10 key points for directors regarding IT security

By Glyn Geoghegan, September 9th, 2002.

- Protecting Corporate Assets - The clearest reason IT security is of importance to the board is that of protecting the electronic assets - be they the IT infrastructure or the data contained within. Downtime in core systems, damage to or theft of data or even problems with desktop PCs all affect the flow of business, costing time and money. The Turnbull Report on Corporate Governance states that 'The board should maintain a sound system of internal control to safeguard shareholders' investment and the company's assets'; proper controls relating to the IT assets are implicit in this.
- Data Protection Liability - In its 7th Principle, the Data Protection Act (1998) requires that 'Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data'. The ultimate responsibility falls to the data controller and the board, and should an individual suffer damage through its contravention, compensation claims are likely.
- Brand Damage - Much of the financial loss attributable to IT security breaches is associated with brand damage and loss of customer or partner confidence. Many recent security scares relating to the Internet offerings of large established concerns have revolved around relatively small technical issues with low real impact. The reduction in confidence and perception of the security of those organisations as inadequate, however, has a less tangible but more damaging long-term effect.
- Secondary Liability - Aside from the risks to your systems and business, there is the associated threat stemming from attacks on third parties. Should your systems be compromised it is highly likely they will be used in chained attacks on third parties. These attacks expose you to liability for not taking adequate precautions to protect yourself and therefore others. Should those third parties suffer quantifiable financial losses, it is highly likely the cost will fall at least in part to you - especially if the attacker remains untraceable.
- Illegal or Immoral Materials - Directors should also consider the risks associated with illegal, immoral or confidential materials. Frequently, compromised systems will be used to store and distribute contraband software, pornography and other illegal data. Through a lack of due diligence the directors can be, and often are, held responsible and liable for such material. Furthermore, inadequate security controls over communications could expose the organisation when internal parties (be they staff, contractors or even visitors) leak confidential or commercially sensitive information to competitors.
- Security is just another expense - It is of course true that implementing effective and comprehensive security policies during the design, development and ongoing support of IT systems has an associated cost. In order to protect the organisation and provide the necessary assurance to clients, investors and partners alike, this cost must be accepted and considered alongside the more traditional business and technical expenses. By establishing and considering security as early in the process as possible, the final cost can be greatly reduced. It is far cheaper to design and build security into the processes and systems than to try and retrofit it at a later stage.
- We're of no interest to a hacker - It is a common misconception that attacks on electronic systems are all targeted or planned and that the company doesn't have a profile of interest to an attacker. This is not true - the DTI Information Security Breaches Report 2002 states that 78% of UK businesses have suffered security incidents in the past year. Many electronic incursions are opportunist or automated attacks. Worms such as Code Red and Nimda propagate in a semi-random manner, attacking the next Internet address in sequence or contacts from the address book. Script kiddies download ready-to-run exploits and fire them at thousands or even millions of systems while they sleep or idle at school. If you have an unsecured system it is merely a matter of time before an attacker chances across it. Consider an unlocked car in the multi-storey shopping centre car park - the opportunist will try as many door handles as he can before rifling through your unlocked vehicle.
- We don't offer any Internet services - Another misconception is that if the organisation doesn't have, or host, any services locally, then there is no threat. Whilst there has been a rise in external attacks, the DTI reports that 34% of the most serious breaches still originate from the inside. Furthermore, whilst the website may be hosted by a third party, it is still the corporate brand at stake, and services such as e-mail will inevitably be held locally.
- Security is a block to business, not an enabler - Poorly implemented security controls can indeed be obstructive to business operations. Through a properly designed and implemented model, however, the smooth flow of operations can be maintained, with the added assurance that clients and partners are operating within the expected and permitted parameters and are not exposing the organisation to added risk.
- We're already secure, we have a firewall and Anti-Virus! - IT security is constantly evolving, with new threats appearing daily. Some of these are product specific; others relate to the architecture or to the way in which modern business is conducted. It is vital, as with all business practice, that IT security strategies and solutions are constantly reviewed, tested and improved upon. Education is also paramount; increasing awareness among users, managers and technical staff will help ensure that the integrity of the IT systems - and therefore the business - is maintained.