Thursday, June 24, 2004

Secure, or Just Paranoid?

Secure, or Just Paranoid? | BankInfoSecurity.com:

By John Irving

Today's business is increasingly dependent on information systems in one shape or another. As with most things there's good and bad - easy access (good), and security threats (bad). Let's not get into the political aspects of the information revolution, but let's examine the commercial implications, and some of the inherent risks.

Most companies are making little progress in countering rising information security threats. Many business systems aren't designed with information security in mind, but for efficiency and transparency - but are these objectives incompatible? It's not just a big company issue. Information security affects SMEs as much as multi-nationals. No one is immune; even if you don't run your own IT systems anymore, it's still an issue. It's increasingly common that outsourcing contracts include information security clauses.

Threats come from cracking, intrusion, and virus software to name just a few. Countermeasures are often hardware-based, as software-based encryption can be cracked quite easily (ask Microsoft) - but it takes time and effort to implement and maintain an effective information security system. We're talking deep packet inspection firewalls, hardware-based intrusion prevention, data storage encryption, data integrity, and biometric identity verification devices to name just a few.

Not all cracking activity and viruses are malevolent; some only aim to obtain email directories, using the addresses to replicate elsewhere. But even this seemingly innocuous activity creates major issues - the resulting increase in network traffic can clog up systems, hindering legitimate communications, with huge cost implications.

Damage to systems and data isn't the only issue - that's mostly repairable - but the damage to a company's reputation can have huge consequences, and be difficult to put right. Financial institutions and other organisations trade on trust. If integrity is compromised it can take years to recover; that's why many information security breaches are quietly brushed under the corporate carpet.

There's another aspect to consider. In the US the Sarbanes-Oxley Act is the latest hard-hitting piece of legislation driving IT direction and spending, and may influence UK subsidiaries.

The UK has at least nine Acts of Parliament and industry-specific regulations impacting information security, including the Data Protection Act, the Turnbull Report, Basel II, and the Computer Misuse Act. Some of these statutory requirements have real teeth, and shouldn't be dismissed. Directors are increasingly being held personally responsible for corporate actions, including information security. Large fines, or worse, may await those directors who are found lacking by the courts seeking to enforce information security laws.

IT directors now face a simple choice - defensively sit still and react only when something happens, or proactively plan to implement new IT security policies and procedures that can deliver demonstrable bottom-line benefits. It's the ones that do something that will be appearing on the front pages of IT magazines in a few years' time, whilst the 'do nothings' may instead be looking at a P45, or even a court summons.
