Security utopia?

As the dust settles over last year's HM Revenue and Customs (HMRC) security breach, DNV IT Global Services consultant David Cole argues that companies are never going to be safe from information security threats - but better planning and education could make the difference.

By David Cole

There’s always talk of safeguarding personal details, of banks or health trusts dumping customers’ personal records without shredding them, or a general uneasiness around the idea of identity theft.
When HMRC lost 25 million people’s details, it became apparent that, in an increasingly networked world, the many organisations entrusted with maintaining the confidentiality of personal details and companies’ information still find real difficulty in bringing together risk management thinking and the hard practicalities of security processes in order to safeguard critical information and knowledge assets.
Despite the openness the internet age has delivered, from the perspectives of privacy and regulation, companies are paradoxically under more pressure than ever to protect information and information systems from unauthorised access, use, disclosure, distribution, disruption, modification or destruction. As the HMRC incident showed, when an organisation is stretched or adapting to new structures, there’s still a way to go in keeping data adequately secured. More than ever, we think it unlikely there’s ever going to be such a thing as a ‘perfectly secure’ organisation.
At the same time, analyst group Gartner recently predicted that “information security will gradually fall back down enterprises’ lists of priorities, and chief information security officers (CISOs) and other senior-level IT decision makers will have to work harder for commitment and funding of security projects. Security leaders will need to focus less on technology know-how and more on business management skills.” In other words, the job of security could well become harder, not easier.
So how is it possible to achieve a realistic approach to security, where junior staff members aren’t posting CD-Roms but where employees are able to do their jobs effectively?

Openness increases vulnerabilities
First, it’s important to acknowledge that managing the risk surrounding information and knowledge assets is becoming more complex than ever. At one point, virus writers and hackers simply sought maximum exposure for themselves; now the attacks are more sophisticated, more targeted and harder to predict and detect. Communications convergence and de-perimeterisation as networks are opened to partners and suppliers have increased the vulnerabilities. These trends will all continue; the security function needs to be in a constant state of evolution to keep pace with the threat.
Ultimately, security is a journey, not a destination. New obstacles will always appear, whether it’s a new virus variant or a new phishing attack. There’s no one ‘magic bullet’ approach or method; the most effective risk management strategy is based on sensible security strategies, clear policies, targeted measures – and educating people, the weakest link.
This last point is of particular importance. Global and regional survey findings continue to show that, where people are involved, human error inevitably follows. In the UK, DNV IT Global Services (ITGS) commissioned an independent survey to try to understand the extent of information security processes and education in 100 businesses and government departments employing over 1000 people. IT managers were asked about their opinions on current education and training policies, whether there were a formal security policy in place and where the ‘weakest links’ lay in business information security.
Our survey demonstrated that over 50 per cent of IT staff questioned saw colleagues as the biggest security threat. Furthermore, four in 10 IT managers weren’t even able to adequately recall their last information security briefing and one in five claimed never to have been formally briefed on security policy and procedures in their own organisation. This suggests problems at the leadership level, never mind the ‘shop floor’.
This reinforces trends revealed by Ernst & Young’s 2007 global security study, which showed that half of the 1,300 organisations’ information security managers questioned met with their board of directors only once a year, or not at all. One in five said their security departments never meet with corporate executives. These findings again suggest a disconnect between executives and the wider workforce.
Do workers look to senior management for leadership and guidance on security and not necessarily get it, despite most organisations operating information security programmes? Information security may be a critical function or just another compliance hurdle (depending on the quality of senior management), but the figures suggest security can be let down by bosses who, under pressure to deliver on their daily sales or performance targets, are tempted to skate over best practice in company procedures that safeguard corporate information.
DNV ITGS’ survey also showed concern about colleagues rising in the potentially sensitive area of retail, where 64 per cent of IT managers in the sector saw work colleagues as their security weak point. This is most probably to do with the fact that Britain’s retail sector experiences notably high levels of turnover in junior and part-time staff. Given that approximately three million people are employed in the sector, this finding suggests huge potential for failures in security process.
On the face of it, overworked employees sounds like a low level risk, or an easy target for blame, but as recent events have shown, there is an overwhelming need for strict guidance, policy and procedure – day in and day out. Practical training and education are fundamental as threats such as identity theft, targeted attacks or simple mishandling and loss of company documents are with us every day.

