Security increases business
Businesses are spending heavily on securing their ICT. However,
new ways are emerging all the time for data to get out of – and
into – a protected system.
When information technology issues jump from the obscurity of
the trade press onto the front pages of our national newspapers
it’s usually because a major security problem has come to light.
Customer details exposed to the world on the wrong side of a
corporate firewall or discs lost in the post. A virus attack that
threatens to bring global commerce to a standstill. The theft of a
laptop containing sensitive corporate information.
Incidents such as these remind us that our increasing reliance
on Information and Communications Technology (ICT) exposes
organisations of all types to some very real security risks.
Businesses, of course, are well aware that ICT systems must be
adequately protected. Indeed, according to a report published in
2006 by the Department of Trade and Industry (DTI), awareness of
security issues has never been higher. In its Information Security
Breaches Survey, the DTI noted that the average UK company spends
between 4% and 5% of its
annual ICT budget on security measures, while a healthy 98% of
businesses had anti-virus software in place.
In other words, the overwhelming majority of UK companies have
addressed the security basics of the internet age. Perhaps equally
important, the DTI found that most of the companies taking part in
the survey were seeking external advice on the protection of their
data and systems, while an increasing percentage had established
formal security policies. But, as Mike Davis, a senior analyst
specialising in information security at business intelligence
company Ovum, points out, not all organisations have fully
comprehended the range of security risks that confront them. ‘Today
just about everybody has their firewalls, their virus protection
and their anti-spam software in place,’ he says. ‘But they aren’t
necessarily looking at the security risks posed by devices such as
PDAs or flash memory.’
The ubiquity of these ‘edge’ devices provides an illustration of
how the security landscape is changing. Five years ago relatively
few people owned an MP3 player. Today they are the accessory of
choice for huge numbers of office workers. And along with PDAs they
can be used to download all manner of confidential information.
Changing landscape
Then there are new ways of working to consider. The increasing
number of companies that are sending staff out on the road with
PDAs and laptops opens up another gap in corporate defences.
Notoriously, these devices can be easily stolen, along with all the
data they contain. ‘How many people bother to encrypt their data –
even their confidential data?’ asks Mike.
The message is that the security landscape is constantly shifting
and becoming more complex. Relatively new technologies such as
wireless and Voice over Internet Protocol (VoIP) are changing the
way organisations work, often making them fitter, more responsive
and more flexible. However, these new ways of working are also
raising new security issues.
The security environment is also being changed by new laws and
regulation. Some legislation, such as the Data Protection Act’s
requirement to keep information secure, affects just about every
organisation. However, as Ken Johnson, Senior Manager Data
Services at ntl:Telewest Business, points out, some security
requirements are sector-specific. ‘A case in point is the financial
services industry,’ he says. ‘The Financial Services Authority has
set down some very tough security requirements that all companies
operating in the sector must meet.’
Underlying all this is the uncomfortable fact that the ICT
security war is one that has to be fought against a pretty diverse
range of enemies. In addition to virus-writers, hackers and
cyberfraudsters, organisations also face the arguably greater
danger that disgruntled employees will steal or manipulate
information, either for personal gain or in pursuit of some
personal agenda. Equally worrying is the thought that the act
need not be vindictive. Human error can be as damaging as a
malicious attack, especially when business-critical data is lost or
confidential information revealed to the wrong people. And as we
saw this summer, acts of nature, such as floods, can knock out a
system more effectively than any hacker.
In essence, security should be thought of as an enabler, as the
protective shell that allows you and your customers to do business
safely. That’s an easy concept to get hold of when you’re talking
about, say, e-commerce, where secure servers are clearly vital.
However, it applies equally to a mobile working environment, where
staff are carrying customer information around on PDAs that could
be easily lost or stolen.
Security planning
So security shouldn’t be seen simply in terms of technical
fixes. ‘It’s a big subject and the technology is only part of it,’
says Ken. ‘It’s about education, planning and risk management.’
Most security experts agree that education is vital. ‘The biggest
threat to your security comes from your employees,’ says Mike.
‘They know they shouldn’t download unauthorised software from the
internet. But they still do. They know they should log off before
leaving their machines. But they still don’t.’ There’s no quick
fix, apart from education and awareness-raising, and enforcing
policies. But the real key to effective security is risk assessment
and management. Until you know what the risks are, you can’t take
effective action to address them. Once you do know, you can begin to
tailor your security policies, technology and security spend
accordingly.
Risk management means taking a holistic view of the role that
ICT plays in your business activities. For instance, an
organisation may be communicating across both a Local Area Network
(LAN) and Wide Area Network (WAN), and deploying a range of desktop
and mobile devices. In addition, the same company will almost
certainly have a public internet connection, store huge amounts of
data on its servers and send and receive hundreds of thousands of
emails every day.
In order to plan a security strategy, it’s vital to look at all
these aspects of the operation. For instance, let’s say a company
uses a Virtual Private Network (VPN) to connect staff working at
home to the office network. That company will certainly secure its
office systems and VPN but it should also be taking a close look at
how its staff are using computers in the home. Are the necessary
firewalls and virus protection measures in place? Are the users
following the log-on and authentication policies? Are other people
using the machines? ‘You have to think beyond simply securing a
network. You have to think in terms of security across end-to-end
solutions,’ says Ken.
The past few years have seen much greater awareness of the ICT
security issue but that has not always kept pace with developments
in technology and working trends. However, by including secure
technology to complement their solutions, suppliers such as
ntl:Telewest Business are playing an important role in ensuring
that UK businesses can continue to trade safely. ntl:Telewest
Business can provide security solutions to complement its broad
range of services, offering customers end-to-end protection:
- Customers buying a Leased Line service can add a managed security
option with all the basic
protection required. ‘It has a firewall, antivirus, antispam and a
degree of intrusion protection,’ says Ken Johnson. ‘We deliver it
to the site in a box and do all the management.’
- There are solutions for personnel working away from the office
and connecting via a VPN. Security has evolved rapidly here in
recent years. Where once it was enough to provide a secure tunnel
of connectivity on the public internet, customers now require
protection tailored to their own requirements. Often this relates
to the equipment used by the remote workers. Some companies issue
‘trusted’ devices, others allow personnel to use their own
machines. In many cases it’s a mixture of both. The upshot is that
there is no one-size-fits-all solution to securing a VPN (and
ultimately the office network). ‘So we’re moving to what we call a
granular approach,’ says Ken. This means setting up communication
rules for individual devices using a technology dubbed Internet
Protocol Security (or IPsec).
- ntl:Telewest Business has also developed its security offering
on its WAN services. For example, for those who need it, data can
be encrypted for extra security, a
feature that has enabled ntl:Telewest Business to win contracts
with organisations that deal in sensitive information as their
stock-in-trade. ‘We’ve been aiming to bring the level up to meet
the security standards required by bodies such as police forces,’
says Ken. ‘That’s been our objective and we’re getting there.’