BUSINESS SECURITY : Security SOS – How safe is your business?

Ask any manager what’s the most important asset of business and they’ll tell you it’s customers, employees or both. Yet there is third asset without which business can’t function, customers can’t be serviced and employees won’t be paid, and that’s the information that’s unique to the business, whether it sits in people’s heads or on computer systems.
In March, the Taranaki Daily News reported the online antics of 14-year-old New Plymouth schoolboy Kyle Wadsworth who hacked into TVNZ’s new pay-TV website to watch new Shortland Street episodes for free. The site, which had not even been launched, was apparently breeze to crack – Wadsworth said he had been searching through an index on the website and after making slight changes, he was in.
On the same day, the North Shore Times reported that computer forensics specialist employed by North Shore company had found evidence of employee affairs, staff pornography downloads, corporate fraud, personal emails, banking records and Trade-
Me transactions on its computers.
The forensics specialist told the NST he is kept busy checking out the computer systems of worried current and former employers, and described the illegal activities of one man who stole the setup of his former employer, an online travel com-
pany, and then proceeded to run the business from home under slightly different name using his former employer’s intellectual property and customer contact list.
Tony Krzyzewski, managing director of data security company Kaon Technologies (which specialises in the ‘human factor’ of data security), says he’s seen all that and more – and probably in business exactly like the one you work in.
“The biggest data security threats we see are to do with businesses mismanaging their own internal resources – for example, assigning inappropriate access controls and passwords, failing to put passwords on systems, failing to secure iPods, USB flash drives and digital cameras; and failing to correctly control internet use. Most organisations haven’t come to grips with internet use, and many fail to close off individual network access when an employee leaves,” says Krzyzewski.
That’s right; loads of organisations forget to remove the network username and password access of former employee when they leave. If the ex-employee gets disgruntled or goes to work for competitor, guess what can happen next? Krzyzew-ski says one New Zealand salesperson left company but knew his network user rights hadn’t been disabled. Before he left, he set up his business email inbox to forward to his private email address so he would remain on the sales email list of his former employer. He then went to work for competitor. Because his former employer was actively forwarding him the sales meeting emails, the ex-employee wasn’t doing anything illegal by reading them.
“It took the former employer long time to work out how this guy was always one step ahead of their sales strategies,” says Krzyzewski.
As crazy as it seems, Krzyzewski says such mistakes are common because most organisations have ‘total IT department and HR disconnect’ – that is, the IT department is simply not informed the employee has left. And that’s just one more reason why data security should be an organisation-wide responsibility rather than an IT department ‘job’, says Krzyzewski.
He says many organisations don’t ‘get’ data security because as business tool the internet is only 10 years young, and he makes an analogy with early cars: initially there were no road rules because of the little danger posed by the few drivers on the road. When this changed, rules started to be imposed and Krzyzewski says many New Zealand organisations don’t see that internet-connected data systems are also ‘newly dangerous’ and young ‘drivers’ at the wheel often fail to understand the risk their employer faces.
“When person joins an organisation we thrust them in front of computer and give them password and user name, but we don’t tell them what is the appropriate use of internet and email services. We might have security policies and technologies, but do we train staff how to use them or explain why we have them?” Krzyzewski asks.
Meanwhile, the stakes for getting it wrong are high: global research reveals organised crime, not individuals hacking for glory, is now behind most data security breaches and sums of money as high as US$50,000 are paid to those who can find network or application weakness which can result in organisational compromise.
John Martin, security practice leader for security and IT implementer IBM, says IBM has seen data security breaches in New Zealand including compromised servers being turned into staff internet download centres; staff bending rules to overcome inhouse security policies; rampant virus infections, web user logins and passwords being stolen; and modern day ‘Robin Hood’ financial industry workers who steal from richer bank accounts and transfer the funds to lower income accounts.
There’s more, much more, but the main point is simple: data security is not ‘dry’ issue to be placed somewhere near the bottom of an executive ‘to do’ list. In the internet age it needs to be right up there beside keeping staff and customers happy, and it needs to be constantly revisited.
Nor is it just hackers and unscrupulous employees that managers need to worry about – there’s also all those genuine data security mistakes people make, such as accessing confidential information without meaning to, sending out the wrong email campaign to the wrong client, or connecting virus-laden laptop to an unsecured data network bringing the latter to crashing halt.
Then there are the power outages, floods, network crashes and other extreme events that compromise the security of the data business relies on having access to.
An international study by the Economist Intelligence Unit found 47 percent of businesses surveyed believe unplanned systems downtime lasting 24 hours or more could jeopardise the survival of their entire business.
The survey, which interviewed 117 risk managers in businesses from range of industries and countries, also found 75 percent of companies had decided to increase the time and resources they dedicated to risk management, and 71 percent reported similar increase in the focus on business continuity programs and backup systems following problems such as power outage, human error and unplanned downtime.
Meanwhile, loss of data and human error were considered the most significant threats to overall business operations by 36 percent and 35 percent of respondents respectively.
“There’s not much point having really secure network if it’s not available. Businesses need business continuity plan that goes something like: if we lose power for one hour, we will take these responses, if it’s five hours we will have these responses. The solutions don’t have to be expensive – they might be to just work from home instead of the office – but you have to know what are the key things needed to keep your business running,” says Krzyzewski.
So who do you call for an end-to-end data security solution? Well, not just your IT manager or CIO, although you should obviously include them in board or executive level meetings when data security is discussed. Ideally though, business-wide approach to data security will involve the executive management of the business in conjunction with data security specialist or IT implementer. These providers tend to take an ‘umbrella’ view of data security and can bring in sub-contractors and ‘best of breed’ security technologies and solutions like those used to control and monitor email, fight spam, facilitate business continuity or develop internal security policies and user training.
Richard Prowse, country manager for data security brands Symantec and Veritas, says fortunately, more businesses are moving away from the mentality of securing specific resource like 1000 laptops, and taking more holistic approach to