Security starts from within
In the movies, the good guy finds it easy to penetrate the bad guy's security, thereby saving the free world, because the scriptwriters are in control.
Unfortunately, despite the best intentions of security managers and regular employees, impenetrability isn't possible when you're connected to the Internet. Doing business on the Net opens one up to criminal practices that brick-and-mortar businesses are often able to deter as a matter of routine. This problem will only grow as more people start shopping online, which is one reason why I'm grateful for the US$50 consumer liability limit on credit card fraud.
For businesses, the issue of security couldn't be more acute. Between risk of fraud and growing awareness of privacy issues among customers and partners, businesses face an uphill battle to define security policies that protect not only the data and the systems but also the company from charges of negligence.
Enterprises of every size share many of the same problems in developing a security policy. For one, security isn't a profit centre, even if you're in the security business.
Another is that most companies focus on securing against external attacks even though it has been clear for years that organisations are more vulnerable to the deliberate or negligent acts of employees and trusted contractors than they are to hostile, external sources.
I want to discuss the issues you have to resolve before you start making wholesale changes in your policies. There are at least three things to keep in mind when developing a security policy.
First, an effective security policy must address the needs of the business. This has two parts: the policy must be appropriate for the company's objectives and requirements, and it must be supported and understood by management in order to be taken seriously.
Second, a good security policy will accommodate the organisation's nonbusiness peculiarities. It's more difficult to implement a lockdown in a relaxed environment or in shops where the staff is technically proficient (and therefore able to work around controls it finds inconvenient). Internal political struggles are another force that quickly renders new security policies useless.
Too many times, organisations use such issues as a rationale for dodging hard decisions, whether it's when the policy is drafted or when it is tested under assault. Good security pros will phase in changes in a way that lets them become part of corporate culture. Accommodating your company's culture does not mean giving up; sometimes it means you have to keep working with the affected people to find a solution that will fly.
Finally, you must keep in mind that you're designing a policy that will be applied by humans. Unfortunately, humans are, almost by nature, security problems.
For example, people have a natural tendency to be helpful and to want to be liked; therefore, most of us make an effort to be pleasant and useful in our business environments.
An intruder skilled at "social engineering" exploits these inherent personality traits and circumvents your carefully designed policy by deliberately misleading your staff.
No matter what the circumstances, recognising the importance of security is critical to business survival in the coming years. Businesses that don't confront their security problems head-on are engaging in organisational self-delusion.
Needs vs nerds?
There are a number of reasons why effective information security policies are assuming greater importance in the modern business. For years, large organisations have struggled to balance the need to "get the job done" with the requirements of internal and external auditors and regulators.
As IT has assumed greater importance within the business, so has the scrutiny of its operations.
Another issue that businesses have to confront is the changing nature of working arrangements and the workers themselves. Back in the prehistory of mainframe days, members of the data processing staff were often around for years, if not decades. They knew they would be the first suspects if trouble occurred, so it was uncommon for a trusted employee to turn "rogue".
Today, it's likely that you're outsourcing key parts of your infrastructure and possibly contracting your development work. You probably have more than one temporary worker on your help desk or in your desktop support team.
Trust becomes a lot shakier in these situations, and when trouble hits, the temps are the first victims of the witch-hunt.
Permanent employees can present problems, too, of course. Regardless of whether the dotcom gold rush is tapering off, staff turnover is a constant problem for most shops.
How do you maintain trust when your most-tenured employee has been on board for a year? For this reason alone, security policies have to provide for turnover in all sensitive positions, especially that of security officer.
Although security policies must account for the fact that most problems arise from within the organisation, this does not give you licence to terrorise the organisation. Suspension and termination are big, nasty weapons to pull out on your co-workers, so make sure you can justify them all the way to the boardroom or even the courtroom.
Furthermore, nothing will damage the effectiveness of your policy or the morale of your employees more quickly than deeming certain individuals - such as your sales department's top performer - beyond reproach. In future cases, you'd never be able to apply a meaningful sanction that would stand up against charges of unequal treatment.
Most organisations could stand to beef up internal security. You might not want to run a background check on every temp in the word processing pool, but for someone coming in to a sensitive position in finance or IT, you probably ought to make some enquiries (without violating any privacy laws, of course).
Don't learn the hard way
If you're starting to document a new policy from scratch, lucky you. It's easiest to change rules and responsibilities when you're implementing a new application or operating system. Once people are used to a certain level of security, sudden clampdowns can breed fear and resentment. When that happens, you can bet that they'll start looking for ways to cut corners on security - not out of spite, but because they view the new rules as an obstruction to their work.
If you're trying to make changes to an existing policy, ease in to tighter security rather than use the "sweeping broom" approach and you'll probably have an easier time winning acceptance from your users. Be sure to communicate the objectives clearly along the way and identify the most common objections. This might give you a clue about how to make future changes more palatable.
No matter what size the organisation, you must have buy-in from the business units. Otherwise, you have a defence not unlike that of the British forces in Singapore in 1942, where every seaward approach bristled with cannon and nothing covered the causeway to the mainland. (Guess which way the Japanese came.)
Business units aren't the only advocates you should seek. Getting a patron or three from the executive level for your security improvements has a number of advantages. Sometimes you have to use a really big gun on a really big target such as a star salesperson or another executive.
If you have to go up against a vice president, it's nice to have an executive vice president backing you up. But more important, executive support helps smooth the path for security improvements and may eliminate the need to pull out the heavy artillery down the road.
