When scanning such articles, you start to think of the hacker or virus writer as the bad guy. That's most certainly the case, but publicised security breaches often result in other corporate concerns taking notice and determining to review their own data security procedures. The more high profile the breach, in fact, the more senior people notice in other organisations. Thus security breaches of this kind aren't all bad news.
Some of the biggest problems faced by the IT security system vendor community include end user organisations' general complacency, lack of budget and their "It will not happen to us"-type attitude.
For the most part, advanced security tools are perceived as being nice to have rather than a vital part of the IT system. Even today, there are plenty of Board Members who believe that as long as they have a firewall and an anti-virus system in place they're well protected.
The initial risk assessment
Other IT solutions including CRM systems or document management software can often provide a proven and measurable return on investment, whereas security – as many in-house practitioners will know – is rarely able to do so. Therefore, it's often difficult for the IT security team to convince the Board that spending beyond the very basic security infrastructure is a worthwhile investment.
Be aware that as budgets are tightened, the increased functionality and flexibility provided by advanced security systems such as Secure Socket Layer Virtual Private Networks (SSL VPN), advanced authentication solutions or biometrics, for example, will matter less to the Board than the anticipated return on investment.
Once Board Members have realised the benefits of investing in security before any problems arise as opposed to after the event, your battle is already halfway won. All that's needed then is for the IT and Security Departments to ensure they make the right recommendations for tools and solutions that will practically serve the company's needs.
The key to comprehensive, tailored security systems and policies lies in making sure the initial risk assessment is conducted thoroughly and accurately. The IT and Security Departments mustn't fall into the trap of assuming they know what their users are actually doing on the network, how they deal with existing policies and what they really want the IT system to do. They must spend time talking to users at different levels and in different departments to find out not only what potential security gaps exist that can be filled, but also how security might be used to help the business run on a day-to-day basis.
Security: the complete picture
There's much more to information/data security than preventative measures like firewalls and anti-virus systems. Security can enable businesses to open up systems to partners, allow end users to log on from home, enable the secure distribution of information between relevant parties, guarantee that you know who's logging on to any system at any given time and ensure that your IT systems actually help you conduct business in a practical and meaningful way.
By using security systems, companies can make sure that their IT infrastructure lets them do business in the way that suits them best instead of restricting users.
For example, one area that users find very frustrating is being asked for different passwords to log on to different applications or areas on the network. By putting up barriers of this sort, companies are actually risking greater security breaches because the more passwords users have to remember, the more likely they are to re-use passwords, never change them or simply use easy-to-guess words.
A recent survey showed that over 50% of users write passwords down at least once. Approximately one-in-20 users write every password down. A major security issue, then.
An alternative solution?
Instead, take the situation where the user has an authentication token or 'key' which they plug into the USB port; they type in a PIN, and their identity and level of authorisation are then immediately known. This initial authentication is inherently more secure than a user name and password because it relies upon 'something you have' as well as 'something you know'. In addition, the user is happier because they don't have to keep logging on to different systems with different user names and passwords.
Source
SMT
Postscript
Andrew Armstrong is UK and European marketing director at Rainbow Technologies (www.rainbow.com)