Despite all the warning signs, many businesses are still failing to take cyber security seriously, says Neil Hodge
While surveys from the likes of professional services firms such as KPMG and PricewaterhouseCoopers have indicated that employee fraud is set to rise this year as a result of the credit crunch and workplace dissatisfaction (largely due to salaries being frozen or reduced, bonuses being cut, and heavier workloads), most IT professionals believe that the main risks to cyber security stem from lax internal security protocols and opportunistic attacks from outside the organisation. Indeed, several recent high-profile data lapses have arisen due to laptops and USB pens being left in public places and unencrypted compact disks being lost in the post.
‘Organisations and their risk officers need to realise that breaches and data leakages are not always of malicious intent,’ says Mike Gillespie, director of information assurance at IT consultancy Advent IM. ‘The most detrimental cases can be caused accidentally where an employee fails to follow due process or is unaware of the process: for example, working remotely and leaving a valuable memory stick on the train.’
David Porter, head of security and risk at Detica, the information intelligence specialists, says that one of the key causes for IT security breaches is that people simply do not regard data as valuable, or fail to see the potential importance to a third party of the information they are working on. ‘Traditional business records are now increasingly managed by computer technicians and end users for whom the term “record” has no strong meaning other than “a collection of data” or “a file on my hard disk”,’ he says.
There are plenty of IT solutions on the market that can help make an organisation’s IT systems and data more secure, ranging from the basic (and cheap) products such as anti-virus and anti-spam software, storage back-up systems, content filtering, data encryption, password and ID protection, to the more sophisticated (and expensive), such as biometric technology verification processes, including fingerprinting, iris scanning, facial matching and vascular technology. While organisations should ensure that all highly sensitive data is encrypted (at the very least), introducing other simple measures – such as user profiling, segregating the network and implementing password protection – can ensure data is accessed only by those who have proper authorisation.
Tony Caine, European vice president of Borderware, an IT security software provider, says that the amount of data that is leaked due to poor encryption protocol is astounding. ‘There is no reason why any organisation should ignore encrypting data, especially if they regularly transfer data either via email or on a storage device. Data leakage through email can be avoided if the data is automatically encrypted upon exit from the main server. All IT managers should ensure that their data security measures include adequate encryption software.’
Ori Eisen, founder and chief innovations officer at 41st Parameter, which produces fraud detection solutions, says that firewalls, password protection and encryption mechanisms are effective ways of making data inaccessible to unauthorised individuals, but they can all be rendered useless if staff are not trained in how to detect whether people have authorisation. ‘Many untrained employees will, virtually without question, reset a password to help resolve a fictitious problem for someone posing as a colleague. Employees who have overview of system access are one of the most important barriers that a company has,’ says Eisen.
‘In addition, employees who use their home networks to download software could be putting their company’s data integrity at risk. If they connect a company laptop to their home network, hackers have an avenue into the company’s network that can be easily exploited.’
Eisen says that the problem with many of these more conceptual approaches is that employees find it hard to think like a fraudster. ‘It is key, however, that they are made aware of the level of certain threats, and understand the mechanisms commonly used by fraudsters and phishers. With a little training, these employees can improve their effectiveness in creating an additional layer to maintain the integrity of customer and corporate data.’
Shaun Cooper, media and technology underwriter at Pembroke, a Lloyds’ syndicate, says that organisations should also implement best practice guidance or industry-accepted standards on securing their IT systems, such as ISO 27001. However, like purchasing technology, organisations believe that the associated costs of following best practice can be too high, particularly in the current economic climate. Neil O'Connor, principal consultant at independent security consultancy Activity, says that according to his research, one third of respondents who have considered, but not implemented, an information security management system such as ISO 27001, thought the cost of doing so would be prohibitive. As a result, a lot of organisations may not be adequately protected.
The popularity of social network sites can also create a number of cyber security issues. Company employees are engaging with social networking sites and other web 2.0 phenomena as part of their day to day work. However, these sites are becoming breeding grounds for the scourges of cyberspace – spammers, phishers and other cyber criminals. Caine says that these services present so many different ways for staff to communicate, which means the opportunities for cybercriminals to jump-in and steal people’s data – or worse – are innumerable.
A recent Sophos poll revealed that 63% of system administrators worry that employees share too much personal information via their social networking profiles, putting their corporate infrastructure – and the sensitive data stored on it – at risk. The findings also indicate that a quarter of businesses have been the victim of spam, phishing or malware attacks via sites like Twitter, Facebook, LinkedIn and MySpace. A typical method of attack is for hackers to compromise accounts by stealing usernames and passwords – often using phishing or spyware – and then use this profile to send spam or malicious links to the victims' online friends and colleagues. Sophos research reveals that one third of respondents have been spammed on social networking sites, while almost one quarter (21%) have been the victim of targeted phishing or malware attacks.
Neil Fisher, vice president of global security solutions at software company Unisys, says that an organisation’s senior management needs to set the tone for how the rest of the workforce is supposed to regard data and cyber security. ‘Information has value,’ says Fisher. ‘Criminals have known that for some time and intuitively the general public do too, yet business and government apparently do not and that is unacceptable. There is an urgent need for information to be formally registered on executive board risk registers and closely monitored by audit committees and, in particular, non-executive directors.’
Responsibility for an organisation’s data must be clear and accountable. The Information Assurance Advisory Council, an organisation dedicated to providing IT security guidance and best practice, produced a comprehensive guide to managing information risk which argued that non-executive directors in the public and private sector should now be held accountable for data management along with other senior officials, such as senior information risk officers (SIROs).
A recent survey by web security firm Websense revealed that security professionals unanimously believe that businesses exposing consumers’ confidential data through a serious data breach should be punished for security negligence. Nearly a third (30%) thinks that CEOs and board members should face imprisonment; 62% believe companies should be fined; 68% call for compensation for consumers affected. The survey also reveals that little improvement has been made with regard to organisations’ approach to security with more than 50% of respondents suggesting this is due to businesses not taking action as they are not legally required to do so.
A lot of IT experts champion the role of the SIRO. Gillespie says that this kind of staff member can address information risks rather than IT risks, which often mistakenly fall under the same umbrella. ‘Information risk can include anything from missing documents to ineffective personnel. By having this member of staff feeding into the senior board team, it will ensure that this very important issue is pushed up onto the management agenda. If you put security in the hands of a “techie” then you are more than likely to be provided with “techie” security solutions.’
Paul Judd, regional director of Fortinet, an IT security software provider, says that ‘with continued speculation that US-style laws will soon be introduced to the UK, making it compulsory for companies to publicly disclose any instances of data breaches, businesses may well be forced to suffer the humiliation of publicising their own weaknesses. While this shouldn’t be the only driver, it is clear that businesses need to take action and prepare for the unexpected before it’s too late.’
Postscript
Neil Hodge is a freelance writer