Security – Why should you care?

November 1, 2003

Companies big or small, in any industry, providing any product or service, are at risk of security breaches. If they use computers at all, they are exposed. The threat ranges from someone defacing your Web site, to email-borne viruses, to hackers accessing your systems, or even to users losing their laptops. But the threat is real.

There are not only external threats from people outside your organisation; what about disgruntled employees? And what about your IT staff: can you guarantee that they won’t make a mistake while in ‘admin mode’ on your network, one that lets users access the wrong information? Especially for legal firms, where information is their life-blood, confidentiality is paramount. Companies need to consider all these different types of risk before implementing security.

What does it all mean?
The way an organisation works on a daily basis will help to highlight areas of vulnerability. If the organisation provides its users with laptops, it must be able to secure the information stored on them; if confidential files are being e-mailed, those files must be encrypted; if some files on the network are extremely confidential, the company must restrict access to them, and should consider implementing stronger authentication than a username and password. Companies must stand back, take a long hard look at how they work, and implement a security system that fits their needs – simply having a firewall and anti-virus software is not enough.

Security breaches affect organisations in many different ways. Beyond the obvious potential loss of information or system downtime, they may have to face embarrassment if a breach is made public. They also risk their reputation and, if the data lost is personal, they risk being sued by customers under the Data Protection Act. In addition, non-disclosure agreements and the like make firms legally responsible for confidentiality. Firms in the legal industry, for example, risk Law Society involvement if they fail to maintain client confidentiality.

Make or break
Lawyers, solicitors and other legal firms are especially sensitive to loss of information, because the vast majority of information is absolutely confidential, more so than for most other organisations. Information held by law firms needs to be absolutely private, and it could cause havoc for the client if that information fell into the wrong hands.

Legal firms are not renowned for their use of cutting-edge IT. Whereas industries such as retail and banking have moved a vast number of services online, the legal industry still relies a great deal on traditional forms of communication and dealing.

What is the answer?
Firms must take the first steps on the road to being able to benefit fully from IT as a business enabler. They need to look at how they can make their current systems as secure as possible, so that they can keep pace with technological advances in the industry and know they are building on a sound, secure infrastructure.

They need to look at encryption – of e-mails that are being sent out, of data stored on vulnerable laptops, and even of highly confidential data stored on the servers – so that even if someone can access your systems, they can’t do anything with the information they reach.

Firms also need to look at how they manage access to their systems. One of the easiest tools used by hackers is ‘social engineering’, where they convince a legitimate user to give out their username and password, which lets them access the system with minimal effort. In addition, the number of users who rely on post-it notes on their monitor to keep track of passwords highlights that a username and password alone often do not provide enough security. It may well be appropriate to consider user authentication based on biometrics such as fingerprints.

Security does not have to be a maze of tools and procedures. It is possible to implement security that is almost invisible to the user and does not impact their jobs, but at the same time ensures that your private, business-critical information remains just that: private. Firms need to educate their users and ensure that everyone realises the importance of security. Then you can sit back in the knowledge that it won’t be you gracing the headlines when it all goes wrong.

Hints and tips

1. Be realistic about your threats – kidding yourself that you are invulnerable won’t work.

2. Spend the time and money to get security right first time.

3. Include your users in the decision process – they are more likely to stick to guidelines if their needs have been considered.

4. Educate users about the importance of security – make it their responsibility, and make them understand how it affects them.

5. Choose systems that are ‘transparent’ to the user where possible – if it doesn’t make their job harder, they are more likely to agree.

6. Configure and manage systems correctly – they are worse than useless if they are in place but set up incorrectly.

7. Don’t just look outside your organisation for your threats; the majority of security breaches come from within the organisation, whether accidental or malicious.

8. Acknowledge that laptops and PDAs are more vulnerable because they can more easily be lost or stolen, and ensure they are secured completely.

Jackie Groves is UK managing director of Utimaco Safeware.