Who cares if British Gas customers can see each other’s invoice details?
Well I suppose the people concerned probably do, but the seriousness in terms of financial loss is, er, ... zero. Security has always been important in all walks of life, but it's taken the internet to bring the issue to some people's attention in terms of how computers and networks are used and abused, and the need for protection.
Privacy is one thing and it has certainly heated a few collars recently and given a springboard for lots of 'internet security' products to stake their claim on a potentially massive but still gullible market. Many internet users are still novices, and while many are seduced by the trend-setting and dynamism of the internet, the majority of users in general have no real understanding of the security issues involved, less still how to implement them.
Even business owners and stakeholders who actually carry the can for 'security' (whether they realize this or not) often do not understand what is needed. To know what to do, the risks have to be understood. In computer terms, this does require some degree of knowledge about the technology being used - at this point, another few heads bury themselves in the nearest bucket of sand, probably still there in the corner of the office as a remnant of the company's outdated fire policy. Law firms, accountants and most financial institutions have carefully, and probably expensively, worded legally correct and compliant disclaimers on their emails and sometimes even the acknowledgements they send automatically. But amazingly, the people who send emails are often unaccountable when it comes to the access they have to the information they can send, the content they use and the recipients of the information they are sending. A case of damage limitation instead of damage prevention surely?
Financial loss and fraud is a far more serious issue than that of privacy. OK, that's subjective but commercially it is true. Privacy is generally a fashionable issue. It may not be headline making, though, but the truth is that the most significant threats in the context of computer network security are inside an organization's firewall.
Trusted employees in general - can't be. Everyone should be accountable, whoever they are and whatever they do.
Auditors now expect organizations to be able to track who has been on the network, when they were on, what they did, when they did it, where they did it. The pressure is on IT security officers (do you know who yours is?) to be able to comply with their company's security policy and meet their auditor's requirements.
While there are software tools available that help, a culture change should be the first item on the agenda, which probably explains why it is so difficult. A good example is the use of passwords. Everyone uses them and probably everyone has abused them. Passwords are still a very effective, low cost, easy to deploy method of authentication but not if users still insist on writing down a variety of their passwords on Post-its stuck to their desks or monitors - the really security conscious users at least hide the Post-its in a drawer!
If you strengthen your authentication process your network is more secure - it's that simple. Once you are more sure of who is on the network, then it is possible to focus on monitoring for inappropriate or exception type activity amongst your 'trusted users.' The most trusted are typically system administrators and IT consultants/analysts. This is out of necessity rather than choice and is a often an area hard to reconcile with a company's security policy. Auditors would love to be able to hold this unruly bunch to account and re-establish themselves as the rightful custodians of their organization's electronic assets ... in the good old days before computers, wasn't life a lot easier?
Mark Altman is managing director of Altman Technologies Ltd (www.altman.co.uk).
Altman Technologies Ltd is exhibiting at Infosecurity Europe, Europe's largest and most important information security event. Now in its 8th year, the show features Europe's most comprehensive FREE education program, and over 200 exhibitors at the Grand Hall at Olympia from April 29 - May 1, 2003. www.infosec.co.uk