Policing the people

Despite the numerous advances in security solutions, viruses, hackers and internet worms continue to breach defences. What local companies have to realise is that user behaviour is both the strongest and the weakest link in any organisation's defences. As such, security policies and their successful implementation are key to protecting businesses.

By Patrick Phelvin. Published October 28, 2003

Introduction

The threat from hackers, worms and online thieves is growing rapidly. While there is a huge number of products and services on the market that promise to negate these risks, advances in security technology are meaningless unless a company has a disciplined, well thought out and effectively communicated security policy in place.

Within the Middle East, security is often seen as a side issue to a company’s core business, a matter that is only raised in the boardroom as a knee-jerk reaction to a well-publicised virus like Sobig or after a costly hack makes the headlines. As such, the majority of market pundits believe local companies need to raise their game or face the consequences.

“The unfortunate reality is that awareness and interest in security tends to boom in the aftermath of a major disaster or high-profile security breach, and then quickly fades away shortly afterwards. There’s an inverse rule to business interest vis-à-vis security issues. Immediately after a major incident, nine out of ten senior managers will make security policy their top priority,” says Daniel Nufer, managing director of ComGuard.

“With every week that passes, half that number will get caught up with something else, and security gets pushed off the agenda. After about five or six weeks — with a few exceptions — everybody’s talking about something else. Then another incident happens, and the cycle starts again,” he adds.

Waiting for the next disaster to kick-start a discussion about security policies is not a responsible way to manage the issue, and any company without the necessary protection should act on it immediately. However, just who should take this action within an organisation appears to be a problem in itself.

“One of the big problems we’ve got is that perceived ownership inside the organisation sits on the IT managers’ desk… People understand the importance of it but perhaps they are not actioning it,” says Kevin Isaac, regional director, Symantec Middle East & Africa.

“If you were to go to a small-to-medium sized organisation, for instance, the managing director would tell you that he has a personal interest in insurance policies, the staff’s health and welfare and the company fire alarms. But if you ask him if his antivirus is up to date, he will tell you to speak to the IT manager. That’s the chasm that we’ve got,” he adds.

The main reason for the apathy appears to be an ‘it won’t happen to me’ attitude. But a recent study by Gartner Group reveals that by 2005 a fifth of companies will experience a serious breach of IT security. Statistics like this should be a wake-up call, especially to those companies holding sensitive third-party information on their systems. But there are other benefits, like cost savings, to encourage companies to re-think their security policies.
Cost in relation to security issues

“A number of companies ask themselves why someone in the accounts department needs to receive Mpegs or AVI files when there is no business requirement. By limiting the sort of information that comes in and out of the company the security risk is reduced and money saved because it uses less bandwidth,” says Justin Doo, managing director, Trend Micro Middle East, Africa & Benelux countries.

“Cost savings and security issues are far more closely aligned than they have been in a long time and this link will continue to grow as awareness of security matters increases,” he adds.

Despite Doo’s belief that security and reduced costs are closely integrated, it is something security solution providers and IT managers find difficult to communicate, because just how much a successful security policy affects the bottom line of a business is hard to quantify.

However, managing directors would do well to note the true cost of dealing with a security breach, which can be astronomical. ICSA Labs, for instance, reported that the average cost of dealing with the recent MSBlaster virus was US$475,000, with some larger node-count companies losing more than US$4 million in remediation and productivity.

“Only when top management sees what the dollar value of their data is will you see some quality policies and procedures,” says Vernon Fryer, head of information security, Information Management Technologies (IMT).

Companies with a minimal understanding of security can implement high quality policies by following benchmark international standards for IT security management systems, such as BS7799 and ISO17799.

BS7799 highlights flaws in an organisation’s security system, as measured against threats such as unauthorised access to or use of resources (authentication), leakage of information (confidentiality) and corruption or unauthorised change of data (integrity).

Finance houses in particular are looking at benchmarks such as BS7799, both within the local market and internationally. The motivation for this stems from the introduction of new standards across the banking & finance industry, such as those created by the BASEL Banking Committee, which are designed to govern internet banking and address its vulnerabilities.
Implementing policy

For instance, the introduction of these standards led Commercial Bank of Dubai (CBD) to appoint Aizaz Zaidi as assistant manager, IT security & quality assurance.

“When I joined in 2002 there was no single document for people to follow, just some general security procedures. My first task was to implement the benchmark BS7799 standard. That is where I wanted CBD to be,” says Zaidi.

“I started a gap analysis to see where we needed to be and where we were. The results were quite surprising: although the system was fairly secure, we had a lot of work to do,” he adds.

Something like gap analysis is essential to the creation of an effective policy as only once threats have been clearly identified can they be addressed. And, although the nature of a policy will differ from organisation to organisation, there are some universal elements that should be considered by all.

First up is the physical security of a network, which must have the proper procedures attached to it to ensure only the right people have access to the right information or services. Good access control includes managing remote access and enabling administrators to be efficient in their work. It should be kept simple to cut down on the likelihood of administrator error.

The type of authentication used varies, depending on where users are authenticating from. From their desk, a simple username and password may be sufficient because of the accompanying physical security. When a user connects from afar, a stronger form of authentication may be necessary. For remote access to sensitive information, encryption is, for the most part, vital.
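The rule described above, that the required authentication strength and channel protection depend on where the user connects from and how sensitive the requested resource is, can be written down as an explicit policy table and evaluated mechanically. The following is an added example, not code from the article or from any of the standards it mentions. The location and sensitivity classes, the assumption that an undetermined location is treated as remote (fail closed), the assumption that confidential data on the office LAN still needs two-factor authentication, and the sample requests are all constructed for illustration.

```python
"""Access-policy evaluator for location-dependent authentication.

Added illustration: the class names, the policy table and the sample
requests below are assumptions, not wording from BS7799 or ISO17799.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Location(Enum):
    OFFICE_LAN = "office_lan"   # physically controlled premises
    REMOTE = "remote"           # home, hotel, dial-up, public internet
    UNKNOWN = "unknown"         # source could not be classified


class Sensitivity(Enum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2


class AuthLevel(Enum):
    PASSWORD = 1       # username and password only
    TWO_FACTOR = 2     # password plus token, certificate or one-time code


@dataclass(frozen=True)
class Request:
    user: str
    location: Location
    sensitivity: Sensitivity
    auth_level: AuthLevel      # what the user actually presented
    channel_encrypted: bool    # whether the session is protected in transit


@dataclass(frozen=True)
class Decision:
    allowed: bool
    required_auth: AuthLevel
    encryption_required: bool
    reason: str


def required_controls(location: Location,
                      sensitivity: Sensitivity) -> Tuple[AuthLevel, bool]:
    """Return (minimum authentication level, encryption required?).

    Fail closed: a location we cannot classify is treated as remote.
    """
    if location is Location.UNKNOWN:
        location = Location.REMOTE
    if location is Location.OFFICE_LAN:
        # Physical security compensates for a weaker login, except for the
        # most sensitive data (assumption made for this example).
        strong = sensitivity is Sensitivity.CONFIDENTIAL
        return (AuthLevel.TWO_FACTOR if strong else AuthLevel.PASSWORD, strong)
    # Anything off-premises: two-factor always, encryption for non-public data.
    return (AuthLevel.TWO_FACTOR, sensitivity is not Sensitivity.PUBLIC)


def evaluate(req: Request) -> Decision:
    """Check one request against the policy and explain the outcome."""
    auth, enc = required_controls(req.location, req.sensitivity)
    if req.auth_level.value < auth.value:
        return Decision(False, auth, enc,
                        f"{auth.name} required for {req.sensitivity.name} "
                        f"data from {req.location.name}, got {req.auth_level.name}")
    if enc and not req.channel_encrypted:
        return Decision(False, auth, enc,
                        f"encrypted channel required for {req.sensitivity.name} "
                        f"data from {req.location.name}")
    return Decision(True, auth, enc, "policy satisfied")


# Constructed sample requests exercising the main cases and the edge cases.
SAMPLE_REQUESTS: List[Request] = [
    Request("alice", Location.OFFICE_LAN, Sensitivity.INTERNAL,
            AuthLevel.PASSWORD, False),          # desk login, plain password: ok
    Request("bob", Location.REMOTE, Sensitivity.CONFIDENTIAL,
            AuthLevel.PASSWORD, True),           # remote, password only: denied
    Request("bob", Location.REMOTE, Sensitivity.CONFIDENTIAL,
            AuthLevel.TWO_FACTOR, False),        # remote, unencrypted: denied
    Request("bob", Location.REMOTE, Sensitivity.CONFIDENTIAL,
            AuthLevel.TWO_FACTOR, True),         # remote, both controls: ok
    Request("eve", Location.UNKNOWN, Sensitivity.PUBLIC,
            AuthLevel.PASSWORD, False),          # unknown source treated as remote
]


def run_policy(requests: List[Request] = SAMPLE_REQUESTS) -> List[Tuple[str, bool]]:
    """Evaluate every request; returns (user, allowed) pairs for inspection."""
    return [(r.user, evaluate(r).allowed) for r in requests]


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        d = evaluate(r)
        print(f"{r.user:6} {r.location.name:10} {r.sensitivity.name:12} "
              f"-> {'ALLOW' if d.allowed else 'DENY ':5} ({d.reason})")
```

The point of keeping the table in one function (`required_controls`) is that the policy document and the enforcement point say the same thing: an auditor can read the five-line table against the written policy, and a change in policy is a one-line change rather than a hunt through login code.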

Furthermore, because users are widely recognised as the Achilles heel of system security, a security policy is nothing if it is not effectively communicated to them. If employees do not understand the power and proper use of the network, they can unintentionally compromise security or be duped into it. In particular, employees must manage passwords properly.

“There’s no doubt in my mind that the biggest thing lacking in the industry is the people,” says Fryer. “Awareness about security has been created, but unfortunately that awareness has not filtered down to the desktop user as quickly and as rapidly as it should. People are aware of viruses and that’s about it,” he adds.

As users are identified time and time again as the weak link in a security system, companies have to be ever more creative in the way they communicate policy to their staff. Some firms are tackling the issue by distributing coffee mugs and mouse mats with IT security tips printed on them. Harsher methods of getting the message across include the circulation of a monthly blacklist featuring the names of the organisation’s worst offenders.
Communicating policy

Zaidi agrees that communication of the policy to users is critical to its success and CBD is developing an education programme to ensure users are aware of their responsibilities.

“At CBD we have started a programme of raising awareness about security policy. You can have the world’s best password protection system in place but it is rendered useless if staff start giving their passwords out. That is why it is so important they [the users] are properly informed and included in the process of system security,” he says.

After the policy is developed, a thorough evaluation should be done to ascertain whether the objectives of the policy have been achieved. Organisations must assess whether their policy complies with the law and their duties to third parties, and whether it compromises the interests of employees. An evaluation must also ask whether a security policy is practical, workable and likely to be enforced.

BS7799 recommends regular audits, as frequently as every six months for critical systems. Furthermore, without sufficient auditing, a company may have no legal recourse if there is a security breach. Auditing can also identify problems before they turn into breaches. The policies must be reviewed regularly to ensure they are still relevant, especially if an initial policy document is kept simple.

“What I have noticed in the audits is that people are implementing extremely secure systems but are not managing them properly. And why they are not managing them properly is because of the lack of proper procedures and policies,” says IMT’s Fryer.

Fryer says writing an effective policy is not rocket science. The end result should not be an unreadable 60-page tome, consigned to the filing cabinet once signed off, but a flexible, concise work. “People are creating extremely thick policy documents and a typical example of a corporate security policy is sometimes 50 or 60 pages. This normally should not be the case. A policy document should never ever really be more than five pages. It should be considered as a guideline from top management,” he adds.

The benefits of a well constructed and professionally implemented security policy are numerous. For the region’s banking community, one of the biggest pluses is client reassurance.

“The security improvements give us a marketing edge, especially as we are going into internet banking. There is no legal requirement for us to meet the BASEL recommendations but they are a good standard to work towards. It gives clients confidence that our systems are secure,” says Zaidi.

Habib Bank AG Zurich is also reaping the benefits of a well-planned security policy. The bank launched multiple delivery channels for its client base three years ago. Habib Bank was one of the first banks in the Middle East to offer secure WAP banking and multiple products through its internet banking arm, HBZweb, and its event-based SMS messaging service, HBZgsm.

So far, Habib Bank’s system security remains unbreached. Amer Farid, HBZ’s assistant vice president, says the policy has proved successful because IT staff worked with employees of all levels, including directors, to ensure a holistic approach was taken when designing and implementing the document.

“An effective policy covering all aspects of security, not just viruses, is important and what is more critical is actually implementing it within the infrastructure. Unfortunately a majority of IT managers are not in a position to think beyond the virus threat,” he explains. “Security was not considered a single element residing somewhere on the network, like a firewall. It was a design principle for all tiers and layers of the application, the required software infrastructure and the physical infrastructure. In short, it was integrated security across the board,” Farid adds.
Future developments

While security remains one of the key issues of the day, how it will develop remains to be seen. Development in the banking sector has been driven by formal frameworks and international standards.

On the back of that, the US Government is considering legislation to require companies which hold third-party information on their systems to meet more rigorous requirements. But much of the IT industry remains wary of government interference in security matters, and security solution providers are gearing up for a court battle to prevent the legal governance of policy management. They believe more red tape would stifle economic growth.

“Symantec supports people being free to policy manage themselves because the last thing we want is an environment that’s restrictive and doesn’t help market-driven forces to grow economies and businesses,” comments Isaac. “The private sector has shown it can be responsible and creative in dealing with these security threats,” he adds.

Where next?

British Standards Institute (www.bsi.org.uk)
ComGuard (www.comguard.net)
Gartner Group (www.gartner.com)
IMT (www.imt.com.sa)
Symantec (www.symantec.com)
Trend Micro (www.trendmicro.com)
