Complex IT security policies lead to greater internal risk: Telstra
- 09 May, 2011 12:28
Companies have more to fear when it comes to security within their own four walls than from outside, because of complex security policies and an experience generation gap, believes one industry expert.
Telstra security operations senior technology architecture specialist, Scott McIntyre, told Computerworld Australia that a big problem for organisations is that IT security policies address the minutiae rather than the wider picture, and staff are left confused about what they can do on the network.
"If the policy says ‘you must not do this or use that port’ it creates a culture of frustration," McIntyre said. "Most people want to do the right thing, but if you make it too complicated for them to know what the right thing is, that’s where the, shall we say, more ‘creative’ interpretations of policy start happening."
For example, he said staff may say ‘fine, I’m going to do it my way’ and start accessing information they are not meant to.
"That's where the risk and overexposure comes into a company, so they need to kill the silo mentality," McIntyre said.
According to McIntyre, this mentality occurs because organisations are structured in a very vertical orientation but security is a horizontal issue.
"It’s something that needs to address all of the aspects of the company," he said. "It’s a new way of thinking because you don't just turn on security; it goes into understanding information as an asset. You don’t want people to walk off with a computer, but the data itself and the access that is allowed to it is what people need to understand."
He adds that if people keep these concepts in mind, then as they open their networks to social media or to using the Internet in general, data loss prevention can come more into focus.
"Companies can say ‘I have secured access to this information, and it is stored in an encrypted format’. They also know when, why and by whom that data is being accessed."
Turning to what he calls the IT security generation gap, McIntyre was quick to point out that this was one of experience, not age.
“Some policy makers take the deny all access approach and that needs to be revisited," he said. "Have you, as an IT security manager, realised that there is a benefit for your organisation by using these technologies such as social networking to engage with customers? They can be managed securely without people posting everything online."
McIntyre also said companies could avoid security headaches by not deploying what he called "archaeology ware" or old software.
"Companies are not using the most up-to-date software that they should be using internally, and they don’t necessarily have a good patching program in place. They don’t have an incident response team or that view to security or data integrity."
He also took issue with managers who see IT security as another cost centre. Rather than taking the "do more with less" approach, McIntyre warned that now is not the time to skimp on costs.
"More organisations have to wake up, plan accordingly and find space in the budget," he said. "That’s what it is to be a good IT corporate citizen these days, you have to care about the data you have within your organisation."
On another note, McIntyre, who is a self-confessed Apple fan, said tablets such as the iPad 2 needed to be allowed for in policies.
"I have been poking at my new iPad 2. I’m not an Apple security expert, but I take my own computer security extremely seriously with malware and firewalls."
He isn't the only one to have taken a crack at the iPad 2; US iOS hacker George Hotz recently jailbroke the iPad 2 after accepting a challenge from another hacker, Joshua Hill.
McIntyre is scheduled to present at the upcoming security conference AusCERT in May.
IDG Communications is an official media partner for AusCERT 2011.