…with email, calendar and contact lists, a lost device that's unsecured by a password can be used to gain authorised entry into those systems. At the very least, they can be used to run up a pretty impressive mobile phone bill.
Corporations should require that despite the inconvenience, all such devices must have local passwords, subject to the same rules as those used to access the network, including format and frequency of change. They should also require by policy that lost devices be reported immediately, so kill-signals wiping all local data and rendering the device useless can be issued.
#5: Complexity of software
The fact that systems and applications have many integrated components that are difficult to individually secure is a poor excuse for not requiring multiple levels of security. Users who have been authenticated for general network access do not necessarily deserve authorisation for specific functional components of that network or even within a single integrated environment, such as an ERP.
Studies and surveys tell us that employees consider too many different passwords a valid reason for leaving an organisation; some large corporations require users to memorise in excess of 15 user ID/password combinations. Single sign-on techniques provide the ability to secure systems one component at a time on the basis of one individual access, so there's no reason to make security onerous to the user community.
#6: Degree of interconnection
This is just another form of complexity and requires recognition of the realities of the public access Internet. Supply chain processes connect raw material providers, manufacturers, assemblers, and retailers. As the saying goes, a chain is only as strong as the weakest link. Even if individual organisations within the supply chain have proper security controls in place, one lapse by one of the partners can bring the entire operation to a halt.
Consider a situation in which a parts supplier's network is infiltrated and/or compromised. All the downstream component processes can be negatively affected, either by the delay or loss of a critical ingredient or by a contaminated input, in the same manner that a glitch at the start of an assembly line brings the entire operation to a screeching halt. Organisations need to conduct a comprehensive risk assessment and try to require their partners and suppliers to adhere to adequate security controls, or at the very least, develop contingencies around the possibility of losing access to critical partnerships.
#7: Density and accessibility of media
Information is currency, and knowledge is power. Knowing this, we're all responsible for maintaining the integrity and security of the corporate data to which we have authorised access. New forms of higher-density portable media make it even more necessary to take this responsibility seriously. CDs, DVDs, flash drives and other dense portable media are capable of storing multi-gigabytes of data in a form that all too often grows legs and walks away.
Corporate users should be circumspect about how they use these media. IT security policy should require that any data moved through USB ports or any other method of creating media do so on an encrypted basis. Policy and common sense, should also dictate that these same media types never be used for single copies of any data, especially mission critical or business confidential, and limit their use to temporary movement of data from one location to another.
#8: Centralisation
Single points of failure can be security nightmares. As important as it is to secure corporate networks, systems and data, it's especially critical to do so when those assets are centrally located. Smaller organisations with limited technology resources are particularly vulnerable because they typically have one LAN room or one server rack, which is the entire network for the whole organisation.
Unauthorised access, power problems, communications glitches, protocol incompatibilities and questionable system philosophies can all contribute to catastrophic consequences. When technology assets are centralised, either as a result of limited resources or simply due to a valid design consideration, attention must be given to special security requirements to ensure continuous operation.
#9: Decentralisation
The opposite situation comes with security considerations of its own. Multiple copies of individual systems or databases must be equally well secured; one compromised copy renders the entire application suspect. One of the more difficult situations to deal with in global organisations with presences in various countries occurs where Internet access isn’t robust, consistent or reliable.
In this case, the best solution is often to install a distributed DNS server for offline synch with the main corporate network, providing a local facility that, while not real time, is at least a comprehensive copy no more than one half-day old of necessary data. Since this requires putting sensitive or confidential information out into the field, policies and procedures must be enforced that provide the same level of security for the decentralised facility as that for the main corporate network to avoid the same risks of infiltation and compromise.
#10: Turnover
Employees changing jobs represent a particularly difficult security challenge. A generation ago, you'd simply turn in your keys and go on with your life, but it's not so easy to do that when the keys are virtual entries into secure systems.
Every access granted to individual employees has to be tracked so that at departure time, those accesses can be turned off. In some cases, security systems will have to be cycled for everyone remaining with an organisation when a key employee having a deep level of access goes elsewhere.
Jeff Relkin has 30-plus years of technology-based experience at several Fortune 500 corporations as a developer, consultant, and manager. He has also been an adjunct professor in the master's programme at Manhattanville College. At present, he's the chief information officer of the Millennium Challenge Corporation (MCC), a federal government agency located in Washington, DC. The views expressed in this article do not necessarily represent the views of MCC or the US.




