticks to its guidelines.

The forgotten element

When defining their security policies, more often than not companies only focus on threats within the building or the risk of malicious external attacks. To this end they may have a comprehensive password policy demanding that users change their passwords on a regular basis, as well as employing anti-virus software, firewalls and intrusion detection solutions to keep the company safe. This will probably sound familiar to a lot of readers who are nodding and thinking, 'yes, we do that'. But this doesn't address every weak spot.

The problem is that many companies have rushed into rolling out mobile and wireless devices without giving security the consideration it demands. More and more companies are allowing remote workers to log in from home using laptops, or letting the sales team hook up their own PDAs to the corporate network, without realizing that every time they do this they are effectively punching a hole in their security infrastructure.

These employees are putting the company at risk of a security breach without even realizing it. Mobile working has undoubtedly brought flexibility and convenience into working life, but when these 'rogue' devices are unsecured and fall outside the corporate security policy, their unwitting use opens yet another backdoor into the organization's infrastructure.

Laptops and PDAs - the weakest link?

Despite the fact that laptops and PDAs are becoming more and more prevalent, organizations often treat their security as an afterthought. Laptop and PDA security can be implemented quickly and easily, yet it often gets ignored until a device is stolen or carries a virus onto the network.

Very often the value of the information stored on a laptop or PDA will exceed the value of the hardware itself. This being the case, businesses must install security measures as standard, such as boot protection, pre-boot user authentication and full hard disk encryption, so that whoever ends up holding the device cannot read the data on it. They must also run anti-virus software that is updated every time the device connects to the network, to protect the company's resources from viruses such as the infamous LoveBug, which brought down mail systems and networks by the thousand.

It needs to be a key element of the security policy that no mobile device without adequate security standards can be connected to the network or used to store company information of any sort.

Another problem with PDAs is the fact that they are often connected to networked PCs without the knowledge of the IT department, and many totally unsecured devices are used to contain vital business information, such as customer contact lists or R&D information. In addition, the size of PDAs makes them even more vulnerable to loss or theft than laptops.

You can't stop laptop or PDA theft occurring and you certainly can't guard against employees leaving them in the back of taxis or in the pub – you just have to read the tabloids to see that. However, it is comparatively easy to stop unauthorized people gaining access to those devices once they have come by them.

Businesses need to incorporate laptops and PDAs into their security policies and make sure that every mobile device used for company business is secured, so that the information stored on it remains protected if the device is lost or stolen, no matter who gets their hands on it.

From paper to reality

It is all very well and good having written policies and ensuring that your users are aware of them, but the IT department needs to take ownership of actually implementing the policies across the organization.

There are numerous ways to manage policies so that the network is protected at all times. There are tools available for device blocking that control which devices can be used by which users, for example not allowing the use of CD writers, which could otherwise let a disgruntled employee copy the entire customer database to a disc and carry it out of the building. Equally, policies of this type let the IT department disable the CD writer on a laptop, so that even when the laptop is not connected to the network, use of the unauthorized device is still restricted.

The IT department can also implement policies that are very tightly defined in terms of rights for applications, types of file and individual users. This enables them to restrict exactly what particular users can do depending on who they are. You would, for example, be able to stop employee A from running Excel files containing macros, while user B can run any Excel file at all.

Policies can be rolled out to manage virtually any threat, from users connecting unauthorized devices to the USB port, to only enabling PDAs to be synchronized with networked PCs rather than home PCs, or even demanding that any memory sticks used as a backup must be encrypted. They could even be used to control what the user 'fiddles' with, such as the configuration files, therefore reducing IT support calls. It is just up to the IT department to ensure that they are successfully implementing policies across their organization that not only make sense, but that do not restrict the day-to-day business processes.
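The three controls described above (blocking CD writers, restricting macros per user, and insisting that memory sticks used for backup are encrypted) are enforced on Windows as registry-backed Group Policy settings. The following script is an added example written for this page; it is not code from the article or from any vendor product. It writes the same registry values that the corresponding Group Policy settings set, so the policy can be tried and audited on a single machine; in production the settings would be deployed by GPO or an MDM rather than by running a script on each host. The Office version path (`16.0`), the placeholder user SID and the function names are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Writes the registry values
# behind three standard Group Policy settings and reads them back for audit.

function Set-PolicyValue {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $Value
    )
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

function Get-PolicyValue {
    param([string] $Path, [string] $Name)
    # Returns $null when the key or value is absent, i.e. the policy is not configured.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# --- 1. CD/DVD writers: deny write access (the "copy the customer database
#        to a disc" case). This is enforced locally by the removable-storage
#        policy, so it still applies when the laptop is off the network.
$RemovableStorage = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$CdDvdClass       = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'   # device setup class for CD/DVD drives

function Set-CdWriterBlocked {
    Set-PolicyValue -Path "$RemovableStorage\$CdDvdClass" -Name 'Deny_Write' -Value 1
}

# --- 2. Memory sticks: allow writes only to BitLocker-protected removable
#        drives, i.e. "any memory stick used as a backup must be encrypted".
#        Setting Deny_Write on the removable-disk class instead would block
#        encrypted sticks as well, so the BitLocker policy is the right knob.
$Fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Set-UnencryptedRemovableWriteBlocked {
    Set-PolicyValue -Path $Fve -Name 'RDVDenyWriteAccess' -Value 1
}

# --- 3. Per-user macro policy: "employee A may not run Excel files with
#        macros, user B may". VBAWarnings is the value behind the Office
#        "VBA Macro Notification Settings" policy:
#          1 = enable all, 2 = disable with notification (the default),
#          3 = disable except digitally signed, 4 = disable all, no notification.
#        To target another user, their hive must be loaded (e.g. they are
#        logged on) and it is addressed through HKEY_USERS\<SID>; the SID is
#        whatever your directory reports, the value used below is a placeholder.
function Set-ExcelMacroPolicy {
    param(
        [ValidateSet(1, 2, 3, 4)] [int] $Level,
        [string] $UserSid = $null,             # omit for the current user
        [string] $OfficeVersion = '16.0'       # assumed: Office 2016/2019/365
    )
    $root = if ($UserSid) { "Registry::HKEY_USERS\$UserSid" } else { 'HKCU:' }
    $path = "$root\Software\Policies\Microsoft\Office\$OfficeVersion\Excel\Security"
    Set-PolicyValue -Path $path -Name 'VBAWarnings' -Value $Level
}

# --- Audit: read the values back so the policy is monitored, not just set.
function Get-MobileDevicePolicyState {
    param([string] $OfficeVersion = '16.0')
    $excelPath = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Excel\Security"
    [pscustomobject]@{
        CdDvdWriteDenied          = (Get-PolicyValue "$RemovableStorage\$CdDvdClass" 'Deny_Write') -eq 1
        UnencryptedUsbWriteDenied = (Get-PolicyValue $Fve 'RDVDenyWriteAccess') -eq 1
        CurrentUserExcelMacros    = Get-PolicyValue $excelPath 'VBAWarnings'
    }
}

# Apply the baseline to this machine and the current user, then report.
Set-CdWriterBlocked
Set-UnencryptedRemovableWriteBlocked
Set-ExcelMacroPolicy -Level 4                                   # employee A: no macros at all
# Set-ExcelMacroPolicy -Level 3 -UserSid 'S-1-5-21-0-0-0-1001'  # user B: signed macros only (placeholder SID)
Get-MobileDevicePolicyState | Format-List
```

Run the audit function from a scheduled task or your endpoint management tool to confirm the values are still in place after a machine has been off the network; a policy that was set once and never re-checked is exactly the 'paper policy' the article warns about.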

No excuses

There simply is no excuse for poor standards of security. It is relatively easy to implement security policies that are managed automatically and centrally, so that whenever updates or changes need to be made they can be rolled out across the network, even to laptops and PDAs, ensuring that the company infrastructure and all its devices are always as well protected as they can be. Users need to be educated about the risks involved and the steps they need to take and, more importantly, the organization's IT security needs to be reviewed and updated on a regular, ongoing basis.

Organizations need to take control themselves, know exactly what is being connected to the network and make sure it is protected adequately from any security threat from viruses to unauthorized access. Otherwise they must face the consequences of security breaches that ensue.

Jackie Groves is U.K. managing director of Utimaco Safeware AG