Size doesn't (always) matter
Technology is an equalising factor, and security is no exception. Whereas large organisations traditionally have advantages in funding and other resources, they also carry the burden of having to scale any security solution. After all, it's a lot easier to secure a dozen servers than a thousand.
Regardless of size, increasingly pervasive technology brings with it the seeds of destruction. For example, well before the Melissa and "I Love You" e-mail worms, thoughtful writers pointed out that Microsoft Outlook's new scripting abilities gave attackers a new set of vulnerabilities to exploit. More recently, Cisco acknowledged that recent releases of its Internetwork Operating System (IOS) were vulnerable to exploitation through the HTTP server software embedded in IOS, the component that lets Cisco devices be managed through a Web browser.
Large organisations will be more likely to suffer from attacks that capitalise on careless software integration simply because their high visibility invites a lot more random poking and prodding. But some small shops will have even bigger problems because they're both visible and vulnerable.
A classic example would be a nonprofit group opposed to the practices of an overseas government. The nonprofit group then becomes a target for supporters of that country's regime, who may have access to government resources.
Ultimately, the key is assessing your vulnerabilities in their proper perspective. Nobody's going to thank you if you go looking for traitors under every desk.
An overzealous security policy might cause more problems than it solves through employee disaffection. Even if you can afford a disgruntled workforce, the cost of misdirected resources might be more than you can bear. Your security arrangements will look pretty tough, but like the Maginot Line (the French fortification line built between the World Wars), they will be easy prey to an end run.
One difference the Internet has made is that security can no longer be looked at as simply an us vs them proposition. A traditional security model looked like an onion, with concentric layers surrounding the bank vault or whatever other booty was being protected. Today, the model looks more like a head of garlic: many separate compartments rather than nested layers, because your IT security infrastructure now has to accommodate online customers and business partners as well as keep out intruders. Web sites have to look attractive to passersby but forbidding to any assault, which is kind of like operating a Tiffany store in the South Bronx.
It's not exactly as hopeless a situation as it sounds. Government and law enforcement are starting to wake up to the problems presented by pervasive computing technology, and while that has its drawbacks in the forms of crudely drafted laws and regulations, I'd rather have them on my side than not.
Businesses are starting to realise that one of the costs of a computer system is that of hardening it against outside penetration.
Because some systems, such as a Web server, are designed to admit outsiders (to a degree), some exposure is inevitable and security has to be a compromise.
The trick, as on a museum or brewery tour, is to keep visitors where they belong.
These are the problems security and IT staff face while trying to develop security policies that everyone can live with. You have to involve the entire business, not just management. You have to know exactly how far the policy will be supported. You aren't likely to have the budget you want or even need. You will likely encounter at least a few angry skirmishes along the way.
Security is an expense, but a well-designed and implemented security policy will ensure that what money you have is properly spent.
The enterprise that fails to take its information security policy seriously won't be around to regret it.
THE BOTTOM LINE
Planning for a security policy
Business Case: A well-defined and effective security policy is understood at all levels of the workforce. It spells out rights as well as responsibilities and takes into account that the greatest weakness is the human element. A poorly defined security policy gambles the future of the enterprise by leaving the company vulnerable in the courtroom as well as in cyberspace.
Technology Case: Pervasive technology means greater risks as well as greater opportunities. Highly integrated systems mean vulnerabilities are more widespread and involve entire enterprises. Even organisations with vast experience in protecting information are vulnerable.
- Better security means less liability and fewer losses due to fraud and theft.
- Planning ahead allows you to make assignments of critical responsibilities.
- Performing background checks where needed reduces the chance that employees will be the subject of suspicious finger-pointing later.
- Survival is a business objective.
- Improving security often absorbs fiscal and human resources that could be spent on achieving core business objectives.
- Retooling an existing security plan can incite staff fear or resentment.
- Close communication with and support from business units and executive management is required.
Security is more than just a uniform
For most organisations, the concept of a "security officer" is unfamiliar territory. This position doesn't exist in most IT shops; if a company's needs call for security expertise, the usual background is "guards, guns, and gates".
This can't change soon enough for most enterprises. The security threats of the future aren't going to be thwarted by rent-a-cops, but rather by specialists in information warfare.
Whether you have an IT staff of a dozen or a few hundred, you probably have the core of a security team and at least one person with the makings of a security officer.
If you're lucky, you will be able to devote a full-time equivalent to this position. If not, this person still needs to be named, even if he or she is already wearing multiple hats.
Of course, naming a security officer is only the beginning. Authority can be delegated, but responsibility can't. To be effective, the security officer has to have rather sweeping powers, possibly including the authority to lock down the building, sever Internet connections, and otherwise disrupt normal business operations.
The need for these powers becomes apparent at a time of crisis, when it's too late to start arguing about who calls the shots.
Deciding in advance what extreme measures the security officer can take independently (and identifying those that require further authority) allows your team to focus on the real problem at hand instead of fighting amongst themselves.
It's not difficult to identify the personality traits that would make one member of your team a good choice for the role; the hard part is determining when those qualities go too far. For example, how does the person react in a crisis? If the person doesn't panic easily and concentrates on what's known about the problem, then he or she has the temperament necessary for the job, which is probably the most important quality.
You can teach people concepts, but you can't teach them to be unflappable. Other hints that someone might be worth repurposing as a security officer include expertise in multiple computing environments and an obvious interest in security issues.
One thing you must make certain of before you hand over the keys to the kingdom: this person must be absolutely trustworthy.
When hiring someone to manage security, the background check you perform must be the most thorough possible.
Depending on the nature of your enterprise, you may be perfectly justified in insisting that successful candidates meet standards not required of other employees.