Firms in the dark about the risks from hackers
IT IS often said - and quite rightly - that IT security is at least as much about acquiring the right culture or mindset as it is about implementing this or that technology.
There are so many layers to security, from basic things, such as the way people behave, to complex technical aspects such as implementing firewall rules, or knowing how to respond to alerts from intrusion detection logs. Getting all the pieces in place and keeping them in order is something that takes both vigilance and skill. Get it wrong and your whole business could be at risk.
Rory Innes, marketing manager at Edinburgh-based security consultancy DNS, says organisations tend to do best on IT security when they deliberately set out to forge a clear policy. "There is an ISO standard, ISO 27001, that focuses on IT security and is a great starting point for any organisation," he says.
Innes points out that a number of Scotland's public sector organisations in the last few years have adopted ISO 27001 and have benefited greatly as a result. Now the practice is spreading to private sector companies as well.
Implementing ISO 27001 can be done with an in-house team if the organisation has sufficiently experienced IT staff. However, for most of Scotland's small to medium-sized companies (SMEs), this is not an option. They will need to use the services of a company such as DNS to help them analyse their existing IT security policies and processes and to do a gap analysis, identifying what is missing and what needs to be done to bring the organisation up to best practice.
The cost of not taking proper steps to secure the organisation's IT can be staggeringly high, he warns. "The Department of Trade and Industry released a report on the damages caused by security breaches. They found that the average breach costs the company involved around 40,000, but the cost tends to be proportionately larger for bigger organisations."
According to Innes, demand from SMEs for managed security services has shot up over the last few years. "We ourselves have seen a massive uptake in managed services," he says.
The reasons for this are obvious. Not only is IT security a complex and technical issue, hack attacks are most definitely not limited to working hours. "You can't do a nine-to-five on this. Hack attacks come from around the world and when you're leaving the office many of the hackers are just starting work," Innes notes.
One of the biggest weaknesses in many organisations' approach to IT security is that they put the right systems in place, including intrusion detection systems which tell them if any unauthorised person has gained access to their system, but they fail to act on the warnings. "An intrusion detection system will monitor your operation and it will attempt to block intruders and flag up alerts, but if no one in the organisation is reading the log, no one will see the alerts," he says.
All too often, the technology whirrs away in the background, doing its job, but it takes human skill to analyse what is happening and to make a proper evaluation of the risk posed by the threat. This, again, speaks to the need for a managed service that can respond round the clock.
"A big theme in security these days is controlled access," he says. This means regulating not just access to the system in general, as with a log-on username and a password, but controlling who can carry out what functions and who can access which parts of the system.
In Innes's opinion, Scottish firms have been relatively good over the last few years in recognising the importance of IT security and in being prepared to budget for it. "In my view, Scotland is quite far ahead, as far as the UK as a whole is concerned. Public sector organisations in Scotland in particular are well ahead of England and Wales as far as leadership thinking in IT security is concerned," he comments.
One technology that looks likely to help all kinds of users, including individual PC and notebook users at home, achieve better IT security is the move to "multi-core" processors. Both the major PC chip manufacturers, Intel and AMD, now have multi-core processors on the market. In effect, multi-core puts two or four "core" processors on the same chip. There are huge benefits to this for users in terms of increased power, since each processor can work independently of the others. Increasingly, for example, people want to do multiple tasks simultaneously on their PC. They may be using it to play music while they surf the internet, or to check on e-mail while they analyse a spreadsheet.
Where multi-core processing becomes important from a security perspective is that it means that one or more processors can run security programmes at the same time as the user carries on with other tasks. It means that, in future, security software will be able to carry out very elaborate security monitoring and checking in real time while the user carries on with normal tasks. The system will be able to do this with no detrimental effect on computer performance because a "spare" processor in the multi-core system is handling security. In a single processor system, security tasks have to be shared with other tasks and this can result in a marked drop in normal performance, from the user's perspective, when the security programme is running.
One of the challenges facing companies when it comes to designing a security policy is working out exactly where the real value of the business lies. Is it the e-commerce website? Is it the databases that drive the website? Often the answer will be both, and different levels of protection will apply to each.
Paul Davie, chief executive of Secerno, which specialises in database security, argues that for the majority of firms, databases are where the real value of the business lies. And when it comes to databases, disgruntled or dishonest staff can be at least as much of a threat as external hackers.
"A couple of years ago, companies tended to be a bit complacent. That has changed and there is a growing awareness among the public and the private sectors of the risk to the organisation," Davie says. Breaches of data security are now mainstream news and incidents such as the TK Maxx breach made national headlines, he says. "Just before Christmas, the Scottish police put out a warning saying that one in ten call centres have probably been infiltrated by gangs looking to perpetrate identity theft," he notes. Loss of data poses a risk to organisations' reputations and can bring significant financial loss.
Moreover, it is not always clear that an organisation has had its database compromised. The really worrying thing for organisations, Davie points out, is that unlike, for example, when hackers crash a website by overloading it with meaningless traffic, an organisation's database can be copied without anyone knowing. If the right technology is not in place to note and block the copy attempt, the organisation will not realise it has been hacked.
Perhaps even more dangerous is where the hacker, or malicious unauthorised staff member, makes changes to the database without the organisation being any the wiser. The only way to achieve certainty that this kind of thing is not happening is to put a secure, special purpose detection system in front of the database. Secerno uses software from Oxford University that learns the normal patterns of usage involving an organisation's database and can then rapidly identify and alert companies to abnormal usage.
"The only thing our system lets into the database are normal users acting normally, within the bounds of their job function. You can't hack in from outside because that would immediately look like abnormal use, and you can't copy a subset or all of the database as an employee if you do not normally carry out such copying. That too is abnormal use," he says.

