The speed with which new technology is being implemented means that some companies are unaware of areas of vulnerability within their IT systems.
External threats in the form of hackers and new viruses are well publicized in the media. Hackers operate in small, loose-knit groups, making them very hard to track down. They have the ability to hack into systems, committing industrial espionage, terrorist activities or politically motivated attacks. New viruses appear almost on a daily basis, and some of the more virile ones, such as Bugbear and Fizzer, can wreak havoc on unprotected IT systems.
The consequences of such an attack may include loss of valuable customer data and loss of public confidence, not to mention leaving companies wide open to prosecution under the Data Protection Act if private data, such as credit cards details, is exposed. It's not easy to put a value on these intangible losses, but these days data is often perceived to be of higher value than physical assets. It's worth noting that many companies hush up these sorts of attacks – perhaps due to the effect that publicity can have on consumer confidence – however, it is imperative that attacks are reported to the appropriate authorities so that investigations and forensic analysis can be carried out. Only then can the perpetrators be brought to justice.
The threat from within
However, internal risks are often overlooked because IT directors think 'it won't happen to me.' Human nature causes us to trust our colleagues implicitly, yet 60 percent of all reported crimes are insider jobs. There is also an element of embarrassment associated with this type of attack. Nobody wants to admit that they employed someone who was not quite what they seemed – just ask the Woodhill Prison authorities in the U.K. who took on a tabloid journalist as a warden! Motivation for this type of attack can be varied – disgruntled employees (or ex-employees), those spurred on by financial gain or even people secretly working for competitor organizations.
Internal risks can also be exposed accidentally through technical error. As complex networks and systems become the norm, design errors and misconfigurations become increasingly likely. Systems upgrades do not automatically lead to an update of the security policy, so vulnerabilities can appear. Similarly, whilst systems maintenance takes place – inevitably needed to support more complex networks – points of failure may be revealed. Remote and wireless access may also open up a number of back doors that security experts need to shut.
Disasters such as floods, fires and terrorist attacks, or even a leaky air conditioning unit in the communications room can also allow security breaches to occur if systems are not reinstalled properly.
In order to combat external and internal threats, it is a good idea to develop a comprehensive business continuity plan in case of attack. That way, everyone will know exactly what to do to get the business back up and running again. The starting block for this should be a risk assessment which aims to improve the resilience of a business before a security breach occurs.
The risk assessment identifies potential security vulnerabilities and potential sources of interruption or disaster, which will vary from business to business. These threats include hacking, systems failure and physical disaster. An organization is then advised to put in place measures to improve its 'risk profile' using tools such as firewalls, anti-virus software, systems and environmental monitoring software, emergency power supplies and physical security. Eliminating single points of failure in telecoms supply, for example, can be achieved by using a backup ISDN line in case a leased line is cut off for any reason.
In order to combat security risks caused by staff, simple policies should be written and backed up by more detailed procedures. The IT department should work with the human resources department in order to develop and enforce these policies and procedures.
By reducing possible risks, the likelihood of something happening in the first place is decreased. However, there will always be a "rump" of risks that remain, and it is important to have contingency plans in place for the day when one of those risks manifests itself and results in a serious incident. A business impact analysis identifies which functions are mission-critical and the business continuity plan seeks to recover those first. For a retail company trading only online, its web server is a vital piece of kit. For an international bank, the trading room is crucial.
A business is open to all kinds of risks, some of which cannot be eliminated. It is therefore essential that a business continuity plan is written, tested and revised regularly to ensure that the company is back up and running as soon as possible in the event of a security breach or interruption.
Keith Tilley is UK managing director at SunGard Availability Services