The Internet is a dangerous place. Hidden in the IP ‘cloud’ surrounding modern IT infrastructures is a legion of spammers, hackers, crackers, cyber-terrorists, phishers, pharmers and assorted other criminals. Their mission: to crack corporate IT security and play havoc with mission-critical systems and data. However, these external threats are often the least of an IT security manager's problems.
Despite the understandable concern that all companies have about the threat posed by external IT security exploits, most IT security breaches can still be traced to internal points of weakness.
Between 2001 and 2003, according to PricewaterhouseCoopers' UK Security Breaches Report, 70% of major UK companies suffered breaches that were traced back to staff misuse of information systems. Fewer than 40% of recorded breaches, by contrast, involved unauthorised access by outsiders.
While the most common form of corporate security breach – virus or malware infection – originates from outside the corporate firewall, the bulk of such infections need a helping hand to find their way inside in order to be effective. Typically, that assistance comes from an unwitting employee who carelessly opens an infected spam mail, or returns to the office with a USB memory stick that was recently connected to the contagious world of a home-based PC.
A look at current spending patterns reveals that, time and time again, companies underestimate the importance of effective security policies and employee guidelines. According to a recent survey of Information Age readers, 70% of UK companies have increased their IT security budgets in the past 12 months, but the bulk of expenditure continues to focus on hardware and software products intended to keep security threats out. By comparison, just 10% is spent on developing and managing the internal processes that are needed to make these defences effective.
It is little wonder, then, that the same survey revealed that only 8.5% of those surveyed believe themselves to be fully prepared to withstand a security breach.
The Phear Phactor
Nothing underlines the importance of a strong and informed IT security-aware culture so much as the rising incidence of ‘phishing’ emails.
This relatively recent Internet-based security exploit is a development of criminal spamming activities. It uses counterfeit emails, usually masquerading as messages from trusted household-name brands, to trick users into revealing confidential information about themselves or their employer – such as private account numbers and passwords.
The threat posed by a well-executed phishing attack should not be underestimated. Although most attacks are targeted at private individuals, phishers have also disguised themselves as help desk operatives and requested that corporate users reply with log-in details and passwords.
The extent to which such attacks are likely to succeed depends almost entirely on how aware end users are of the threat. A recent survey conducted by Infosecurity Europe revealed that 92% of consumers were willing to reveal confidential private information simply to receive free theatre tickets. There is no reason to believe that naïve corporate end users would prove to be any less gullible.
Clearly, an investment in corporate IT security awareness is becoming more and more necessary.
Certainly, companies that have not woken up to the internal nature of the threats facing their IT security integrity are very far from being prepared. Analysts such as Gartner and Forrester Research have long bemoaned the ‘Fort Knox’ or ‘moat and castle’ syndrome that characterises so many corporate IT strategies: a naïve belief that the root of IT peace of mind is strong perimeter defence.
In reality, while such perimeter defences are clearly essential, they are by no means a panacea. As the PwC report points out, "Human error rather than flawed technology is the root cause of most security breaches." The root of most human error, say PwC consultants and others, is the absence of an IT security-aware culture, a deficiency that permeates too many companies.
Organisations without that kind of security-aware culture are not difficult to spot. A casual walk through any office – which may be, in itself, evidence of a lax physical security policy – can reveal a lot: monitors adorned with Post-It notes detailing systems passwords; amusing screensavers thoughtfully provided for free by spyware authors; USB ports clogged with pocket-sized storage devices with enough capacity to copy an entire desktop hard drive.
Such potentially disastrous practices are symptomatic of companies where IT security policies, if they exist at all, have failed to permeate beyond the IT department.
A telling feature of the Information Age reader survey is the broad disagreement over who should ultimately be responsible for safeguarding data and IT assets. According to the survey, 48% of companies see IT security as primarily a business problem that ought to be policed by business executives, whereas 33% see the problem as primarily a technical issue that, presumably, is best left to IT professionals. Another 10% of respondents believe that the lead role should be taken by the human resources department.
In fact, all three groups have an important role to play in engendering a corporate IT security culture. Business executives must take responsibility for defining the essential core of this awareness, and the policies that enshrine it; IT must then provide the technical infrastructure and expertise to make it practical; and HR must ensure the individual employee's security responsibilities are an explicit part of their contract of employment and are supported by appropriate training.
Of course, individual organisations must devise IT security policies that suit their specific needs, but the foundations of good, human-oriented security practice should be common to all companies. In the UK, these foundations can be found within the BS 7799 standard covering information security management, and the Standard of Good Practice published by the user-driven Information Security Forum (ISF).
Between them, BS 7799 and the ISF's Standard of Good Practice should enable any company to devise a comprehensive framework within which to shape their IT security policies.
However, such policies don't spontaneously produce effective, IT security-aware practices. As Gartner analyst Rich Mogull points out, "[IT security] culture will always develop on its own in a vacuum – [but] you may not like the results."