Security complex

DTI figures show that IT security systems are dangerously inadequate. Alan Masson says that a three-tier system should be followed

Ask a firm for evidence of its IT security policy and most will present some virus screening software and a firewall. In the modern world, this is painfully inadequate. Perhaps it is because of a false sense of security, or a lack of knowledge, that only a quarter of businesses spend more than 1 per cent of their IT budget on security, and that advances in both attack and defence strategies are often neglected. Whatever the cause, figures from the Department of Trade and Industry (DTI) are a cause for concern.

Even a large corporation such as the BBC cannot afford to be complacent about IT security, as was shown when it accidentally sent 10,000 of its Radio 4 listeners an email virus along with a programme update. Known as the Sobig worm, the virus threatened to disable listeners' computers, despite the existence of the BBC's strict anti-virus system and a reportedly generous IT security budget.

So what can most businesses, with their comparatively lean IT security budgets, hope to accomplish in light of the speed with which technology develops and the increasingly sophisticated nature of some security attacks?

The truth is that there is a lot that can be done, particularly as most breaches of IT security have as much to do with internal practices as external communications. The DTI estimates that at least one third of serious security breaches come from inside an organisation, yet most firms persist in concentrating their efforts and budgets on perimeter security, such as firewalls and virus screening. A competent security management strategy should focus equally on the external, the perimeter and the internal environments.

An external security strategy should take into account the system's remote users, such as home workers, mobile workers and client extranets. For these purposes, data encryption and authentication facilities should be considered. Firms must also realise that some viruses can disable firewalls, and that all incoming emails should be screened before they enter the network perimeter.

Equally, perimeter security is not sufficient if the software is out of date. It is not unusual for firewalls that have been left untouched for several years to quietly leak information, and few firms can afford to let that happen.

An internal security strategy must take account of internal hackers. Accordingly, access to data should be monitored using data classification, tiered-access policies and password protection. There are also physical threats to internal security, including individual access to servers and communications centres, and these must be addressed if the security system is to work as a coherent whole.
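The internal controls described above (data classification, tiered access and password protection, with access monitored) can be sketched in a few dozen lines. The following is an added example and not code from the article or from MacRoberts; the tier names, users, documents and passwords are all constructed for illustration, and the logging is to an in-memory list rather than a real audit system.

```python
"""Data classification with tiered access, password verification and
access monitoring. Added illustration; every label and sample value
below is constructed, not taken from the article."""

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Classification tiers ordered from least to most sensitive (constructed).
# A user may read a document only if their clearance tier is at least
# the document's classification tier.
TIERS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, digest) for storage; never store the plain password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class User:
    username: str
    clearance: str
    salt: bytes
    digest: bytes


@dataclass
class Document:
    name: str
    classification: str


@dataclass
class AccessMonitor:
    """Records every access decision so internal misuse can be reviewed."""
    events: list = field(default_factory=list)

    def record(self, username, doc_name, granted, reason):
        self.events.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": username,
            "document": doc_name,
            "granted": granted,
            "reason": reason,
        })

    def denials(self, username=None):
        return [e for e in self.events
                if not e["granted"] and (username is None or e["user"] == username)]


def request_access(monitor, user, password, doc) -> bool:
    """Authenticate, then enforce the tiered policy; log the outcome either way."""
    if not verify_password(password, user.salt, user.digest):
        monitor.record(user.username, doc.name, False, "authentication failed")
        return False
    if user.clearance not in TIERS or doc.classification not in TIERS:
        monitor.record(user.username, doc.name, False, "unknown classification")
        return False
    if TIERS[user.clearance] < TIERS[doc.classification]:
        monitor.record(user.username, doc.name, False,
                       f"clearance '{user.clearance}' below '{doc.classification}'")
        return False
    monitor.record(user.username, doc.name, True, "clearance sufficient")
    return True


def make_user(username, clearance, password):
    salt, digest = hash_password(password)
    return User(username, clearance, salt, digest)


def demo():
    """Constructed scenario: two users, two documents, four access attempts."""
    monitor = AccessMonitor()
    alice = make_user("alice", "confidential", "correct horse")
    bob = make_user("bob", "internal", "battery staple")
    payroll = Document("payroll.xlsx", "confidential")
    newsletter = Document("newsletter.txt", "public")
    results = {
        "alice_payroll": request_access(monitor, alice, "correct horse", payroll),
        "bob_payroll": request_access(monitor, bob, "battery staple", payroll),
        "bob_newsletter": request_access(monitor, bob, "battery staple", newsletter),
        "bob_wrong_password": request_access(monitor, bob, "wrong", newsletter),
    }
    return results, monitor


if __name__ == "__main__":
    results, monitor = demo()
    print(results)
    for event in monitor.denials():
        print("DENIED", event["user"], event["document"], event["reason"])
```

The point of the monitor is that denials are kept alongside grants: a pattern of denied requests from one account for documents above its tier is exactly the internal signal a perimeter firewall never sees.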

Security, however, is only partly about technology; it is as much about people and working practices and, as such, there are certain procedures that should be adopted to ensure that an information security policy is created and implemented successfully.

The most successful security management strategies operate in businesses where there is a whole culture geared towards understanding the value of security, and this can only begin with endorsement at all levels, including the partners or directors. This also involves regarding security as an investment in the firm's future, rather than as an overhead, and should include the appointment of an individual to coordinate security procedures and training.

Once the internal structure and manpower are in place, it is worth undertaking a security audit, which should be completed by an independent specialist consultant. When evaluating a potential consultant, look for up-to-date relevant security certification, a credible client base and financial stability. Remember that you are seeking relationships to help you secure your business and this approach should be reflected in the way the consultancy business itself is operated.

A consultant will help the business to establish a workable security policy and advise the firm on how to handle and protect its data. As no security policy can be 100 per cent safe, it is important to draft a business continuity plan so employees know what to do in the event of a security problem. Guidance can also be provided in establishing a training programme for employees.

Finally, it is crucial that all businesses view security as a dynamic and ongoing procedure, and this involves making a commitment to keep up with new developments. These include both technological developments and legal developments, such as the Data Protection Act, which has profoundly changed the means by which businesses are required to collect and store information. The implications of an out-of-date or non-existent security policy are simply too great, and no business, regardless of its size, can afford the risk.

Alan Masson is a partner at MacRoberts Solicitors