There are countless surveys and statistics about IT security, the risks, the threats and things we should be worrying about, and the only thing they seem to agree upon is that the threat to business is growing.
The primary reason for this is the information stored on IT systems, which is ever more critical to an organization. Not only that, but the IT infrastructure itself is vital - without the email systems, web sites and CRM products that companies rely upon on a daily basis to conduct business, they simply wouldn't exist.
But as companies do rely more and more on their IT systems and information, they are more and more vulnerable to security breaches that compromise these systems, which can have a knock-on affect across the entire organization.
Where is the weakest link?
So where is your biggest risk to security? Well, a lot of that depends on your company, and each company should assess its situation to establish where it is vulnerable.
For big multinationals the risks are twofold - both external and internal. Hackers may have either a personal agenda or may be systematically accessing the system for corporate gain. This could be a competitor accessing your customer list or R&D files, someone trying to steal money or credit card information, or even political or other groups trying to deface your web site for other reasons. This threat, though potentially serious, is less prevalent than the internal threat.
In larger organizations, the number of temporary staff entering the building (contractors, consultants, etc.) makes the security risks inherently greater. Add this to the threat of deliberate abuse from disgruntled employees, and the need for watertight security is not only recommended but essential.
For smaller, less well-known organizations the primary risks may lie with existing, internal staff. The organization may not be able to invest as much as would be ideal in IT staff, or it may not have a rigid enough IT infrastructure in place, so inexperienced administrators can inadvertently make changes to network configuration that leave the organization vulnerable.
Whether the source is internal or external, accidental or deliberate, the results of unwanted changes to vital systems remain the same - costly downtime, damaged reputation and compromised private data.
Of all the possible outcomes that security breaches can have for an organization, the loss or compromising of customer information, particularly private or confidential data, has the most serious implications. Not only can customers lose faith in an organization but companies can risk breaching legislation (such as the U.K.'s Data Protection Act) if information is not secured.
Businesses have a legal responsibility to their customers, employees and partners to ensure that personal data remains confidential. As soon as identifiable personal data is stored by an organization, it is that organization's responsibility to ensure that the information is kept safe. Not only that, but the company also needs to be able to access data relating to any individual on demand, be it order history, salary details or credit card information. If they can't, then in the U.K. they are again in breach of the Data Protection Act and leave themselves open to prosecution.
Control equals security
Companies need to know that they have absolute control of everything that happens on their network and can tell immediately if anyone has changed settings or configuration files to allow access to restricted areas. At any given time, the IT manager must be able to say with absolute confidence that nobody has accessed the systems.
Core security solutions, such as firewalls and anti-virus have their place, but new risks warrant stronger security. Organizations need to take a proactive approach to security. It is no good realizing after the event that an attack has taken place and that information or systems have been compromised. It is already too late if all your customer's credit card details have been stolen - you'll simply be shutting the door after the horse has bolted.
Another potential area of risk is system changes that are made by authorized staff in an authorized process. System administrators, with access to all parts of the system, can theoretically make any changes they like to configuration files, without any control mechanisms in place to ensure that the changes that have been made are correct - how easy is it to simply make a typing mistake? And that doesn't even begin to address administrators who deliberately make unauthorized changes. If the Check Point administrator for example makes a change as requested under change control, but also adds a change of his own, who is going to know?
Know your baseline
The real business issue is change control; companies need to know what is happening on their system at all times. This problem is exacerbated by the fact that many system changes will be made by authorized individuals. It is one thing trying to stop hackers or other malicious attacks, but managing the changes that internal staff make can be a nightmare.
The main problem companies have is that they don't know what state their systems should actually be in, so even though they have state-of-the-art firewalls and intrusion detection software, they aren't in a position to know where they should be starting from. It is impossible to track changes to systems when companies don't even know what their baseline set-up should be. They need to measure this baseline, and use it as a foundation for the management of all changes.
One way to immediately identify if any changes have been made to your network that could result in security breaches such as loss of data is by taking regular snapshots of system configuration. This way you can you immediately detect changes, regardless of where they originate, and quickly return to business as usual.
Another benefit of this set-up is that should any problems actually occur, the IT department will be able to immediately identify where on the system the problem lies. They can then shut it down without having to bring down the entire network while the cause of the problem is identified, which can be a very time-consuming and expensive process.
Proactive problem solving
It is time that companies take a grown-up approach to security by addressing problems before they happen. Every company is at risk of security breaches, and when you are managing sensitive customer information you have a legal responsibility to keep that data safe. It is simply not good enough to react to a problem; organizations must protect themselves in advance. Otherwise they risk facing costly and time-consuming lawsuits without a leg to stand on.
Ian Tickle is channel manager, U.K. and Ireland, for Tripwire (www.tripwire.com)