
Security woes have struck both corporations and the government in recent months. IT audits conducted in Victoria and the Northern Territory cited problems with disaster planning, business continuity and the use of passwords. In April 2003, Internet banking scams hit Australia. How can your organisation protect its data from these ever-increasing security threats?
It takes more than a firewall and a couple of passwords to protect data. The problems identified in the government IT audits related to the internal processes associated with organisational security. They included out-of-date or absent disaster recovery plans, failure to store back-up media off-site, lack of backup system testing, the use of obvious passwords and passwords shared among staff.
The financial examples involved external malicious intent. In one incident, Commonwealth Bank customers were sent an official-looking email that stated it was from commonwealthbank.com, requesting passwords and membership numbers. Scams that replicated the Westpac and AMP Internet sites were also attempted.
How well guarded is your perimeter?
No matter how much technology you apply to the problem of security, if your employees don’t support the initiative, your system will never be secure. Security practices need to be ingrained in your culture. They need to be owned and governed and represent a living, continuous security environment. If employees are not trained in security policies and practices, they cannot and will not act accordingly, making your systems vulnerable. If they don’t truly understand what’s at stake, or see a valid reason for compliance (e.g. dismissal), they may view those who institute and enforce security policies as nuisances and seek to circumvent procedures.
According to American Computer Security Institute statistics, an external attack is likely to cost you on average USD$57,000 (AUD$86,000), whereas an internal attack averages USD$2.7 million (AUD$4 million). Every organisation requires a three-tier approach to security:
- Administrative security, capturing required behaviours in procedures and policies
- Physical security, the right blocks, barriers and trained people to physically make the environment secure
- Technical security, IT systems that assist in creating a regulatory environment.
Ensure IT governance models clarify security procedures in your organisation. Reference security best practices to ensure that your organisation is in step with others in your industry. Importantly, don't put a system in place and think it will take care of itself. Ensure representatives across the business enforce the secure environment, and audit and drill employees regularly on their responsibilities.
From the top levels of management on down the line, security needs to be a corporate objective. All employees need to be made aware that security is everyone’s responsibility and that executive management backs the initiative.
References
Mills, Kelly and Jenkins, Chris, 2003, Victoria, NT chastised over security, News Limited
Moore, Tanya, 2003, Net scams target banks, News Limited
Staff Writer, 2001, Security assessment: The first step in managing network risk, NEC Business Network Solutions, Inc.
Oltsik, Jon, 2003, Avoiding the security trap, CNET Networks, Inc.