Recognising the enemy within

an article added by: Frank C. at 06032007




To do their jobs efficiently people are placed in a position of trust, with access to sensitive data and systems. You cannot just rely on their goodwill, says Declan Grogan at Security Designers. Temporary, careless or rogue employees can cause real problems.

Conspiracy or complacency?
It should be recognised that, to allow people to do their jobs efficiently, we have to place them in a position of trust, with access to sensitive data and systems. Given the evidence, however, it is no longer adequate to rely purely on goodwill and faith. Several areas carry particular risk.

Temporary staff
At times of peak load, temporary staff often arrive on site on the first day, direct from the supply agency, without interview or any other screening. Of course they come with the Microsoft Word and Excel skills we specifically asked for, and those can be demonstrated in minutes, but what other skills are they armed with? Having worked in a greater variety of environments, they are often more adept at finding their way into unprotected parts of the network. What privileges do we ask our network administrators to give these people when, after all, we expect them to do the same work as a full-time member of staff? The practical answer is an account of their own, granted only the access the task needs and set to expire on the contract's end date, rather than a shared login or a copy of a permanent employee's permissions.

Rogue and careless employees
The obvious primary candidate in this category is the disgruntled employee: overlooked for promotion, supposedly undervalued, denied a reserved car parking space, or just plain got out of bed on the wrong side. The next candidates are under-utilised employees who find themselves with time on their hands during the working day in which to experiment and investigate. For whatever reason, at a given moment they are not the best friends of the company. The careless employee is the one who leaves their password written on a piece of paper in the top drawer of their desk, or who walks away from a terminal leaving it connected to a valuable data source. The careless employee is not necessarily malicious and in most cases is not aware of the potential impact of their actions, because nobody has made it clear to them. Some of this exposure can be removed without relying on the user at all: a screen lock that engages after a few minutes' inactivity closes the unattended-terminal problem regardless of how careful the person is.

Whatever the nature of the internal breach, the cost of remedying the damage is potentially very high, assuming that you are even aware the breach has occurred. How do you stop company-confidential information disappearing out onto the Internet at the touch of a button? Or stop the joke application sent to you by a friend from quietly passing information to a hacker on the Internet via a Trojan? Virus protection certainly has to be a priority here, on both the workstations and the mail servers. Careful consideration should also be given to who should be able to send mail attachments, and to the deployment of scanners that check mail content to stop people sending out unauthorised confidential material. Another threat associated with email, and one that has led to well-documented cases of very costly lawsuits, is that of defamatory remarks being issued to the outside world via corporate email. The word ‘policy’ applies here as elsewhere.
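The two controls the paragraph asks for, a limit on who may send attachments outside the company and a content check for marked confidential material, can be expressed as a single outbound filter. The block below is an added example written for this article; it is not a product of Security Designers or of any scanner mentioned on the page. The corporate domain (example.co.uk), the allow-list of senders cleared to attach files, the classification markers and the three sample messages are all constructed for the demonstration.

```python
"""Outbound mail policy check: hold mail that carries a classification marker
or that attaches files from a sender not cleared to send them externally.

Added example written for this article; it is not a product of Security
Designers or any scanner named on the page. The domains, the allow-list and
the marker strings are assumptions for the demonstration."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

INTERNAL_DOMAINS = {"example.co.uk"}            # assumed corporate mail domain
ATTACHMENT_SENDERS = {"finance@example.co.uk"}  # assumed: cleared to attach files to external mail
MARKERS = re.compile(r"\b(COMPANY CONFIDENTIAL|INTERNAL ONLY|RESTRICTED)\b", re.IGNORECASE)


def _addresses(msg, header):
    """All addr-specs in a header, lower-cased; the header may occur more than once."""
    return [a.addr_spec.lower() for h in (msg.get_all(header) or []) for a in h.addresses]


def _readable_parts(msg):
    """Yield (label, text) for every leaf part, attachments included.

    Binary parts are decoded loosely so a marker sitting in plain bytes is still
    seen; a production scanner would extract text from Office and PDF files."""
    for part in msg.walk():
        if part.is_multipart() or part.get_content_type() == "message/rfc822":
            continue
        content = part.get_content()
        if isinstance(content, bytes):
            content = content.decode("utf-8", errors="replace")
        yield part.get_filename() or part.get_content_type(), content


def check_outbound(raw):
    """Return {'action': 'deliver' | 'quarantine', 'external': [...], 'reasons': [...]}."""
    msg = message_from_bytes(raw, policy=policy.default)
    senders = _addresses(msg, "From")
    sender = senders[0] if senders else ""
    recipients = _addresses(msg, "To") + _addresses(msg, "Cc") + _addresses(msg, "Bcc")
    external = [r for r in recipients if r.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS]
    reasons = []
    if external:  # mail that stays inside the company is not this filter's concern
        names = [p.get_filename() or p.get_content_type() for p in msg.iter_attachments()]
        if names and sender not in ATTACHMENT_SENDERS:
            reasons.append(f"{sender} is not cleared to send attachments externally: {', '.join(names)}")
        for label, text in _readable_parts(msg):
            hit = MARKERS.search(text)
            if hit:
                reasons.append(f"classification marker '{hit.group(0)}' in {label}")
    return {"action": "quarantine" if reasons else "deliver",
            "external": external, "reasons": reasons}


# Constructed sample messages; none of this is real traffic.
CUSTOMER_LIST = "COMPANY CONFIDENTIAL\ncustomer,contact,phone\nAcme Ltd,B Jones,0113 000 0000\n"


def _base(sender, to, body):
    m = EmailMessage()
    m["From"] = sender
    m["To"] = to
    m["Subject"] = "FYI"
    m.set_content(body)
    return m


def sample_leak():
    """A marked customer list sent by an ordinary user to a webmail address."""
    m = _base("J Smith <j.smith@example.co.uk>", "friend@webmail.example.net", "Thought this might be useful.")
    m.add_attachment(CUSTOMER_LIST, subtype="csv", filename="customers.csv")
    return m.as_bytes()


def sample_internal():
    """The same list sent to a colleague: internal, so the filter lets it through."""
    m = _base("j.smith@example.co.uk", "a.brown@example.co.uk", "Updated list attached.")
    m.add_attachment(CUSTOMER_LIST, subtype="csv", filename="customers.csv")
    return m.as_bytes()


def sample_finance():
    """A cleared sender attaching an unmarked invoice for an external supplier."""
    m = _base("finance@example.co.uk", "accounts@supplier.example.com", "Invoice attached.")
    m.add_attachment(b"%PDF-1.4 invoice placeholder", maintype="application",
                     subtype="pdf", filename="invoice.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    for build in (sample_leak, sample_internal, sample_finance):
        print(build.__name__, check_outbound(build()))
```

The leak is quarantined for two independent reasons (an uncleared sender attaching a file externally, and a classification marker inside the attachment), the internal copy is delivered because the filter only looks at mail leaving the company, and the finance invoice is delivered because that sender is on the allow-list and the file carries no marker. Marker matching only catches material that was labelled in the first place, which is the weak point of any such scanner; it has to sit alongside a policy that makes staff label confidential documents.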

Poor network policy
Modern PC systems are designed to talk to each other very easily, and the average school leaver has plenty of familiarity with them. The ability to browse the internal network opens up the possibility of seeing data on all sorts of internal systems and on other users’ PCs. It is quite conceivable that in a poorly secured environment a user could gain access to the information held on a senior manager’s PC. The paper copies of a business's management accounts are kept under lock and key, yet it is often easy to reach the same information on poorly secured servers or PCs. This is made worse by the fact that all sorts of tools can be downloaded, along with documented backdoors into desktop and server operating systems. Once again, policy, together with appropriate traffic management and auditing, goes a long way to protecting sensitive data.

Policy does not apply to me!
Having a policy is all well and good, but it must be enforced. Threats often emerge from users who feel encumbered by the policy and do not recognise the reasons behind it. A common example is surfing the Internet. Users who want unfettered access may be tempted to use a modem for direct access to the Internet, thereby circumventing perimeter security measures such as firewalls (which are an absolute must for external defence). Hackers can come down this modem line using a technique known as ‘polevaulting’, and gain all the privileges associated with the device that has the modem attached to it; because that device is also on the internal network, it becomes a bridge straight past the firewall. It should also go without saying that modem numbers should be well protected and not distributed. A policy is only useful when properly understood by everyone and enforced rigorously. To do this, managers must be able to see any contraventions easily and be able to evidence them so that appropriate action may be taken.

The victimless crime?
One of the challenges with computer security is the idea that it is a victimless crime. If an internal hacker copies a database of customer details, the company still has the database and therefore may not see it as a crime. It is, however, and the victims are all the people who suffer as a consequence should business levels drop off because a competitor has their customer information. People often do not realise the financial impact of the time spent rebuilding systems after a vandal has destroyed data, or of the loss in service to customers. It all has an impact, and we have a duty to minimise the opportunities for these types of incident. We invest in burglar and car alarms. We generally understand physical security because we can see and touch it, but data is often overlooked until it is too late. Try throwing away your computer and ask what you miss: the machine or the information on it? We do not leave the keys to the building, the managing director’s office and the filing cabinet on a hook by the door, and corporate data should be treated with the same, if not more, sensitivity.

Board responsibilities
There are now a whole host of legal and regulatory requirements detailing the responsibilities of the board or a business owner to ensure that information stored on computers, particularly personal information, is protected from improper use or access. These include:
The Data Protection Act 1998;
The Human Rights Act 1998;
The E-commerce Directive;
The Unfair Contract Terms Act 1977;
The Regulation of Investigatory Powers Act 2000;
The Electronic Communications Act 2000.
The Turnbull Report, issued in 1999, provides a framework to help interpret the ‘Combined Code on Corporate Governance’, which is appended to the Listing Rules of the UK Listing Authority. Companies listed on the London Stock Exchange must show that they have assessed the risks to the organisation and that policies are in place to ensure that, as far as is practicable, the potential for damage or loss has been reduced to realistic levels. Although directed at listed companies, the findings of the Turnbull Report are equally applicable to, and make business sense for, other organisations.

The report states that ‘the board of directors is responsible for the company’s system of internal control. It should set appropriate policies on internal control and seek regular assurance that will enable it to satisfy itself that the system is functioning effectively. It should ensure that the system of internal control is effective in managing those risks in the manner which it has approved’ [1]. Dependence on IT means that for many firms the financial consequences of any loss of information or breach of security must be considered. This needs to be reviewed not simply in terms of the information itself, but also in terms of the cost of preventing further failures and the impact on the company’s reputation, brand value, performance and future potential.

BS 7799 (ISO 17799)
The British Standards Institution (BSI) has published the standard for an Information Security Management System (ISMS) that offers external audit and certification to a recognised British standard, and many organisations are now looking to it as a benchmark for good practice and as a measure of those with whom they wish to trade electronically. Part 1 of BS 7799 is the code of practice, since adopted internationally as ISO/IEC 17799; Part 2 specifies the management system against which an organisation is audited and certified. This provides an excellent framework for establishing the policies and procedures that allow organisations to protect themselves from security threats, both internal and external, and it also provides a structured approach and a common measure for all organisations. Although formal take-up through the externally audited certification route has been slow, the pace is now quickening, with the UK Government mandating compliance across departments and government tenders now stating that preferred bidders should be compliant. Taken together with the legal aspects of information security, the Turnbull Report and the growing nervousness of the insurance market, BS 7799 and information security management are certainly going to enter the boardroom agenda in the coming months.

A final word on security
Management systems must be put in place and a series of checks and reporting methods established. At the very least a clear and unequivocal security policy should be put in place, and staff should be trained to understand its relevance and its requirements. Some of the harm arises from people failing to recognise the value of the data, as pointed out in the 2002 DTI survey that estimates a cost to UK business of some £18 billion per annum. In general, behaviour is the only way in which we can spot potential data thieves or vandals before the event occurs. This comes down to good and sensitive management; an awareness of staff abilities, life issues and work patterns is essential, since a change in any of these could be the trigger for such an event. Monitoring the overall behaviour of people and watching for changing patterns of work is also a good way of establishing potential weaknesses. Who is in the office when no one else is, early in the morning or late at night? Is it conscientious work on your behalf or on theirs? We should not, however, be paranoid about people on a personal basis, and any monitoring must itself be proportionate and lawful: the Data Protection Act and the Regulation of Investigatory Powers Act listed above govern what an employer may record about staff and intercept on its own network. Most people should understand that your organisation has a security policy and that it is enforced. Equally, it is useless to set a policy if you have no intention of enforcing it, and it is unfair on managers to expect them to implement one without giving them the tools for the job. Once it is understood that the policy is in place and that the tools are there to protect systems and give managers any forensics they may need, all but the most determined data thief or vandal will be put off.
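The questions in the paragraph above, who is on the systems when nobody else is and whose pattern of work has changed, can be asked of the login records rather than of memory, and the answer can carry the evidence a manager would need. The following is an added example written for this article, not the Active Net Steward product or any other tool named on the page. The log line format, the users and hosts, the choice of 07:00 to 19:59 as core hours, the list of sensitive hosts and the one-hour "alone" window are all constructed assumptions; the approach (a per-user baseline from a reference period, then flagging departures from it) is the general one.

```python
"""Flag logins that are out of character for the user: outside core hours at a
time never seen before, on a sensitive host they have not used before, or with
nobody else active around them. Each finding keeps the raw log line as evidence.

Added example written for this article; it is not the Active Net Steward
product or any other tool named on the page. The log line format, the users,
hosts, core hours and the one-hour window are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: "<YYYY-MM-DD> <HH:MM:SS> <event> user=<name> host=<name>"
LINE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>\w+) "
                  r"user=(?P<user>\S+) host=(?P<host>\S+)$")
CORE_HOURS = range(7, 20)          # assumed: 07:00 to 19:59 is an ordinary working day
SENSITIVE_HOSTS = {"FIN-SRV01"}    # assumed: where the management accounts live
ALONE_WINDOW = timedelta(hours=1)  # "alone" means no other user logged in within this span


def parse(lines):
    """Parse lines that match the format; keep the raw line as evidence for managers."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # unparseable lines are dropped rather than guessed at
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                       "event": m["event"], "user": m["user"], "host": m["host"],
                       "raw": line.strip()})
    return events


def build_baseline(events):
    """Hours of the day and hosts that are normal for each user, from a reference period."""
    hours, hosts = defaultdict(set), defaultdict(set)
    for e in events:
        if e["event"] == "login":
            hours[e["user"]].add(e["ts"].hour)
            hosts[e["user"]].add(e["host"])
    return {"hours": dict(hours), "hosts": dict(hosts)}


def find_anomalies(baseline, events):
    """Compare a new period against the baseline; every finding carries its evidence line."""
    logins = [e for e in events if e["event"] == "login"]
    findings = []
    for e in logins:
        user, hour = e["user"], e["ts"].hour
        usual_hours = baseline["hours"].get(user, set())
        usual_hosts = baseline["hosts"].get(user, set())
        reasons = []
        # A night-shift user's regular 23:00 login is in their baseline and is not flagged.
        odd_hour = hour not in CORE_HOURS and hour not in usual_hours
        if odd_hour:
            reasons.append(f"login at {e['ts'].strftime('%H:%M')} is outside core hours and unseen for {user}")
        if e["host"] in SENSITIVE_HOSTS and e["host"] not in usual_hosts:
            reasons.append(f"first recorded login by {user} to sensitive host {e['host']}")
        company = [o for o in logins if o["user"] != user and abs(o["ts"] - e["ts"]) <= ALONE_WINDOW]
        if odd_hour and not company:
            reasons.append("no other user logged in within an hour")
        if reasons:
            findings.append({"user": user, "host": e["host"], "when": e["ts"].isoformat(sep=" "),
                             "reasons": reasons, "evidence": e["raw"]})
    return findings


# Constructed logs: a reference period, then the period under review.
BASELINE_LOG = """\
2002-09-02 08:02:11 login user=jbloggs host=WS-042
2002-09-02 07:48:30 login user=asmith host=FIN-SRV01
2002-09-02 22:58:04 login user=nightops host=BACKUP-01
2002-09-03 08:15:40 login user=jbloggs host=WS-042
2002-09-03 07:52:09 login user=asmith host=FIN-SRV01
2002-09-03 23:01:17 login user=nightops host=BACKUP-01
2002-09-04 17:55:00 logout user=jbloggs host=WS-042
""".splitlines()

WEEK_LOG = """\
2002-09-09 08:05:23 login user=asmith host=FIN-SRV01
2002-09-09 08:40:10 login user=jbloggs host=WS-042
2002-09-09 23:05:41 login user=nightops host=BACKUP-01
2002-09-10 02:13:55 login user=jbloggs host=FIN-SRV01
2002-09-10 09:01:02 login user=jbloggs host=WS-042
this line is deliberately malformed and is ignored
""".splitlines()


def run():
    """Findings for the constructed week against the constructed baseline."""
    return find_anomalies(build_baseline(parse(BASELINE_LOG)), parse(WEEK_LOG))


if __name__ == "__main__":
    for f in run():
        print(f["user"], f["when"], f["host"])
        for r in f["reasons"]:
            print("  -", r)
        print("  evidence:", f["evidence"])
```

On the constructed data only one login is reported: jbloggs, whose baseline is office hours on a workstation, appearing at 02:13 on the finance server with nobody else around, and all three reasons are attached to the single raw line that proves it. The night operator's 23:05 login is in that user's own baseline and is not flagged, which is the point of building the baseline per person rather than applying one company-wide curfew. The reference period here is two days for brevity; in practice it should cover several weeks so that legitimate month-end or shift patterns are already in the baseline.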

There is no such thing as the perfect system. There is no bank that cannot be robbed, only those so strongly protected that softer targets are chosen instead. Security is provided not by one device but by a range of devices, systems and management procedures, built up in layers like the skins of an onion: the outer skins may get damaged, but the inner core is preserved. There are lessons to be learnt from the disaster recovery business, where corporations have suffered major fires that destroyed their core assets. Those whose corporate information was secure and who had systems in place were able to continue; those who did not perished.

Capitalising on over 20 years’ experience developing some of the communications protocols at the heart of every Microsoft Windows communications platform, Security Designers Ltd is a privately owned, independent UK-based software company. Emanating from connectivity specialists Network Designers, Security Designers was set up in 2000 to sell and market the award-winning Active Net Steward Security Information Management System (SIM). It now has a growing base of UK government, NHS, education and commercial sector organisations, and is quickly establishing a reputation as a leading supplier in the field. For more information contact: Security Designers Ltd, 5 Wharfe Mews, Cliffe Terrace, Wetherby, Leeds, West Yorkshire LS22 6LX. Tel: +44 (0) 1937 584 584; Fax: +44 (0) 1937 587 367; Email: info@SecurityDesigners.com; Website: www.SecurityDesigners.com

