What you cannot enforce, do not command

Send to friend

The man credited with the headline quotation was not a high flying business guru, he was not an analyst or even a highly paid management consult. He was Sophocles, a Greek tragic dramatist and he was born in 496 BC. Some 2500 years later as businesses battle with trojans, viruses and identity theft, his words still ring true. Many companies hit by Slammer, NetSky and Blaster wormsand any of last year's main viruseslearned the hard way about what worked when it came to their security defences. According to the latest DTI information security surveys, 74 per cent of all UK businesses have suffered a security breach with each one costing companies an average of 7000 to 14,000. Amongst the hardest hit were the smaller companies without the resourcesmanpower, financially and technicallyto devote to adequately protecting their systems. And with the widespread adoption of always on/broadband connections within small businesses, the problem is set to worsen.

In a recent report Always On, Always Vulnerable, the Yankee Group showed that only 45 per cent of small businesses20 to 99 employeeshad purchased security services, and alarmingly this figure fell to 20 per cent for companies with between 2 and 19 employees.

there is no real value in designing security policies and investing in protective technologiesif you can't ensure that they're enforced at all times.

Most organisations are aware of the issues surrounding internet and eCommerce, after all 87 per cent of UK businesses are now dependant on IT in some form, and many will admit to having some form of security policy in place and yet the bare facts suggest they are not working. Designing and implementing a security policy is the easy bit.

The stark lessons from last year highlight that there is no real value in designing security policies and investing in protective technologiesif you can't ensure that they're enforced at all times. To do this, three things need to happen. The first task is to determine the actual policies that the business requires to function, both securely and operationally, the second is to obtain the buy in from those affected by those policies, and the third is to effectively enforce the policy on a day to day basis.

business leaders must be seen to actively be involved in the process rather than simply demanding it of their employees as a requirement.

Apart from the deployment of the physical elements of security, for example, firewalls, anti virus, web filtering, etc, a major must is the education of employees. It is misleading to suggest that all Internet security issues arise because of technology vulnerabilities. Many breaches (over 70 per cent, according to Gartner) originate from staff within the organisation.

To get employees to agree with polices and support them through their actions, business leaders must be seen to actively be involved in the process rather than simply demanding it of their employees as a requirement. An Acceptable Use policy should be devised which clearly explains what employees must do and what they should not do when using the companys systems. This involvement will ultimately result in a culture which accepts info security into the overall organisational bloodstream.

Once an Acceptable Usage policy is in place that is logical, acceptable, easily understood and can be modified effectively, the organisation can then seek to find technical solutions to enforce it.

The security policy must stack up with the business overall objectives, for example, what are the key risks to the organisationnot the imagined, not the nice to havebut the real risks and what tools are available to ensure that end users are reminded of their responsibilities under the terms of the policy. The late Indian Prime Minister and orator, Jawaharlal Nehru, once stated that The policy of being too cautious is the greatest risk of all and whilst he might not have been specifically referring to security policy, his sentiments still apply. For example a virus is a real risk to an organisation but is the use of the Google tool bar as big a risk? Quite simply, many organisations resort to "management by vulnerability as opposed to management by policy.

Allied to risk is the issue of trust. A stand alone blanket policy designed to prevent everything and anything will fail; it will be circumvented and most harmful of all it will create an environment where employees do not feel trusted. Once an Acceptable Usage policy is in place that is logical, acceptable, easily understood and can be modified effectively, the organisation can then seek to find technical solutions to enforce it.

End point security is now considered the new frontier for the business and end point solutions should be considered by IT resellers.

The selection of the tools to enforce the policy is the final challenge. With the rise in mobile working the perimeter has changed and has become more fluid. Mandating and enforcing policy across a wide and disperse user base is causing no end of heartache.

Consideration must now be given to a total security system by realising that end points, laptops, computers etc, are core network components. An end point solution enables the organisation to take the policy and apply it at an individual level whilst focusing and protecting the network as a single unified whole.

The end point solution can provide the ideal combination of effective compliance tools with individual policy. Without the blending of both, an organisations policies will never be totally effective. End point security is now considered the new frontier for the business and end point solutions should be considered by IT resellers. The security industry is responding with multiple layers of products because of the inability of single product solutions to secure against all threats. This market is being attacked from traditional networking vendors, security vendors, and broadband service providers. Currently, security products for both business and residential use tend to be purchased online and at retailers, but analysts at In-Stat/MDR predict that businesses are likely to acquire security products through value-added resellers and that the service provider channel will pick up steam as a suppliera market valued at $3.7 billion by 2008.

Organisations now have a choice, they can treat the enforcement of policy seriously or they can follow the advice of the ancient Italian proverb Better no law than laws not enforced.


 

 

Phil Worms is Director, Product & Marketing, Netintelligence. The company provides comprehensive protection from the threats that use of the Internet and email can bring for both the home and the enterprise.

Comments (0)

Add a Comment

This thread has been closed from taking new comments.