This report suggests that investing in various electronic barriers to protect digital information and e-business sites is only half the battle. Many of the most serious threats come from within the organisation.

Many organisations will currently be considering joining the Internet as a means of extending their 'shop front', or to do e-business. That's if they're not among the tens of thousands who have done it already. Of course, in many cases this is a positive move, designed to make business easier and give greater reach.

Many an IT director, however, will be concerned over security in such a wide-open relationship.

Words such as SSL, PKI, certificates, encryption and firewalls are just a few of the terms relating to security technology available, and will be comforting to most. And that's understandable. Many companies will be putting considerable effort into getting their e-business right. A sensible choice.

But if you are one of these organisations, are you sure that concentrating on one key place has not left you open to the peril within? In short, although the Internet can be a scary place for any organisation, most real security breaches occur from within. If you find this surprising, then let's have a quick look at some of the factors affecting internal and external security. These include control, risk, motivation, knowledge and power.

Control

In any half-decent e-business site, you will have (at the very least) a strictly limited number of functions that a visitor will be able to perform. In addition, you will have a firewall, properly configured and almost certainly with good audit trails. You will use DMZs to protect your core systems from outside penetration. In this sort of system you are probably only at risk from the incorrect configuration of security components or residual flaws in the products.

The main security breaches that a hacker could bring about are: obtaining goods without paying, compromising the confidentiality of other customers' information, changing the contents of your web site to something defamatory, or simply crashing it.

The controls you will have in place will largely avoid these risks. We have seen attempts to blackmail organisations once their security has, allegedly, been broken, but these examples are few and far between.

On the other hand, an internal member of staff will probably be able to access your core systems without passing through anything like these types of control mechanisms. Crashing the database that runs sales could be a piece of cake if someone can just flood the network with garbage communications. I've already seen at least two companies almost brought to their knees by an unlucky (or should we say uncontrolled?) combination of poor network design, over-keen staff and director level instructions flying in the face of reality.

And, of course, someone suitably motivated within your staff could probably add to this mayhem.

The jury is still out as to why one e-business was selling £300 TVs for £3, but one potential reason is somebody innocently changing the web page or underlying database without due checks and controls being applied. If you have staff who can offer deals and do the reconciliation (or other checking), then you may as well give up on security (in the broadest sense) right now.

Risk

Risk comes in many forms, but the riskier environments have one or more factors in common. In general, the absence of a security policy is a bad thing. Without it, you are not giving staff a clear message - and you might also be badly placed for disciplinary measures. So my advice would be - get a security policy. Then back it up with active security management.

A reliance on a single security measure is also asking for trouble. Someone will always work around it 'to get the job done'. Especially bad are those businesses that rely only on an enforcer 'shouting security' at the staff. This only works on the honest staff (who you don't need to worry too much about anyway), and gives signals to the 'bad apples' that they can really do whatever they like.

So, have a range of mutually supporting controls: a security policy, passwords, access controls, audit and monitoring, virus defences - then add the man or woman to do the shouting.

Finally, carry out a periodic risk assessment, and review staff morale with human resources at the same time.

Motivation

Motivation of staff is a key factor in ensuring security. Generally, the happier the staff, the less risk. In times of great change staff generally become unsettled and may attack the business. So it stands to reason that in periods of downsizing there is a greater risk. You may also have a problem around pay-review times when Fred is paid more than Bill – because Bill just might take it out on you.

By way of illustration, one company I know was acquired by another. Jobs were on the line, so one unidentified individual managed to copy the sales contacts list in the dead of night, and take it on to their next position. Other factors included a flat denial by the management that the sales list existed at all (when everyone in fact knew that it did), that it was loaded on the only PC in the sales and marketing department, and that the PC had no logical security controls at all (e.g. passwords).

Two other wild cards are worth considering. If you are a highly attractive business to break into (which should be flagged up by the risk assessment) then you might have someone employed who is in fact placed by a competitor (or himself) to do damage. Newspapers and enthusiastic journalists have been known to do exactly this type of thing to get a story.

Finally, if you have an R&D department (AKA 'the Boffins'), you may well have the keen staff who might just break security for the hell of it – just because they can. They will need special care and attention because, although in many cases their motives will be innocent, the consequences could be serious.

What's more, you may well pay them to bring in new ideas – so clamping them down under tight security could be entirely negative. There is a case to say that if a couple of people at Microsoft had not got to know about each other's work in an 'unplanned' manner, then Windows may never have happened.

Knowledge

Knowing what assets you have and the risks that you are prepared to run in day-to-day business are key elements in the management armoury. The example above (where management denied the existence of a combined sales list) shows exactly what can happen. Trying to hide assets is, on its own, a very weak defence. Not advertising key resources, and then adding other strong security measures, is much better.

Technology can have unforeseen consequences. For example, the network and sharing facilities of Windows are a real boon when you want all the members of a team to have access to the same information. Sadly, though, most people don't think it through and mount the shares onto the network in a haphazard way, without any further thought or access controls.

I've lost count of the number of confidential management documents I have found (when doing security reviews, I should add!) on uncontrolled shares. Picture finding the entire takeover strategy for target company B on company A's network. Unlike you, I don't have to imagine – I've already found it! The lesson is to factor in the 'roundabouts' to technology's 'swings', and make it all part of your regular risk assessment.
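One way to turn the share audit described above into a routine check, as an added example that is not part of the original article: a PowerShell script that lists every SMB share on a Windows file server and flags those granting access to catch-all groups. It assumes the SmbShare module (Windows 8 / Server 2012 or later) and local administrator rights; the list of 'broad' principals is a constructed starting point.

```powershell
# Added example (not from the article): audit the SMB shares on this host and
# flag any that grant access to broad, well-known groups. Assumes the SmbShare
# module (Windows 8 / Server 2012 or later) and local administrator rights.
# Run against each file server as part of the periodic risk assessment.

# Principals that effectively mean "anyone on the network". Constructed list;
# extend it with your own catch-all groups (e.g. a large "All Staff" group).
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users'
)

function Get-OverexposedShare {
    [CmdletBinding()]
    param(
        # Skip the administrative shares (C$, ADMIN$, IPC$) by default; they
        # are governed by local Administrators membership, not share ACLs.
        [switch]$IncludeAdminShares
    )

    $shares = Get-SmbShare | Where-Object { $IncludeAdminShares -or -not $_.Special }

    foreach ($share in $shares) {
        # One entry per ACE: AccountName, AccessControlType (Allow/Deny), AccessRight (Read/Change/Full)
        $acl = Get-SmbShareAccess -Name $share.Name

        $broad = $acl | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $_.AccountName
        }

        foreach ($ace in $broad) {
            [PSCustomObject]@{
                ComputerName = $env:COMPUTERNAME
                Share        = $share.Name
                Path         = $share.Path
                GrantedTo    = $ace.AccountName
                AccessRight  = $ace.AccessRight
                # Change/Full for a broad group means anyone can alter or delete
                # the documents, not merely read them.
                Severity     = if ($ace.AccessRight -eq 'Read') { 'Medium' } else { 'High' }
            }
        }
    }
}

# Example run: show the findings, most severe first, and keep a CSV for the risk register.
Get-OverexposedShare |
    Sort-Object Severity, Share |
    Tee-Object -Variable findings |
    Format-Table -AutoSize
$findings | Export-Csv -Path "$env:TEMP\share-audit.csv" -NoTypeInformation
```

Share permissions combine with the NTFS permissions on the underlying folder, so treat each hit as a lead to confirm with Get-Acl on the listed path rather than as a proven exposure.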

Power

Remember, the most potentially dangerous person in an organisation is also the most powerful - the senior manager or director. If anyone has the power to bypass controls through social engineering it is probably these people. They may also be most at risk in downsizing moves, and so could be the most motivated.

To recap, the security ‘must-dos’ are:

  • A full risk assessment
  • Implement a security policy, backed up by security management
  • Install a balanced range of controls appropriate to your business
  • Stay informed about your staff and their morale
  • Look out for ‘oddballs’ but encourage ‘the Boffins’ to get them on your side
  • Keep up to date with technology
  • Keep a careful eye on the really powerful people

You have to make the assessment of whether or not you are at greater risk from internal attack or from external hackers, but always bear in mind a few observations:

  • Most reports show internal problems to be around 75% of the total
  • Your staff know your systems and their weaknesses much better than an arbitrary outsider
  • Your staff will be better motivated (for good or ill) than an outsider (for most generally benign businesses)
  • Your staff will also have the power to affect systems, whereas a hacker should fall over at the firewall
  • A bit of paranoia is a healthy thing

Ideally, security should not be exciting; it should just happen. Insecurity, on the other hand, can be very exciting – like aquaplaning into the back of a truck when you should really have let up on the gas pedal. Are you driving at full speed with your new e-business site, too busy to do the basic housework? Good luck. You’re going to need it.