Essential it may be, but technology presents a security nightmare for careless companies—a £10bn a year headache for UK companies overall, according to a DTI study from 2006.
It is vital for businesses to have some kind of information security strategy in place, one that is pragmatic in identifying risks and plotting subsequent actions to minimise damage.
Easier said than done, though. Management tends to react only when things break, so often the safest short-term strategy is "don't fix what ain't broke". Since security is usually a process of monitoring new threats and detecting vulnerabilities, combined with deliberate intervention to make systems more secure, the "leave it until it breaks" approach is dangerous.
Many directors fail to ask the right questions, and technical staff have developed skills in fobbing them off. IT people have a well-rehearsed habit of giving literal and sometimes technically correct answers to questions, rather than thinking: what is this person concerned about, and how best can I help them? Don't be afraid of asking questions that might result in technical answers, as you can probe for explanations. Anyone who really understands IT security will be able to explain things in relatively simple language. Getting bombarded with technical jargon is a sign that someone might be covering up weaknesses (or perhaps they don't really understand it themselves).
This is the essential starting point for a DIY risk assessment. By asking the right questions, you will ensure you're better informed, and in the process will be helping your technical staff to focus on security improvement processes. If you develop the appropriate risk assessment approach, your protection will cost less than the impact of an incident and the response it requires.
Here are some essential questions and the areas they address:
• "Is system X secure?" This simple question will most likely be answered "yes". But no system is 100 per cent secure, so this is misleading. Much better to ask: "Where are our greatest vulnerabilities?" This forces a considered answer, and gives you clues as to whether the person you are asking has given security any substantial attention.
• "Is our remote access secure?" This question is also likely to get the "yes" response. The reality is that any method of remote access has a number of areas of vulnerability that need to be considered and balanced with the business benefits. Instead, you should ask: "What countermeasures are we using on our remote access to help with security?"
• Don't fall into the trap of asking: "Are we a target?" You'll get an answer such as "No, we aren't a bank". Unfortunately, everyone is now a potential target. Often, just looking insecure is enough to attract the wrong attention. Any system attached to the Internet will be scanned many times each day by malicious hackers looking for soft targets. Instead you should ask: "Which of our systems is exposed to the Internet and what do we do to protect those systems?" Beware of the "don't worry, we have a firewall" response. Most modern attacks use techniques to get through simple firewalls.
• The previous question might lead you into the subject of back-ups. Instead of simply asking: "Are back-ups working?", ask for details about what information is included in, and, more importantly, excluded from back-ups. Asking for details of how often back-ups are tested can be revealing. You should also take a look at how you protect your back-up tapes, given that they usually contain all of your most valuable information in an unencrypted form.
• By now you may be wondering how bad your security really is. You might therefore ask: "Did we have any security breaches last year?" As you might expect, the likely answer of "no" is not going to help. As detection of breaches can be technically challenging, this could be translated into: "We really don't have a clue". Better to ask: "What methods do we have for detecting and/or reporting breaches of information security?", or you could go further and ask: "Where are the gaps in our ability to detect information security incidents?" This is more likely to give you a good indication of whether you are detecting the breaches that occur, and understanding your risks.
Ian Mann is senior systems consultant at information security consultancy ECSC
Posted 10 May 2007 : Director.co.uk
