Despite the huge sums of money spent on network security, organisations appear incapable of protecting confidential data. A change of approach is required, argues Gordon Rapkin

We need to move past the model of network perimeters

Businesses spend billions every year to secure computer networks and digital data. So why do serious security breaches continue to happen? Every week seems to bring news of a new incident:

The loss of two HMRC CDs containing personal, social security and financial details of 25 million people on the child benefit database

The hard drive containing medical records that was purchased on eBay

The laptop stolen after being left in a car overnight which belonged to a Royal Navy officer and contained the personal details of 600,000 people interested in joining the armed forces and bank records of at least 3,500 people.

M&S, who lost 26,000 unencrypted employees’ pension details after a laptop was stolen.

These are just a few of the recent, high profile breaches. Even more disturbing, the Information Commissioner’s Office has said, according to a report on ZDNet, that the seemingly sudden spike in data breaches in the past few months is not due to more data losses occurring, but to an increase in businesses and agencies publicly acknowledging such losses. Breaches will continue to occur until we rethink old-fashioned ideas about security.

Multi-layered defence

Many businesses who suffer a serious security violation have deployed protective systems in a patchwork approach, with heavy emphasis on protecting the network from outside attacks. We need to move beyond the model of network perimeters, an idea that obviously has not worked, and focus our attention on creating a holistic multi-layered defence system which includes people, policies and procedures, and a corporate culture centred on security.

The time to address the problem is now. Cyber crime is getting uglier and far more prevalent. The Computing Technology Industry Association’s recent study in the USA on data security breaches found that among companies that reported a security breach in the last year the average severity level of the incident was ranked 4.8 on a scale of 0 to 10. In 2006, the average severity level was 2.3.

The bottom line is that we cannot rely on applications to do all the work for us. You cannot throw money at the problem and hope it will go away. Smart policies, procedures and people are just as important as choosing the right security solution.

Creating a culture of security

Too many businesses have made security solely an IT problem. To be effective, security has to be everyone’s problem, and the processes that support real security need to be embraced by everyone from the summer student to the CEO. Until businesses focus on creating a culture of security and until employees understand exactly how and why to protect networks and digital assets, systems and data will be far too vulnerable to attack.

Consider these statistics:

n According to a survey of 1,311 companies by Infosecurity Europe, on behalf of the Information Security Awareness Forum, the single greatest security weakness in 79% of organisations is lack of awareness. People either do not know about the corporation’s security policies, or do know and ignore them.

n A recent study released by the IT Policy Compliance Group indicated that human error is the overwhelming cause of sensitive data loss, contributing to 75%of all occurrences, while malicious hacking activity amounted to just 20%.

n In the Deloitte Touche Tohmatsu 2007 Global Security Survey, which included many of the top financial services firms, 79% of those polled also said that human error was the cause of information security failures. Yet 22% of respondents said they had provided no employee security training over the past year and only 30% believed their staff had sufficient understanding of security issues.

The most important and effective security project that a company can undertake is the creation of a corporate culture that is centred on security. Security consciousness needs to be hard wired into our policies and procedures and embedded into everything we do.

When companies have an embedded culture, everything that people in that company do naturally reflects that culture. Some companies pride themselves on innovation, customer service, or the quality of the products they offer. All businesses now need to move towards taking pride in the security of their network and data and become truly proactive about security, rather than worrying about it only after their customers’ personal information has been exposed to criminals.

Policies and procedures need to be implemented and clearly communicated to keep people from mindlessly doing dangerous things with, and to, sensitive data. But simply devising policies is not enough. Security measures that are not understood and fully embraced across the enterprise can, and will be, circumvented.

Staff training

When people understand the value of security, as well as how to protect data, their entire approach and outlook changes. One of the most positive steps an enterprise can make is to institute ongoing security awareness training for employees.

Ensure that all employees understand how to identify confidential information, the importance of protecting data, how to choose and protect passwords, acceptable use of system resources, e-mail, the company’s security policies and procedures, and how to spot scams. New employees should be required to complete a security orientation before they are given access to the network.

Security training should not be generic, but should instead be targeted to an employee’s role, with refresher courses bi-annually or more frequently, depending on the person’s role and access to sensitive data. Employees can be alerted to new threats by way of a monthly newsletter, from IT.

Reporting incidents

Every organisation should also have an incident response and reporting policy. This enables employees and executives to quickly determine the severity of an incident and the inherent risk .

The policy needs to state who the incident, or an employee’s concerns, should be reported to and how it should be resolved. Your security policy should also detail how an employee should report requests for information and other incidents that they feel are suspicious – this information should be noted and tracked. Never make an employee feel silly for reporting anything he or she finds suspicious. The easiest way round this is often to set up an email address that employees can use to report potential problems.

After a security incident has been resolved, the organisation should review their policy to determine if changes need to be made. How did the incident occur? Was it resolved successfully? Implement the necessary changes and move on.

Enforcement and involvement

Policies and procedures should be enforced by technology controls, such as role-based access, database encryption and auditing tools to ensure that everyone is following the rules and to protect data from misuse or exposure, even if the rules are broken.

By making these issues a matter of policy, an employee can deny requests without feeling that they are being unhelpful, or could get into trouble with management. Automated enforcement and monitoring of policies takes the onus off employees – they no longer need to make judgment calls, nor can they be pressured, bullied or coerced into responding to requests for data that could provide an attacker with a key to company systems.

Bear in mind that it is quite possible to develop policies that are so rigid that employees resent them and actively look for ways to thwart them. It is best to develop policies together with representatives from throughout the company. Each of your employees is a stakeholder in security and should feel as if he or she is a valued participant in protecting company data, not a mistrusted child who is being watched every moment of the day.

What you need to secure

Tracking data as it moves across a network is often far from a straightforward task. It is likely that an audit of many networks would reveal sensitive personal data tucked away in places that you would never expect to find it, stored unprotected in applications and databases across the network.

A critical first step in any data security project is to conduct a full audit of the entire system and identify all the points and places where sensitive data is processed, transmitted and stored. Data flows through a company and into and out of numerous applications and systems. It is precisely this flow that needs to be the focus of a holistic approach. Look at data flow as a municipal transit system – the system is not just about the station platforms, the tracks and the switches are just as critical. Many companies approach security as if they are trying to secure the station platforms, but lose sight of the importance of securing the flow of information.

Additionally all systems should be monitored for malicious activity and swept for malware and other potentially dangerous software on a regular basis.

Protect beyond the perimeter

As businesses and agencies continue to move services onto the web, it is critical to extend protection past the internal network perimeter – the classic focus of all security efforts – and protect all public-facing applications which act as a conduit to the internal network and stored date. Websites and web-enabled applications, particularly those that collect data or allow access to internal databases, must be very carefully reviewed and thoroughly tested – preferably by an outside expert – to help ensure that no exploitable security flaws exist.

Then, to protect against brand new vulnerabilities, deploy a web application firewall to ward off threats and control any abnormal activity that can overwhelm an application or server operating system and open it up to an attack. Properly defended web applications allow outside users to access internal applications and selected segments of databases, enabling effective communication and service offerings, while ensuring that both users and owners are protected from criminal attacks.

Some of the companies polled by the IT Policy Compliance Group were not regularly losing data. They all had one thing in common: they used multiple methods – user training, strengthened security policies and compliance screening, threat monitoring and targeted application protections, network and user access controls, encryption and system auditing – to protect against data loss. You should do the same.