Security is not an area newly arisen in the wake of the 9/11 tragedy. There have always been reasons to be concerned: conflicting priorities, business environmental factors, information sensitivity, lack of controls on the Internet, ethical lapses, criminal activity, carelessness and higher levels of connectivity and vulnerability. It's a trade-off between limiting danger versus affecting productivity: 100 percent security equals 0 percent productivity, but 0 percent security doesn't equal 100 percent productivity.
No one wants to be controlled. It's demeaning and stifles productivity, and we resent the implication that we can't be trusted not to break our own networks. On the other hand, organisations have to decide how long they could operate without computers or networks and how reliant they are on the availability and accuracy of data. Absolute security is unattainable and undesirable, so proper security controls seek to reduce risk to acceptable levels.
#1: System penetration threats
There are all kinds of ways in which systems can be compromised. A popular expression during World War II was "Loose lips sink ships", which was meant in a possibly somewhat paranoid way to heighten awareness that you never knew who was listening to you, even over a beer at the local pub. Most of us routinely have contact with other professionals, whether at industry gatherings, social events or at any number of other venues. It's all too easy to accidentally disclose critical information that can be used, however unethically or even illegally, to benefit one organisation at the expense of another.
Carelessly discarding access codes and other kinds of personal identification information without shredding them has made dumpster diving the number one method of obtaining this kind of data. Systems that are poorly or inadequately secured (single-level security, easily guessed passwords, unencrypted data and so on) are an invitation to problems ranging from low data quality to unauthorised infiltration.
Networks can be easily breached due to poorly maintained firewalls and/or virus and spam filters. Security budgets must be adequately funded; management literally puts organisational survival at risk by viewing funding for security measures as a no-return or discretionary expense. Taking responsibility for our own actions (or inactions) coupled with a solid comprehensive security policy is the best defence to prevent breaches from occurring in the first place.
#2: Internet security realities
Originally built for military use, the Internet today incorporates little inherent protection for information. Administrators at any Internet site can see packets flying by and, without adequate encryption, messages are subject to compromise. The Internet doesn't automatically protect organisational information — companies must do so independently. Without adequate control, and even with it, employees can access just about anything and bring it in-house. External intruders can access networks and PCs. External message sources typically can't be found, and message senders don't know who else, in addition to or instead of the intended recipient, is reading the message.
The hacking community is increasingly organised, and by co-operating with each other, networks can be even more easily, and profoundly, compromised. The Internet is an open, uncontrolled network that doesn't change to suit organisational needs. Identified exposures are not automatically fixed, and most security problems on the Internet are not really Internet problems. Organisations must assume a potentially hostile environment and protect themselves through full message encryption for sensitive information, digital signature for message authentication, high quality maintained firewalls and other filters, employee communication and awareness programmes, and any inbound controls that are at least adequate without being excessive.
#3: Portability of hardware
Corporate road warriors travelling with laptops represent a variety of security challenges. Larger, faster hard drives and more powerful processors provide the ability to download and use local copies of sensitive or confidential databases. Ubiquitous Internet access allows us to stay connected with the same networks and systems we use in the office. Web-based services such as Groove can be used to circumvent corporate document policies.
Laptops need to be secured with at least two-phase security controls consisting of a combination of encryption, local user ID/password combinations, biometric devices and so on, and organisations need to implement and enforce strict policies on technology use while travelling.
#4: Proliferation of new communication methods
Does your organisation provide PDAs such as BlackBerrys or Treos with network connectivity? Are these devices secured in any way? Many companies have little understanding of just how big a security threat these handy little gizmos represent. Typically connected to central corporate services, such as Outlook or Notes, and providing continuous wireless automatic synchronisation…
