IT security is often restricted to the operational level within organisations, and viewed as part of the IT function rather than being a component part of an integrated organisational security policy. Robert Knight discusses how this state of affairs may lead to some common pitfalls, and highlights several areas where a change of managerial mindset might well engender Best Practice.
During the course of my work auditing companies’ IT security procedures, I’m often struck by just how much those procedures are isolated from other aspects of the organisations’ security activities. Generally speaking, the security or facilities manager has little involvement with IT security. They may liaise with the IT department but do so relatively infrequently, for example to discuss how the security network impacts on the operation of access control and other electronic technology.
The security of data is usually handled by the IT department. However, it’s often the case that there’s no IT or technical director to facilitate the development of any strategic approach. There has been a trend towards paring down IT departments in recent years, so there may only be a couple of in-house staff in operation. As a result, much of the work is carried out by contracted personnel.
There’s nothing wrong with that set-up per se, but clearly such an operational strategy can lead to a lack of continuity. Contractors who are destined to be in situ only for a few months may not possess a detailed knowledge of the host organisation’s IT policy or, not feeling a particularly strong commitment to the company, may be inclined to just do things their own way. Effective supervision is needed to ensure that everyone works in tandem, moving in the right direction, whether they’re permanent or contract staff.
It’s not uncommon for organisations to develop a strong interest in IT security only once the system has actually been compromised. In this situation, companies may completely hand over responsibility for finding the solution to an IT consultant. This may not provide a total answer in terms of ensuring effective practice on an ongoing basis with full commitment from relevant personnel.
IT security: Best Practice
There needs to be a comprehensive IT security policy covering areas such as contingency planning, frequency and method of system back-up, anti-virus systems, staff use of e-mail and web sites, testing of procedures – and an eye trained on IT developments at all times.
When asked to detail what IT security involves, most people would think of measures such as encryption and firewalls. However, it’s important to consider the people issues as well as the technical aspects. For example, if company policy dictates that all personal e-mails are forbidden or if staff aren’t permitted to visit certain types of web site, this needs to be expressed very clearly to them, preferably in writing within their own Terms of Employment.
There should also be effective systems for informing staff about virus threats and ‘scams’ with which they may be targeted from outside the organisation.
Very often, however, there’s a greater likelihood of the system being compromised internally than by external attacks. Organisations need to consider how they are going to tackle this without unreasonably infringing individuals’ privacy. Commonly, they will monitor e-mails periodically or perhaps continuously, using software that enables the system to check for key words which could range from profanities to terms that suggest a reference to sensitive business matters (for example ‘tenders’, ‘accounts’ or ‘profits’).
These key words need to be selected very carefully to avoid a situation where an extremely high proportion of e-mails are being tagged, as this will be impractical to monitor and overly intrusive. It’s also probably not a good idea to have a contractor undertaking this monitoring process, as there’s a risk that the lack of a long term allegiance to the organisation will affect the degree of priority that they give to this role.
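To make the tagging-rate point concrete, here is an added illustration (not from the article) that runs a naive keyword rule and a tighter scored rule over a handful of constructed messages and reports what proportion each one tags; the term lists, scoring weights and threshold are assumptions for the demonstration, not a recommended configuration.

```python
import re

# Constructed sample messages for the demonstration (not real traffic): (subject, body).
SAMPLE_MAIL = [
    ("Lunch?", "Anyone up for lunch at 1?"),
    ("Q3 profits", "Draft Q3 profits figures attached. Do not circulate."),
    ("Tender response", "Final tender for the council contract, pricing inside."),
    ("Gym", "Cancelled my gym membership; the accounts team refunded me."),
    ("Weekend", "Great weekend, profits from the car boot sale were decent!"),
    ("Minutes", "Board minutes (confidential): tenders reviewed, accounts signed off."),
]

# Business terms from the article, matched as whole words with an optional plural.
SENSITIVE_TERMS = ["tender", "account", "profit"]
# Assumed handling indicators suggesting the message really concerns company material.
CONTEXT_TERMS = ["confidential", "do not circulate", "draft", "pricing", "attached"]


def hits(text, terms):
    """Return the terms found in text as whole words (plural allowed), case-insensitively."""
    return [t for t in terms if re.search(rf"\b{re.escape(t)}s?\b", text, re.IGNORECASE)]


def broad_rule(subject, body):
    """Naive rule: any sensitive term anywhere tags the message."""
    return bool(hits(subject + " " + body, SENSITIVE_TERMS))


def scored_rule(subject, body, threshold=3):
    """Tighter rule: a subject match counts double, and a lone body match only
    tags the message when a handling indicator appears alongside it."""
    score = 2 * len(hits(subject, SENSITIVE_TERMS)) + len(hits(body, SENSITIVE_TERMS))
    score += 2 * len(hits(body, CONTEXT_TERMS))
    return score >= threshold


def tag_rate(messages, rule):
    """Fraction of messages a rule tags: the figure the article warns must stay low."""
    tagged = [m for m in messages if rule(*m)]
    return len(tagged) / len(messages)


if __name__ == "__main__":
    for name, rule in (("broad", broad_rule), ("scored", scored_rule)):
        print(f"{name:6s} rule tags {tag_rate(SAMPLE_MAIL, rule):.0%} of messages")
```

On this sample the broad list tags five of the six messages, including the lunch-money and car-boot-sale chatter, while the scored rule tags only the three that actually concern company material; logging which terms fired lets the reviewer see why a message was tagged.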
Increasingly, corporate organisations don’t feel that the detection and deterrent value of this type of monitoring activity is sufficient. They are therefore undertaking more stringent vetting during the recruitment process of individuals who, in the course of their duties, may have access to sensitive information.
Those responsible for IT security should adopt a systematic method of keeping up-to-date with new virus threats, security loopholes or hacking methods, as well as using the latest technology for defending systems from such attacks. However, they also need to be aware of the way that other technological advances can pose additional threats for the IT network.
Wireless options, for example, allow laptops to be moved about freely while maintaining Internet access but, if not configured correctly, are far less secure than traditional cable connections. There have also been well-publicised incidents associated with the Bluetooth wireless technology, commonly used by mobile phone companies.
In addition, it needs to be remembered that today’s third generation mobile phones are themselves much more like computers, with functions including the updating and downloading of software, video messaging and conferencing and access to various e-mailing functions and/or the Internet.
There are, therefore, two types of risk to be considered: either the potential for an unauthorised individual to gain direct access to an organisation’s IT network via a mobile telephone, or viewing information on a mobile that, in days past, would only have been available on the company’s internal computer system. Once again, technological defences cannot offer a complete answer. Effective communication with staff using the equipment is essential, so that they are aware of the risks and what they need to do to minimise them.
Presence on the Board
What changes need to occur, then, before IT security practice across the UK can significantly improve? Critically, there needs to be someone at Board level within a given organisation who is willing and able to champion it.
Those responsible for day-to-day operations should see security as a meaningful function in its own right, not just as part of a whole raft of IT activities. And they should see it as involving a range of management responsibilities, rather than just technical solutions, and as an integrated part of overall organisational security objectives and practices.
Day-to-day information technology specialists and operatives must also see themselves as part of the security family. The Security Institute is actively seeking to promote this objective, and to encourage more IT personnel to become Institute members.
After all, closer links between specialists and broader security generalists can only serve to enhance everybody’s knowledge and level of preparedness. In truth, that should be the long term aim for us all.
Source: SMT
Postscript
Robert Knight is director of Cygnos Consulting, technical director at Receptors Security Systems (UK) and a member of The Security Institute (www.security-institute.org)