Security without constraint?
So what can be done to deliver better employee security without constraining the capabilities of today’s typically devolved, non-hierarchical organisation? UK studies by the Department of Trade and Industry (DTI) show that major companies in particular have made largely successful attempts to put in place information security infrastructures and tools for staff to follow and use. However, the next stage is the development and refinement of organisation-wide awareness, motivation, training and adherence to risk management processes as part of the organisation’s management philosophy and staff motivation. IT managers may blame their colleagues for security breaches but it’s important to bring the situation alive for employees, to help them understand and advocate information security policy.
Interactive and accessible training for managers will help them better understand the importance of information security. For employees, it’s about adhering to best practice security procedures relevant to them and appreciating their importance. This must be coupled with continuous reminders of the need to actually implement those procedures. People forget too easily that a new day often presents a new problem.
Good education and training policies are a start but organisations also need to adopt a rounded approach to managing security risks. Security risk management is not about trying to achieve security utopia but rather providing a balanced set of tactics. It is a matter of making the correct trade among the assessment of worth of assets to the company, the impacts (cost and otherwise) relating to those assets resulting from security incidents and the cost of safeguarding those assets. In the electronic world risk avoidance is not an option. The likelihood of an incident occurring can never be reduced to zero.
On the technical front, organisations that recognise the continual business requirements to use risk management to identify appropriate information security solutions will employ technologies such as firewalls and intrusion detection systems, as any company should. However, the development of penetration testing, known as ethical hacking, should also be seen as a key component within a corporate-level risk management strategy.
Real hackers are always one step ahead, meaning it becomes a game of cat and mouse as hackers discover a new vulnerability or technique they could leverage, usually motivated by criminal gain of considerable sums of money. Thinking like a hacker and using their tools and techniques allows an ethical hacker to feed back information about a customer’s security posture and identify any vulnerabilities and the appropriate solution or mitigation. It’s an ethical hacker’s job to try and identify all vulnerabilities, providing almost a ‘criminal’s eye view’ of the system. It’s all about being one step ahead of hackers as far as possible
In one aspect, however, the HMRC incident and similar events give a sign of hope. As the UK’s Information Commissioner is now making further moves to strengthen the UK’s data protection regime, information security professionals should be prepared to take the spotlight.
The government is considering making CEOs more responsible for their organisation’s data assets, which in turn translates to “appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data” (to quote the Data Protection Act). In addition, Ernst & Young demonstrated that the number of organisations either partially or fully integrating information security functions with risk management operations jumped from just 40 per cent in 2005 up to 82 per cent in 2007. Information security is finally starting to be viewed by larger companies as part of effective management practice. The challenge is for this journey to continue and complete.
As the HMRC headlines become nothing more than a distant memory, the constantly evolving threat to organisations still remains. We’re now in a situation where the lure of potentially huge profits from taking online transaction sites down, and daily technological evolution creating new mutating threats, militates against the goal of the secure organisation. The internet, networked business systems, as well as laptops, memory sticks and other portable devices aren’t going to go away, meaning it’s simply impossible to implement perfect information security.
However, clear thinking on risk, relevant policies, targeted measures, and especially effective education plus wise use of ethical hacking, can make all the difference. Perfection may not be an option, but we can go a long way to achieving a realistic situation of managed risk and resources oriented to secure critical assets.

David Cole is a senior consultant in both information security and system safety, with commercial and government exposure. He runs DNV ITGS’ training department, providing courses in information security to internal and external clients, whilst continuing to act as a consultant. He is conversant with the broad range of organisational security activities. DNV’s website is www.dnv.com/itgs.