One only has to mention the name Enron to describe the first. The seriousness of the issue is indicated by the extent to which government has acted to prevent such scandals occurring in the future. Apart from the reform of existing company laws, the UK, for example, initiated the Higgs review of the role of non-executive directors. And the US has gone further than most, no doubt since the Enron scandal took place on its doorstep: Sarbanes-Oxley is the toughest regulatory intervention since the 1930s.
The boardroom has become a much more accountable place; transparency and meritocracy are the order of the day. Newly introduced principles and guidelines are encouraging directors to take direct responsibility for corporate data. Auditors are being empowered and their independence reinforced.
When it comes to Information Security, a series of increasingly alarming online threats has moved the issue from being the preserve of the IT department alone right up to the level of the board. Viruses, spam, spyware, phishing and hacks constitute a massive group of 'inbound' concerns, all of which have the potential to impact negatively on the bottom line.
Remote internet access and the proliferation of wireless devices are changing the way we look at Information Security. Allied to this is the question of outbound threats. Research from different sources shows that around 80 percent of outbound breaches, or confidential data losses, originate within the organization and are carried out by an employee. They may be malign but are more commonly a result of human error – hitting the 'send' button on an email by mistake, for example. A recent survey ranked confidential information leakage as the major content issue facing corporations, after spam.
All in all, the Department of Trade and Industry's 2004 Information Security Breaches Survey puts the price of these threats at several billion pounds: the average cost of an incident is £120,000, though the risk is also that a single event might have calamitous consequences. Hence security is a concern that the board must address. It is a question of governance because maintaining control of security has a direct bearing upon shareholder confidence, brand value and the bottom line.
Many companies have adopted a head-in-the-sand approach, treating network traffic as a 'no go' area for fear of what might be revealed, but this is no longer a viable option and is likely to offer no defence in a court of law. In fact, making a conscious decision to 'do nothing' to protect company resources, including employees, is a very dangerous strategy in the current climate.
Security needs to be thought of as an operational risk. The first step towards successful security management is identifying the risk and then controlling and mitigating it. Technology plays a key part in this process but senior management must be in charge of the process; governance is required to provide and implement the business-wide view.
And hence, thirdly, governance is a matter of business strategy. The threats are not trivial. Governance must be built into the overall strategic framework of the business since an error of governance might even lead to the failure of the business. Moreover, the regulatory responses to Enron and the like are aimed at nothing less than a change of culture.
A prime example of the links between strategy and security is the attitude that businesses display towards mobile working. The practice has become increasingly popular over recent years because of the greater degree of flexibility that it offers, to the extent that many organizations now advocate mobile working for a significant proportion of their workforce. However, businesses that encourage the practice are not doing enough to protect themselves against the additional threats that mobile working can present.
Worryingly, my company's own research recently found that 60 percent of UK businesses have no plans to implement content filtering for mobile workers. Of greater concern still is the fact that only 20 percent consider the risk sufficiently important to warrant the immediate implementation of content filtering when introducing the practice to the organization. However, security is the backbone of governance and, as such, evolving operational issues like the adoption of mobile working must be incorporated into strategies in a timely manner.
Even where organizations have made the link between security and governance, in many cases it is through a feeling of pressure. To build and run an effective programme, businesses can follow an ongoing, three-tiered approach to security based on the principles of policy, education and technology.
Policy - Clearly outline what company resources can and cannot be used for. Update the existing Acceptable Usage Policy (AUP) to ensure that operational changes, such as mobile working, are covered as they become relevant to the business.
Education - Train employees to understand the potential threats posed to both themselves and the wider organization. Clarify the appropriate behaviour that can be used to avoid such incidents and how to deal with them when they do occur.
Technology - Ensure that the appropriate technology is used to enforce the terms and conditions of the AUP and to act as a safety net against policy breaches.
In isolation, none of the above measures is enough to solve the problem, but by integrating them an organization can ensure that risk is mitigated to the greatest possible extent.
Corporate governance is no longer to be thought of as an extra – a hurdle to leap at the end of the financial year (or when the inspector calls). Good corporate governance needs to become an ingrained process, supported by both policies and Information Security. To avoid merely paying lip service, organizations should consider governance and compliance issues alongside the refinement of their frameworks and the implementation of best practice, of which policy development, educational programmes and technology implementation are all key components. In short, governance requires a change of attitude and must be built into the strategy of the business as a whole.
SurfControl are exhibiting at Infosecurity Europe 2005, Europe's number one Information Security event. Now in its 10th anniversary year, Infosecurity Europe continues to provide an unrivalled education programme, new products and services, over 250 exhibitors and 10,000 visitors from every segment of the industry. Held on 26th – 28th April 2005 in the Grand Hall, Olympia, this is a must-attend event for all IT professionals involved in Information Security. www.infosec.co.uk
The author is President EMEA & APAC, SurfControl