Insights and ideas

Security for businesses and government:

To say recent years and the immediate years ahead have been characterised by uncertainty is an understatement.  Economic conditions have put everyone, businesses small and large, governments and individuals, on edge.  But in 2010, three things, at least, are certain. 

Firstly, information security will continue to improve, because the technologies to counter threats are evolving every day.  Secondly, however, the security of information – corporate, commercial and personal – will come under more threat than ever before.  The ‘arms race’ between attackers and IT security professionals is becoming more fraught and the stakes are getting higher.  Thirdly, information security will become more and more of a mainstream topic, discussed in mainstream newspapers and on mainstream television channels.  Already, Google’s decision to stop censoring its search results in China, following targeted attacks on its infrastructure and on the Gmail accounts of its users, has been one of the biggest news stories of the year.

Security is and will continue to be A Big Deal.  And many of us who have an interest, professional and otherwise, in it will talk at length about the role of technology in tackling the information security challenge.  What will happen as a consequence, however – what always happens – is that an inconvenient truth will be forgotten: that security starts with people, not technology.

Our latest white paper, ‘IT Security: 6 things you wanted to know in 2010 but were afraid to ask’, tackles security issues for the enterprise that have been swept under the carpet but that will need to be dealt with in 2010.  What is notable about most of them is that although the issue in question has a technological element, the solution typically rests upon better management.

This is the point that too frequently gets lost in translation between technologists and businesspeople.  You can have the best technology-centric security measures in place – firewalls, data encryption, identity systems, intrusion monitoring and so on – but they are liable to fail if they are not supported by the proper processes.

Take cyber crime, which many believe is the biggest threat to corporate and government data.  It is a threat that has long been debated at a political and diplomatic level.  As far back as 2002, in fact, the FBI announced that its “number three” priority was protecting the United States "against cyber-based attacks and high-technology crimes."  Since then the problem has grown considerably.  In May 2009, US President Barack Obama announced that he would create a new White House office for cyber security, and other countries have been quick to follow suit.  It paints a picture of a very modern battlefield, one that itself exists “in the cloud”, with skirmishes fought daily over data carried across the internet and private networks.

Can we truly protect ourselves?  Or is damage limitation the best we can hope for?  To be frank, there is no easy panacea for this problem.  There is no single product or service that can be plugged in to make your data safe.  Technology, married to good education and management, is the key.  Too many organisations think that plugging in expensive new kit is an automatic solution.  It is not.

The very language we use is a problem.  The term “cyber crime” leads us to forget that the data still starts and ends on a physical machine, and so the physical threat is frequently overlooked.  You can have the best technology in the world, but it will not help if your office cleaners can easily smuggle information out of your building on a USB stick.

Ultimately, what is needed is good corporate policy married to effective technology.  Far too often we see one without the other and, in 2010, this is not good enough.  Ensure you have the appropriate technology in place, certainly.  But link it up with effective policy adherence – rigorous testing, monitoring and recording – such as is demanded of an Information Security Management System (ISMS) under ISO/IEC 27001 (the successor to BS 7799-2).  And ensure that policy is in place for follow-through.  Detecting and countering an attack is one thing; tracing it and building a case against the attacker is another.  You need to be able to preserve a proper chain of evidence so that, should you ever need to take someone to court, the evidence will stand up.  This means your IT people need to be trained to log dates and times properly (in a single, unambiguous time zone, with the source of each record kept intact), and your legal department will need to be involved to ensure your policies comply with privacy law.
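As an added illustration of the "log dates and times properly" and "chain of evidence" points above (this is example code written for this page, not code from the white paper or from any product it mentions), the block below writes audit records with unambiguous UTC, ISO 8601 timestamps and chains each record to the previous one with a SHA-256 hash, so that any later edit, deletion or reordering of a record is detectable. The record fields, the sample events and the hash-chaining scheme are assumptions chosen for the illustration; ISO 27001 does not mandate this particular format.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hash of "nothing": the first record chains to this fixed value.
GENESIS = "0" * 64


def _digest(body):
    # Canonical JSON (sorted keys, no whitespace) so the same record
    # always hashes the same way, regardless of who serialises it.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def make_record(event, actor, source, prev_hash, when=None):
    """Build one audit record chained to the previous record's hash.

    Timestamps are normalised to UTC and written in ISO 8601 form, so a
    record from a server in one time zone and a firewall in another can
    be ordered without guesswork when evidence is later reconstructed.
    """
    ts = when if when is not None else datetime.now(timezone.utc)
    if ts.tzinfo is None:
        raise ValueError("naive timestamp: time zone must be explicit")
    body = {
        "ts": ts.astimezone(timezone.utc).isoformat(timespec="seconds"),
        "event": event,
        "actor": actor,
        "source": source,   # which system produced the record
        "prev": prev_hash,  # links this record to its predecessor
    }
    body["hash"] = _digest({k: v for k, v in body.items()})
    return body


def verify_chain(records):
    """Return (True, n) if all n records chain correctly, else (False, i)
    where i is the index of the first record that fails verification."""
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if body.get("prev") != prev or _digest(body) != rec.get("hash"):
            return False, i
        prev = rec["hash"]
    return True, len(records)


def build_sample_chain():
    # Constructed sample events; the times and hosts are invented.
    base = datetime(2010, 3, 15, 9, 30, 0, tzinfo=timezone.utc)
    events = [
        ("login_failed", "jsmith", "vpn-gw1"),
        ("login_ok", "jsmith", "vpn-gw1"),
        ("file_copied", "jsmith", "fileserver2"),
    ]
    chain = []
    prev = GENESIS
    for offset, (event, actor, source) in enumerate(events):
        rec = make_record(event, actor, source, prev,
                          when=base.replace(minute=30 + offset))
        chain.append(rec)
        prev = rec["hash"]
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact chain:", verify_chain(chain))
    chain[1]["actor"] = "someone_else"  # simulate a tampered record
    print("after tampering:", verify_chain(chain))
```

Run stand-alone, the script prints that the untouched chain verifies and that the edited copy fails at the altered record. In practice the hashes (or a periodic signature over the latest hash) would be shipped to a system the administrators of the source host cannot write to; a chain that lives only beside the logs it protects proves little.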

Social networks are another favourite topic.  As soon as it became apparent that people were using their work as well as their personal internet connections to log on to external sites to share information – and, potentially, company data – organisations began voicing their concerns.  The worry was, and still is, that sites such as Facebook and Twitter might at best reduce people’s productivity and at worst pose a threat to information integrity.

Of particular concern has been the theory that the incoming generation of employees, reared on the internet and potentially blasé about security, will pose a major challenge for management.  ‘Generation Y’ spends its time living an online lifestyle and will soon be a vital, if not dominant, demographic in the global workforce.  Fighting it does not strike me as logical.

The anxiety surrounding Generation Y and social networks stems from a fear of the unknown.  Generation Y uses a different vocabulary, follows a different culture, has different demands, demonstrates a high speed of learning and has different expectations. They push the boundaries of older management.

But is this a threat?  The pace of change in new media and social networking tools will continue to outstrip our ability to check for technical security weaknesses and counter them.  The convergence of external and internal applications will proceed at pace and, certainly, the risk of data leakage is a real one as people (of all generations, but particularly younger employees) increasingly blur the boundaries between their public and private, personal and professional lives.

That said, the longer organisations spend debating the threats, the greater the danger that they will fall behind the curve when it comes to exploiting the opportunities.  The trick is to help people manage the fuzzy boundaries between their public and private, personal and professional lives.  At heart, social networking sites are about collaboration and the sharing of ideas.  Both are the lifeblood of innovation, and organisations must find a way of embracing rather than banning them.

Worrying about whether employees will ‘waste time’ chatting on Facebook is only a modern incarnation of worrying whether they will ‘waste time’ chatting at the water cooler.  Social networks present no more of a risk to data than an email account does.  What people do with the data is the point.  It is possible to make the use of any web-based tool acceptably secure, with the right technology, the right training and the right level of awareness among the workforce.  And so, again, education is key.

The threats to corporate and government organisations are many.  They are real and present.  But they are not insurmountable.  The sooner we focus on the ‘can’ rather than the ‘can’t’, the better for everyone.  Taking technology out of the centre of the debate is a good start: a technology arms race is self-defeating.  Our best defence against most threats is education, awareness and good old-fashioned management common sense.