In any organisation, information must circulate freely. But there are concerns to contend with as the amount of information grows. The two most obvious are security and storage. The IT department has multiple means of managing these matters. But it cannot provide guarantees alone. So, why should other parts of the business be worried about data security? What can management do about it?
Data security is often likened to an arms race. As increasingly sophisticated ways of protecting the company’s information assets are developed, so increasingly sophisticated ways of mounting attacks appear, too. Further, the damage done by failures is becoming more severe. Single repositories of data, that organisations form to obtain a single view of their activities, are singularly vulnerable and complex. Further, the Symantec Internet Security Threat Report notes that attackers are moving away from large, multi-purpose attacks against traditional perimeter security devices such as firewalls and routers. Instead, they are focusing their efforts on regional targets, desktops, and web applications that may allow an attacker to capture personal, financial and confidential information.
Some of the more worrying trends have little to do with technology at all. For example, malign forces are shifting their attention to the soft side of the business – its people. The aim is to manipulate staff into consciously or unconsciously leaking information that then leads to a full-scale breach. An employee might be “coached” to pass details on. Or when they leave a company, they might be tempted to do so then. Alternatively, recent research from Microsoft revealed that nearly a quarter of UK employees admit to having illegally accessed sensitive internal information on their employer’s IT systems and over half would do so, given the opportunity.
These are clearly HR and management issues. They are about policy, education and discipline. Remember too that it is only human nature to resist complications in life – of which IT security measures, with passwords and logins, can be some of the most irritating. Employees will circumvent them if possible.
Some aspects of these wider concerns are now commonly discussed, if less commonly stopped. For example, lots of sensitive information sits on laptops. But are employees in the field aware that it can be tapped on open networks? “How good and regular is security awareness training?” adds John Redeyoff, Director of Information Security at NCC Group, a specialist IT security company. “In our experience it is awful or never. The policy sits on a shelf and no-one ever receives training beyond ten minutes on their first day at work.”
“Recent, rather alarming research estimates that over 1 in 3 employees in the UK are unaware of company policy,” Brian Contos, chief security officer at enterprise security specialists ArcSight explains. “In a recent case in the US, an employee working from home, connecting through a VPN, let his son use his laptop on the weekend. While still connected, the son surfed the web and unknowingly picked up a virus. This then spread down the VPN, infecting the corporate network and several servers. An enforced policy on usage of company assets would have prevented this.”
However, even the best policies are not guarantees. And if data security is likened to an arms race, this also means that it cannot conclusively be won. For these reasons, many businesses are opting for “Big Brother” solutions, and watching what staff is doing online. “Since it is impossible to totally prevent unauthorised access by preventative measures, you must assume that unauthorised access can and will take place,” says Dave Martin of the security practice at LogicaCMG. “To counter this, staff must be aware that their actions are being monitored and that action will be taken when they are caught.”
Aware that this is something of a minefield, in the UK, the Information Commissioner has published a guideline about monitoring employees at work. “Any investigation must be justified and proportionate,” Mr Martin explains. “In practice, this means that an organisation cannot ‘go on a fishing trip’ just to see what might be happening.” It is also vital that employees know the extent of the monitoring.
A different but important business concern that revolves around data security is compliance. “Organisations in the UK are bombarded by legislation and regulatory requirements that have an impact on data management,” says Ian Cole, manager of professional security services for internet security systems. Coupled with high profile infringements and tough talk from regulators, this facet of data security has shot up corporate agendas. Researchers Vanson Bourne recently reported that 44 percent of UK IT directors are breaking the Data Protection Act.
Storage is often the critical issue here, with compliance requiring that data is securely retained and retrievable, possibly for years. However, balances must be drawn. On the one hand, there is a temptation to panic and throw money at the problem. “Modern business technology, especially e-mail, has enabled an unprecedented level of duplication and filing ‘anarchy,” says Correy Voo of BT’s business continuity security and governance practice. But on the other hand, the more hard nosed will realise that the technology can cost far more than fines, even when matters such as bad publicity are factored in. “For most organisations there’s no point in spending millions on document management, when the worse fine you could receive runs to tens of thousands,” continues Mr Voo. “Regulators realise that 100 per cent compliance is a very ambitious target. Reasonable and appropriate behaviour is all that they ask for.”
Data security is a factor that must be built into any business scenario where technology plays a part. Security must be budgeted for, not just as an overhead but also as a risk. “Data security is a genuine business concern,” concludes Mike Madison, director in IT security and privacy at Deloitte. “However, many put it as a downside risk, treating it as a negative issue rather than trying to exploit it for business benefit.” For data security can contribute to business success: wherever there are risks, there are also opportunities.