
Security that means business

Break away from a siege mentality

When IT issues jump from the obscurity of the trade press onto the front pages of the national newspapers, it’s usually due to a major security clanger.

We’ve recently read about customer details exposed to the world and vital discs lost in the post. Viruses have threatened to bring global commerce to a standstill and laptops containing Government information have ended up in unknown hands.

According to a report published in 2006 by the Department of Trade and Industry (DTI), awareness of security issues has never been higher. The DTI’s Information Security Breaches Survey noted that the average UK company spends between 4% and 5% of its annual ICT budget on security measures, while a reassuring 98% of businesses had anti-virus software in place.

With great technology comes great responsibility

The DTI also found that most companies surveyed were seeking external advice on the protection of their data and systems, while an increasing percentage had established formal security policies. However, as Mike Davis, a specialist in information security at Ovum, points out, not all organisations have completely understood the range of security risks they face. "Today just about everybody has their firewalls, their virus protection and their anti-spam software in place," says Mike. "But they aren’t necessarily looking at the security risks posed by devices such as PDAs or flash memory."

The ubiquity of these ‘edge’ devices illustrates just how rapidly the security landscape is changing. Five years ago, relatively few people owned an MP3 player. Today they’re pretty much standard issue for just about every office worker. And, like PDAs, these can be used to move information on and off site.

New ways of working also need a going-over. The increasing number of companies sending staff out on the road with PDAs and laptops opens up another gap in corporate defences. As we’ve seen, these devices (and all they contain) can easily be stolen and, as Mike rightly wonders, "How many people actually bother to encrypt their data, even their confidential data?"

Fighting a war on several fronts

The security landscape is constantly mutating. Relatively new technologies such as wireless and VoIP (Voice over Internet Protocol) are not only streamlining entire organisations, but also raising new security issues. ICT security must constantly keep abreast of new laws and regulations. Some of these are sector-specific, such as those laid down by the Financial Services Authority, while others, such as the Data Protection Act, affect just about everyone.

The valiant defenders of ICT security are under siege from a staggeringly diverse range of enemies. In addition to virus-writers, hackers and cyber-fraudsters, organisations face the arguably greater danger that disgruntled or malicious employees will steal or manipulate information. Equally worrying is the thought that such an act need not be intentional. Unavoidable human error can be just as damaging, especially when critical data is lost or confidential information exposed. And let’s not forget acts of God, such as floods, which can knock out an entire system more effectively than any hacker.

Security’s not just a technology issue

In essence, security should be regarded as an enabler, as the protective shell that allows you and your customers to safely do business. This is easy to grasp when you’re talking about, say, e-business, where secure servers are so obviously vital. However, it applies equally to a mobile working environment, where staff are lugging valuable customer information around on ready-to-steal PDAs.

Security mustn’t be seen solely in terms of technical fixes. "It’s a big subject and the technology is only part of it," says Alison Adams, Senior Manager VPN & Security at Virgin Media Business. "It’s about education, planning and risk management."

"The biggest threat to your security comes from your employees," says Mike Davis. "They know they shouldn’t download unauthorised software from the internet. But they still do. They know they should log off before leaving their machines. But they often don’t." Awareness-raising and enforcement policies are clearly important, but the real key to effective security is risk assessment and management. Until you know what the risks are, how can you properly address them via your security policies, technology and budget?

Surveying the battlefield

Risk-management means taking a holistic view of the role that ICT plays within your business activities. For instance, most organisations will communicate across both a LAN (Local Area Network) and WAN (Wide Area Network), and will deploy a range of desktop and mobile devices. In addition, they’ll almost certainly have a public internet connection, store huge amounts of data on their servers and deal with a tsunami of email traffic every single day.

Let’s say a company uses a VPN (Virtual Private Network) to connect staff working at home to the office network. That company will most likely secure its office systems and VPN, but has it also considered how staff use computers at home? Are the necessary firewalls and virus protection measures in place? Are users following the log-on and authentication policies? Are other people using the machines? "You have to think beyond simply securing a network. You have to think in terms of security across end-to-end solutions," says Alison Adams.

By employing secure technology to complement their solutions, suppliers such as Virgin Media Business play an important role in ensuring UK businesses can continue to trade safely. We can provide security solutions to complement a broad range of services, offering customers end-to-end protection.

There are solutions for staff working away from the office and connecting via a VPN. Security here has evolved dramatically in recent years. Where once it was enough to provide a secure tunnel of connectivity on the public internet, customers now require protection tailored to their own requirements. Often this relates to equipment used by remote workers. Some companies issue ‘trusted’ devices, others allow personnel to use their own machines. In many cases it’s a mixture of both. The upshot is that there is no one-size-fits-all solution to securing a VPN (and ultimately the office network). "So we’re moving to what we call a granular approach," says Alison. This means setting up communication rules for individual devices using a technology dubbed Internet Protocol Security (or IPSec).

We’ve also developed the security offering on our LAN services. For those who need it, data can be encrypted for extra security, a feature that has enabled us to win contracts with organisations that deal in sensitive information as their stock-in-trade. "We’ve been aiming to bring the level up to meet the security standards required by bodies such as police forces," says Alison. "That’s been our objective and we’re getting there."
