Harry Archer, principal security consultant and head of security practice for BT Australia, recently relocated to Sydney from London, bringing with him 25 years of IT security experience, including time with the UK Government and the European Central Bank, amongst others. Here's what he had to say about Australia's security landscape:
What are you most concerned about?
“Infiltration of networks with Trojans is quite a serious issue, and one that is underrated in Australia. It’s a great concern, and I think it’s probably the thing we should worry about the most.”
Who's the target?
“[The target is] the end device, which is just not being looked after. [For example] businesses are allowing personal PCs to be connected to corporate networks.
“It’s a matter of how much a laptop is worth and whether I can pinch it and sell it on the streets in Sydney. It’s that sort of business.”
How are Trojans reaching end-users?
“Trojans are going in by mail and the Web. It seems to me mail is the predominant way, but the Web is obviously an opportunity as well. Mail is more anonymous, it’s easier to send, and it can be targeted and sent to specific individuals. That’s exactly what is happening: targeted Trojans.”
What's the general view from business?
“I suppose I’ve asked a number of people since I’ve been here about end-user vulnerabilities, and [managers] say, no, it’s not an issue, and that surprises me. You can ask Canberra, you can ask the major banks: how many laptops a year do they lose?
“[Businesses] have not been encrypting data at rest on the PC, and that’s a terrible issue. Encryption software proved unreliable and people thought, I’d rather have my data stolen than lose the data. As soon as you get more laptops, you’ll have more data loss.
“How are you going to get the CEOs to pay for [encryption]? No one’s going to pay the money for security because how many instances have we had, why do we need it?”
So, the problem boils down to policy and governance?
“Since the time I’ve been here, I’ve done an audit on a commercial institution which had its computer room in an office. If the sprinklers in the office are triggered, the entire server room will be destroyed. That’s the sort of thing I’ve seen since I’ve been here. That is not a good place to be in.
“Security governance is not being done; if it was, then whoever is running the system in that business would be fired. From governance comes the risk analysis, then the policy production, and then against the policy production you’re getting compliance.”
Why aren’t companies assessing risk?
“The problem actually starts at the top. It’s with management: security governance is not being put in, and because of that the networks are not being monitored properly.
“So they don’t have a security manager, no one’s looking after security, and they get hit. There’s also a lack of skills. People don’t understand things like ISO 27001, and the move from ISO 7799 to 17799 to 27001 was so quick people are [confused].
“The argument is, it’s just pushing paper, but it’s not, because behind that policy is risk analysis. Once you’ve done it you know what your risks are, and that’s what’s wrong.”
How should businesses tackle this problem?
“Security professionals should undergo an accreditation, so they have a responsibility to report, but Australia doesn’t have one. I could set myself up as a security consultant tomorrow here; there’s nothing that says I can’t do it.
“Some commercial organisations are asking for accredited people, because a lot of the people that work in the UK are ex-services and they know how security works in government. They know what the accreditation means.”
Is physical security up to scratch?
“Data centres that are in the city are not a good idea. From my point of view it’s not acceptable to have traditional offices being converted into data centres.
“You need to have custom-built centres, with no windows, strong walls, a concrete base, generators with a 30-day supply, and massive UPS systems, so if there are disruptions on the grid you can carry on running.
“Businesses need to start thinking about virtualisation. If you build these new massive centres outside of a city and put virtual servers in them, I think that’s the direction.”
Q&A: Harry Archer, head of Security Practice, BT Australia
By Negar Salek on Jul 14, 2008 12:29PM