e-Security
Network security dynamics that accompany this new electronic frontier are scaring local businesses off.
At least this was the conclusion reached by a recent Deloitte Consulting survey. Survey results suggest that perceived security risks (commonly associated with taking business online) are seeing a disproportionate number of local businesses relegate e-commerce to the too-hard basket.
The trouble, says Klaus Dorbecker, consultant with the IT division (specialising in risk management), is that most companies take a minimalist or one-off approach to security. But what it really requires, he says, is consistent investment in security infrastructure that adds value.
What’s heightening the need for information risk management, says Dorbecker, is the growing awareness that e-commerce changes the security-risk profile of a business.
The way he sees it, businesses have typically associated e-security with newfangled software tools instead of taking a much more holistic approach. In fact, he urges companies not to install fancy security software unless they’re also prepared to implement information security policies. While most large organisations have an information security policy in place, Dorbecker suspects few bother to monitor or update it. He also suspects that less than 50 percent of small-to-medium-sized enterprises (SMEs) bother to establish information security policies at all.
The point that’s lost on many businesses, says Dorbecker, is that firewalls deal with external threats, while many security problems are in fact from internal sources. He adds that technology is typically not the problem, but rather the business policy in which it operates.
Admittedly, sophisticated encryption has addressed transactional security issues. But he says the innate openness of the Internet means companies remain highly vulnerable to security risks when communicating between enterprises.
“Information security should also determine storage requirements for all classified information. Unauthorised information disclosure should also address things like: visitor control, building security, access control and monitoring, hazardous materials, computer room and cabling security.”
Another commonly charted area of weakness, says Neil Butler, managing director with Wellington-based Optimation, is where a website hooks to a business partner electronically. “There’s typically a firewall in place for the main site, but little is often known about the site that links into it.”
The two most common weaknesses typically identified during audit checks, says Butler, include:
• Exposure to unknown intentional exploits: Many systems have undetected exposure here, especially from people who use other systems to forward information in large volumes to the site.
• Sucking information from databases hooked up to websites: Software that fools the website into passing on a query without the necessary approvals. When this happens, customer details (for example, credit card numbers) can be sucked out of the website.
Says Butler: “Companies use firewalls to protect corporate systems from accidental or malicious use. However, the messages that pass along a supply chain are more complex than typical web traffic.
“The complexity of the message requires sophisticated firewall software and complicated firewall configurations. This added complexity makes it more difficult and expensive to get the firewall functioning correctly.”
But Ian Taylor, of Seranova, says whether companies need to go to these lengths depends on the commercial value of the information they’re trying to protect.
“There are now sufficient security layers to stop people breaking through at a technical level. Nevertheless, whether these measures are taken comes down to a trade-off between the cost and how secure the information needs to be.”
It’s the underlying need for securing information at varying levels of the organisation, says Taylor, that must be established within the security policies of each respective company.
“It’s the growing sophistication of IT that’s made e-security a necessary evil. Management are now taking e-security measures due to the utilisation of the Internet for standard business processes. And the more complex and the more critical transactions over the Internet become to the business, the greater the security measures needed to cope with them.”
by Mark Story